LinuxQuestions.org
Old 08-02-2019, 11:24 AM   #1
cmgeo
Member
 
Registered: Oct 2011
Location: India
Distribution: Win 10, Debian and ubuntoooo
Posts: 58

Rep: Reputation: Disabled
hide 404 page status to serve *****


Hello,

I, a newbie who is also an admin, have my server logs full of non-existent file requests from anonymous clients. Probably the more experienced people here understand that as such it is not much of a threat until the server is compromised.

I want to get back at them and serve them a 10mb page full of garbage and all that you can imagine for each 404 status.

I have researched the mod_rewrite tool of Apache but couldn't find a solution. The ErrorDocument directive also sends a 404 status. But I want to hide that fact from the client and say 'the file you asked for is here and it is a 10mb file, have it and eat it'.

Is it possible?

thanks and best regards

cmg
 
Old 08-02-2019, 12:00 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,795

Quote:
Originally Posted by cmgeo View Post
Hello,
I, a newbie who is also an admin,
How can you be an administrator who is a 'newbie'?? Especially since you've been here and using Linux for EIGHT YEARS??? And you said you were 'new to webserver administration' two years ago:
https://www.linuxquestions.org/quest...3/#post5772561
Quote:
have my server logs full of non-existent file requests from anonymous clients. Probably the more experienced people here understand that as such it is not much of a threat until the server is compromised.

I want to get back at them and serve them a 10mb page full of garbage and all that you can imagine for each 404 status.
So you purposely want to slow down your web server, saturate your network connection, and make your other users go SLOWER, to shove 10MB files down to suspected attackers, or one of your legitimate users who just miskeyed something?
Quote:
I have researched the mod_rewrite tool of Apache but couldn't find a solution. The ErrorDocument directive also sends a 404 status. But I want to hide that fact from the client and say 'the file you asked for is here and it is a 10mb file, have it and eat it'. Is it possible?
Very possible; build your custom 404 page and include whatever you like on it.
https://httpd.apache.org/docs/2.4/custom-error.html

But instead of doing something that will only make things worse, you would be far better off by implementing security on your web server, tightening up your firewall, and making sure that IP blacklists are in place to prevent spammers/attackers from getting TO your server, rather than slowing down everyone/everything on purpose.
 
Old 08-02-2019, 12:46 PM   #3
cmgeo
Member
 
Registered: Oct 2011
Location: India
Distribution: Win 10, Debian and ubuntoooo
Posts: 58

Original Poster
Rep: Reputation: Disabled
Well, to say that I am a newbie... my bad.
But I also am not that knowledgeable; that is why I am here and requesting help.

It is true I started learning Linux and stuff in my own personal way as a hobby, and somewhat professional administration for web servers, which I think I can monetise for a few bucks.... but please don't blame me for asking something I don't know. I don't have any professional degree in this field. All I learnt is from groups like these and help pages and support from really good people like yourself.

The server in question is my own web server, which is hosting my website, which doesn't get a lot of traffic right now (sad thing), but I hope it does in future, like a billion or so hits per month (GOOGLE).

I am used to getting this type of traffic while analysing such client requests, and I have actively tried to block countries known for such things, but it is not enough. Those things somehow manage to creep into the system to crawl for what not. They have now started bruteforce checking pages with 5 chars, and daily some 500 access log is there for such activities. My regular page views are not very high to mention them here and blush myself, but this bruteforce checking for pages does worry me. They are also looking for all WordPress, /phpmyadmin/ and all such known application file structures on my server. Recently they started for fckeditor; god knows what bug they found in that, but they are looking for it on my server!!! Thankfully I generally don't use such software on my production server and just use plain old simple PHP, HTML, CSS and JS files. Too bad for them till they find it out.

I think if I serve them pages just like I told you above, my server would be just about fine because they start these scans generally about midnight local time, but those miscreants will think twice before scanning my dirs like this with my proposed response. My regular customer may not find it that much problematic as he/she visits only the genuine page; if any error, they are free to contact me. Sometimes there needs to be some interaction between service provider and service receiver...

Your professional opinion is highly valued by me, but I just want to show these bruteforce people the mid****ger. They have spooked me so much that my flight or fight response has been triggered and I will fight them come what may.

I saw the Apache page but I have doubts whether it still serves the 404 status code, because I don't want the recipient to know that the file is not found but to take whatever I serve.

The Errorresponse code sends the status also, I think; that's why I am asking for guidance here. I don't want to send the 404 status and instead send a 200 status with this file. So can it be possible?

Thanks, and I didn't want to offend anyone, just that ...

best regards and have nice morning

cmg
 
Old 08-02-2019, 12:48 PM   #4
cmgeo
Member
 
Registered: Oct 2011
Location: India
Distribution: Win 10, Debian and ubuntoooo
Posts: 58

Original Poster
Rep: Reputation: Disabled
Wow, it has been 8 years... time flies supersonic
 
Old 08-02-2019, 12:53 PM   #5
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,763

The biggest 404 hitter on my server is for /apple-touch-icon*.png files, which are, I believe, requested by visitors using iOS devices instead of the "normal" favicon.ico. At around 2000 hits per day, returning anything except a minimal 404 page would bring my server to its knees (as TB0ne has pointed out)...and it would discourage visitors to mine, and more importantly, my customer's web sites.

That the iOS devices ask for those files is not anything anyone can control, AFAIK.

Definitely a really bad idea!


EDIT: Set up fail2ban and block the offending IPs

Last edited by scasey; 08-02-2019 at 12:57 PM.
 
2 members found this post helpful.
Old 08-02-2019, 01:19 PM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,795

Quote:
Originally Posted by cmgeo View Post
Well, to say that I am a newbie... my bad.
Twice, two years apart??
Quote:
But I also am not that knowledgeable; that is why I am here and requesting help.

It is true I started learning Linux and stuff in my own personal way as a hobby, and somewhat professional administration for web servers, which I think I can monetise for a few bucks.... but please don't blame me for asking something I don't know. I don't have any professional degree in this field. All I learnt is from groups like these and help pages and support from really good people like yourself.
Not blaming you for anything, but after eight years, you must have learned SOMETHING, especially since you've been doing web administration for two.
Quote:
The server in question is my own web server, which is hosting my website, which doesn't get a lot of traffic right now (sad thing), but I hope it does in future, like a billion or so hits per month (GOOGLE).

I am used to getting this type of traffic while analysing such client requests, and I have actively tried to block countries known for such things, but it is not enough. Those things somehow manage to creep into the system to crawl for what not. They have now started bruteforce checking pages with 5 chars, and daily some 500 access log is there for such activities. My regular page views are not very high to mention them here and blush myself, but this bruteforce checking for pages does worry me. They are also looking for all WordPress, /phpmyadmin/ and all such known application file structures on my server. Recently they started for fckeditor; god knows what bug they found in that, but they are looking for it on my server!!! Thankfully I generally don't use such software on my production server and just use plain old simple PHP, HTML, CSS and JS files. Too bad for them till they find it out.

I think if I serve them pages just like I told you above, my server would be just about fine because they start these scans generally about midnight local time, but those miscreants will think twice before scanning my dirs like this with my proposed response. My regular customer may not find it that much problematic as he/she visits only the genuine page; if any error, they are free to contact me. Sometimes there needs to be some interaction between service provider and service receiver...
...and no matter WHAT time of day you're serving up that data, you are STILL going to bring your server to its knees, if not crash it totally. Think about what you're wanting to do; do you REALLY want to serve up a gigabyte every minute?? Especially since the people who are doing this have other computers doing it...all that's going to do is encourage them to do MORE, since **EVERY SINGLE BAD FILE** they try to get will happily net them 10MB of data...they won't know what it is, until they look at it, but they're still going to download it. At your expense.
Quote:
Your professional opinion is highly valued by me, but I just want to show these bruteforce people the mid****ger. They have spooked me so much that my flight or fight response has been triggered and I will fight them come what may. I saw the Apache page but I have doubts whether it still serves the 404 status code, because I don't want the recipient to know that the file is not found but to take whatever I serve.
If you're not going to take advice from folks, there's no point in asking. Again, there are MANY bad things about doing what you want to do.
Quote:
The Errorresponse code sends the status also, I think; that's why I am asking for guidance here. I don't want to send the 404 status and instead send a 200 status with this file. So can it be possible?
Again, yes. Follow the instructions for the 404 page, which will give them whatever you want, including sending them to a page that DOES exist, with a 10MB file attached to it.

Like you were told, you need to be PROactive instead of REactive....enable and use proper security, to prevent such things from ever reaching your server. Use things like scasey told you about, like fail2ban. Use the many, MANY existing web protection tools available, instead of doing this.
 
2 members found this post helpful.
Old 08-02-2019, 02:45 PM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,175
Blog Entries: 1

Quote:
I saw the Apache page but I have doubts whether it still serves the 404 status code, because I don't want the recipient to know that the file is not found but to take whatever I serve.

The Errorresponse code sends the status also, I think; that's why I am asking for guidance here. I don't want to send the 404 status and instead send a 200 status with this file. So can it be possible?
Just for educational purposes I'll show how to hide a 404 response:
Code:
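# Enable mod_rewrite for this directory
RewriteEngine On
RewriteBase /
# Apply the rule only when the request maps to no existing file or directory
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Internal rewrite: the client receives /somepage.htm with a 200 status
RewriteRule . /somepage.htm [L]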
But I also ask you to reconsider what you're trying to do. I fully agree with TB0ne's post above.
You are going to stress your server and consume all your bandwidth, sending MBytes to bots that can do hundreds of hits per second.

IMO mod_security and/or fail2ban are better ways to protect your server.


Regards
 
3 members found this post helpful.
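
Added example, not part of any post in this thread: the 404 counting that posts #5 to #7 recommend leaving to fail2ban, written out in Python so the effect of a threshold (maxretry), a time window (findtime) and an ignore rule for the apple-touch-icon requests can be seen on constructed log lines. The function names, sample IPs, paths and thresholds are assumptions made for illustration, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log line: host ident user [time] "METHOD path proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Benign 404s that must not count (the iOS icon requests described in post #5).
IGNORE = re.compile(r'^/(apple-touch-icon[^/]*\.png|favicon\.ico)$')

def scanners(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return IPs that produced >= maxretry counted 404s within one findtime window."""
    recent = defaultdict(deque)            # ip -> timestamps of its recent 404s
    flagged = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                       # malformed line: skip rather than guess
        ip, stamp, path, status = m.groups()
        if status != "404" or IGNORE.match(path.split("?", 1)[0]):
            continue
        now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        window = recent[ip]
        window.append(now)
        while now - window[0] > findtime:  # drop hits older than the window
            window.popleft()
        if len(window) >= maxretry and ip not in flagged:
            flagged.append(ip)             # a tool like fail2ban would ban the IP here
    return flagged

def log_line(ip, hms, path, status):
    """Build one constructed access-log line (sample data, not from the thread)."""
    return f'{ip} - - [03/Aug/2019:{hms} +0530] "GET {path} HTTP/1.1" {status} 196 "-" "-"'

PROBES = ["/wordpress/", "/phpmyadmin/", "/fckeditor/", "/abcde", "/fghij"]
SAMPLE = (
    [log_line("203.0.113.7", f"00:00:0{i}", p, 404) for i, p in enumerate(PROBES)]
    + [log_line("198.51.100.20", f"09:15:{i:02d}", "/apple-touch-icon.png", 404)
       for i in range(10)]
    + [log_line("192.0.2.5", "10:00:00", "/contcat.html", 404),
       log_line("192.0.2.5", "10:00:05", "/contact.html", 200)]
)

if __name__ == "__main__":
    print(scanners(SAMPLE))   # only the directory scanner is reported
```

The iOS visitor with ten icon 404s and the user with one mistyped URL are not reported, which is the difference between blocking by rate and answering every 404 with a large file.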
Old 08-03-2019, 08:44 AM   #8
cmgeo
Member
 
Registered: Oct 2011
Location: India
Distribution: Win 10, Debian and ubuntoooo
Posts: 58

Original Poster
Rep: Reputation: Disabled
Thank you very much.

I heed your advice, TB0ne, and also the solution proposed by scasey.

bathory, thank you for the example. I learned something new.

With best wishes

CMG
 
  


All times are GMT -5. The time now is 11:47 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration