Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
We have a guest book page that is being hit by a spam bot.
Currently we've disposed of the page, but the spam bot keeps hitting that page, which costs us a lot of Apache threads and processes. Though it's only showing Apache's default forbidden page, it still takes/needs Apache threads.
The question is: is there anything I can do to block requests to that specific page so it won't take any Apache threads? Because it hits us tens of thousands of times each day.
As a note, they are using thousands of IPs. I don't even know whether they have static IPs or not because they keep on changing. So I can't just block the IPs using a firewall.
We have a guest book page that is being hit by a spam bot...
As a note, they are using thousands of IPs. I don't even know whether they have static IPs or not because they keep on changing. So I can't just block the IPs using a firewall.
Well, that probably means that it isn't a bot but a botnet (i.e., a network of computers which have been perverted in their function). This does make it difficult to block addresses in the firewall. There are modules for doing just this kind of thing, but if you have to look up 10,000 addresses you may well reduce this problem at the expense of creating a new potential problem with DDoS attacks causing crashes. This is not necessarily advisable...
Does the user agent change? If not then block the bot by user agent rather than IP. Of course this isn't foolproof either and will still require some processing.
Using a captcha may stop the bot from posting messages but it won't do anything to reduce the traffic load, it may in fact increase it if the bot repeatedly tries to solve the captcha.
If the load is heavy and you can't block it at the server you'll need to work with your provider to block it further up the network.
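An added example, not part of the original thread: one way to answer the user-agent question above from the access log before writing any block rule. It assumes Apache's "combined" log format and a hypothetical `/guestbook.php` path; the log lines are constructed samples using documentation IP ranges.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Constructed sample lines (not real traffic); /guestbook.php is a hypothetical path.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "POST /guestbook.php HTTP/1.1" 403 202 "-" "ExampleBot/1.0"
198.51.100.7 - - [01/Jan/2024:00:00:01 +0000] "POST /guestbook.php HTTP/1.1" 403 202 "-" "ExampleBot/1.0"
203.0.113.99 - - [01/Jan/2024:00:00:02 +0000] "POST /guestbook.php?x=1 HTTP/1.0" 403 202 "-" "ExampleBot/1.0"
192.0.2.44 - - [01/Jan/2024:00:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.200 - - [01/Jan/2024:00:00:03 +0000] "GET /guestbook.php HTTP/1.1" 403 202 "-" "ExampleBot/1.0"
"""

def summarize(lines, target_path, threshold=0.95):
    """Report whether one User-Agent dominates hits on target_path, and how
    many requests to other paths share it (collateral if that UA is blocked)."""
    target_uas, other_uas, ips = Counter(), Counter(), set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path == target_path:
            target_uas[m["ua"]] += 1
            ips.add(m["ip"])
        else:
            other_uas[m["ua"]] += 1
    total = sum(target_uas.values())
    if total == 0:
        return None  # no requests to the target path in this log
    top_ua, top_hits = target_uas.most_common(1)[0]
    share = top_hits / total
    return {
        "hits": total,
        "distinct_ips": len(ips),
        "distinct_uas": len(target_uas),
        "top_ua": top_ua,
        "top_ua_share": share,
        "collateral_hits": other_uas[top_ua],
        # A UA rule only helps if one UA dominates and no other traffic uses it.
        "ua_block_viable": share >= threshold and other_uas[top_ua] == 0,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines(), "/guestbook.php"))
```

A high `distinct_ips` count alongside `distinct_uas` of 1 matches the botnet pattern discussed in the thread; a non-zero `collateral_hits` means a user-agent rule would also hit other traffic.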
Well, that probably means that it isn't a bot but a botnet (i.e., a network of computers which have been perverted in their function). This does make it difficult to block addresses in the firewall. There are modules for doing just this kind of thing, but if you have to look up 10,000 addresses you may well reduce this problem at the expense of creating a new potential problem with DDoS attacks causing crashes. This is not necessarily advisable...
==> So is there anything I can do?
Quote:
Originally Posted by paulsm4
Hi -
I think the best you can do, if you can't blacklist the spambot, is probably just to serve a null, zero-byte web page.
==> Currently I use a blank page which I set to 000 permissions, which causes a 403 page to be displayed. But still my Apache has to serve one extra useless thread every second...
Does the user agent change? If not then block the bot by user agent rather than IP. Of course this isn't foolproof either and will still require some processing.
Using a captcha may stop the bot from posting messages but it won't do anything to reduce the traffic load, it may in fact increase it if the bot repeatedly tries to solve the captcha.
If the load is heavy and you can't block it at the server you'll need to work with your provider to block it further up the network.
==> I have completely removed that page so basically I don't need any captcha. I just want to block its requests towards my Apache.
==> Currently I use a blank page which I set to 000 permissions, which causes a 403 page to be displayed. But still my Apache has to serve one extra useless thread every second...
==> I have completely removed that page so basically I don't need any captcha. I just want to block its requests towards my Apache.
Ok...did you read NyteOwl's reply????
Quote:
Originally Posted by NyteOwl
If the load is heavy and you can't block it at the server you'll need to work with your provider to block it further up the network.
Since you're dealing with a botnet, you won't be able to block ALL the addresses...as soon as you block one, another will come up, as was discussed earlier.