[BlueOnyx:08921] IP blocks for httpd and hosts.deny

Jim Matysek matysekj at usms.org
Fri Oct 28 11:58:48 -05 2011


I have two somewhat related questions/issues with setting up and/or 
finding IP blocks for the httpd service.

First, we had a very persistent attempt at SQL injection from an Asian 
IP address yesterday (over 227,000 hits). Once I saw it, I added that IP 
address to /etc/hosts.deny. The hits persisted in 
/var/log/httpd/access_log with 200 status. I then added a deny line in 
the .htaccess file for that IP and while the hits persisted, they were 
now all getting 403 status. One issue is that this still fills up both 
my access_log and error_log to the point that it's hard to find other 
things there. Is there a way to block httpd access to an IP address that 
will keep all attempts out of the httpd logs? Also, I had always thought 
that any IP addresses listed with ALL: xxx.xxx.xxx.xxx in the 
/etc/hosts.deny file would accomplish this. Apparently not, or if it 
will, is there a specific service I need to restart for it to take 
effect? I did restart httpd yesterday and it didn't change anything.

Second, I've got one valid user who suddenly over the past week cannot 
access any pages on our main site. She just gets a blank page or a 
timeout message. She's tried with 3 different browsers and has tried 
clearing her cache, all with the same results. I checked and her IP 
address doesn't appear in /etc/hosts.deny or in the "Blocked hosts" tab 
in the BO GUI under Security / Failed Logins. I also checked 
/etc/apf/deny_hosts.rules and her IP isn't there either. Is there 
somewhere else to look? The odd thing is that I see her requests in 
/var/log/httpd/access_log with a 200 status, but the amount of data 
returned is shown as about half that for any other request from others 
on the same URL. That sounds more like a browser cache issue to me, but 
she's tried this with 3 different browsers with the same results. I'm at 
a loss for where to look next. I have asked her to try to access other 
sites on the same virtual server and on another VS, but have not heard 
back the results from her on those attempts.

-- 
Jim Matysek
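
Added example for the first question above, not code from the original post or from BlueOnyx or APF. It picks the clients sending SQL-injection-looking requests out of an Apache combined-format access_log and turns them into packet-filter rules. A DROP in the INPUT chain stops the TCP connection before httpd ever accepts it, so nothing is written to access_log or error_log; a `.htaccess` deny still completes the HTTP exchange and logs a 403 plus a "client denied by server configuration" error_log line, and `/etc/hosts.deny` is consulted only by daemons linked against tcp_wrappers (libwrap), which a stock Apache httpd is not (`ldd /usr/sbin/httpd | grep libwrap` prints nothing). The log lines, addresses (RFC 5737 documentation ranges) and the threshold of 3 are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): find clients hammering httpd with
# SQL-injection-looking requests in an Apache combined-format access_log and emit
# iptables rules that drop them before httpd sees them (so nothing is logged).

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
# 203.0.113.7 plays the persistent SQL-injection source; the others are normal users.
SAMPLE_LOG='203.0.113.7 - - [27/Oct/2011:14:01:02 -0500] "GET /page.php?id=1%27%20OR%201=1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Oct/2011:14:01:03 -0500] "GET /page.php?id=1%27%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Oct/2011:14:01:05 -0500] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Oct/2011:14:01:05 -0500] "GET /page.php?id=1%20AND%201=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Oct/2011:14:01:06 -0500] "GET /news.php?id=42 HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Oct/2011:14:01:06 -0500] "GET /page.php?id=1;%20DROP%20TABLE%20users-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Oct/2011:14:01:07 -0500] "GET /page.php?id=(SELECT%20SLEEP(5)) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Oct/2011:14:01:08 -0500] "GET /news.php?id=43 HTTP/1.1" 200 4290 "-" "Mozilla/5.0"
198.51.100.4 - - [27/Oct/2011:14:01:09 -0500] "GET /about.php HTTP/1.1" 200 3002 "-" "Mozilla/5.0"'

# Crude but serviceable injection signatures, matched case-insensitively against
# the request URI after %20 and '+' have been turned back into spaces.
SQLI_RE='union[[:space:]]+select|[[:space:]](or|and)[[:space:]]+[^[:space:]]*=|drop[[:space:]]+table|sleep\(|benchmark\(|information_schema'

# Print "<count> <ip>" for every client in log $1, busiest first.
hits_per_ip() {
    awk '{ print $1 }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print "<count> <ip>" for clients whose request URIs (field 7 of the combined
# format) look like SQL injection, busiest first.
sqli_hits_per_ip() {
    awk '{ print $1, $7 }' "$1" \
      | sed 's/%20/ /g; s/+/ /g' \
      | grep -iE "$SQLI_RE" \
      | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# IPs with at least $2 injection-looking requests in log $1, one per line.
# Counting only suspicious requests avoids blocking a merely busy legitimate client.
offenders() {
    sqli_hits_per_ip "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Emit the firewall commands for the offenders. They are printed, not run:
# review them, then pipe to sh as root. -I puts the rule at the top of INPUT so
# it wins over any earlier ACCEPT for ports 80/443.
drop_rules() {
    offenders "$1" "$2" | while read -r ip; do
        # Only pass a plain dotted quad into a root command line.
        case "$ip" in
            *[!0-9.]* | '') continue ;;
        esac
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Stand-alone demo on the constructed log.
LOG=$(mktemp) || exit 1
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
echo "# hits per client:";                 hits_per_ip "$LOG"
echo "# injection-looking hits per client:"; sqli_hits_per_ip "$LOG"
echo "# rules for clients with >= 3 such hits:"; drop_rules "$LOG" 3
rm -f "$LOG"
```

On a box running APF, as this one does, prefer `apf -d 203.0.113.7` over a bare `iptables` line: it writes the host to `/etc/apf/deny_hosts.rules`, so the block survives an APF restart, which flushes and rebuilds the iptables rules. If you only want the noise out of access_log without a network block, Apache can do that with `SetEnvIf Remote_Addr "^203\.0\.113\.7$" dontlog` and `CustomLog logs/access_log combined env=!dontlog`, but the 403s from a `.htaccess` deny will still appear in error_log, which is why the filter-level drop is the cleaner answer to the first question.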
