Re: [SLUG] weird web site viewer

From: steve szmidt (steve@szmidt.org)
Date: Wed Apr 19 2006 - 04:09:36 EDT


On Wednesday 19 April 2006 01:41, Eben King wrote:
> I have a small, personal web site, served using thttpd (I said it was
> small). I run it on port 81, to avoid the IIS attack du jour.
>
> There is one machine that's made about 300 hits since 13/Apr/2006:11:47:57,
> often hitting the same page dozens of times in a row, with 8-60 seconds
> between hits. His hits stop coming in the evening and resume in the early
> afternoon. What's the deal here? How can I cut him off, using e.g.
> hosts.deny or similar (I already have ALL : ALL in there)?

You are using the built-in firewall, are you not?

If it's always on the same IP you can add an entry like DROP. Though I'd be
curious about what he's doing. Have you tried recording the traffic and
inspecting what he's doing?

BTW, one thing to keep in mind when you add the entry is that firewalls either
act on the first matching record or the last. If you are using iptables then
it's the first matching rule that wins. So you might want to use something
like this where you first have his drop then the accept rule for all others.

# Replace the placeholder with the single offending address; lines starting
# with '#' are ignored by iptables-restore. Note the quoted message says the
# server listens on port 81, so the ACCEPT rule must name the port thttpd
# actually uses (80 as written matches only port 80).
-A RH-Firewall-1-INPUT -s <enter.block.ip.here> -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Of course, if any line wraps here, make sure it's on one line
in /etc/sysconfig/iptables. The above drops all traffic from that address; it
will look like you went away. If you prefer to play nice you would replace
the DROP with a REJECT. (Again, this is iptables syntax.)

Playing nice is important for those who have various legit, or should I say
important, traffic moving through. Then you want to pay more attention to
your equipment working in a standard way with others. For a home setup where you
don't really care and are more concerned about security you can use DROP and
disappear.

-- 

Steve Szmidt

"For evil to triumph all that is needed is for good men to do nothing." Edmund Burke
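The rule-ordering point above (first matching rule wins in iptables) is easy to get wrong, so here is a small first-match simulator written for this archive page. It is added example code, not part of the original message and not an iptables implementation: it parses the two iptables-save style lines Steve posted, evaluates constructed packets against them in both orders, and also shows what happens to a connection to port 81, the port the original poster said thttpd listens on. The blocked address 192.0.2.10 and the visitor address 198.51.100.7 are placeholders from the TEST-NET ranges; the `policy` default of DROP stands in for whatever the chain falls through to and is an assumption.

```python
from __future__ import annotations
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder for <enter.block.ip.here> (TEST-NET-1 address).
BLOCK_IP = "192.0.2.10"

# The two rules from the message, in the order Steve recommends: the DROP
# for the single host first, then the general ACCEPT for new web connections.
RULES_TEXT = f"""
-A RH-Firewall-1-INPUT -s {BLOCK_IP} -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
"""


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int
    state: str  # conntrack state, e.g. "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    src: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    states: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        """Every criterion present on the rule must hold for the packet."""
        if self.src is not None and pkt.src != self.src:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse the subset of iptables-save syntax used in the message."""
    toks = shlex.split(line)
    fields: dict = {}
    i = 0
    while i < len(toks):
        opt = toks[i]
        if opt == "-A":
            fields["chain"] = toks[i + 1]
        elif opt == "-s":
            fields["src"] = toks[i + 1]
        elif opt == "-p":
            fields["proto"] = toks[i + 1]
        elif opt == "--dport":
            fields["dport"] = int(toks[i + 1])
        elif opt == "--state":
            fields["states"] = frozenset(toks[i + 1].split(","))
        elif opt == "-j":
            fields["target"] = toks[i + 1]
        elif opt == "-m":
            pass  # match-module loader; its options are handled above
        else:
            raise ValueError(f"unsupported option {opt!r}")
        i += 2
    return Rule(**fields)


def parse_rules(text: str) -> list[Rule]:
    """Parse a rule list, skipping blank lines and '#' comments."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def verdict(rules: list[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule decides; otherwise the chain policy (assumed DROP)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def demo() -> dict:
    ordered = parse_rules(RULES_TEXT)
    swapped = list(reversed(ordered))  # ACCEPT before DROP: the mistake to avoid
    offender = Packet(BLOCK_IP, "tcp", 80, "NEW")
    visitor = Packet("198.51.100.7", "tcp", 80, "NEW")
    visitor_81 = Packet("198.51.100.7", "tcp", 81, "NEW")
    return {
        "offender_drop_first": verdict(ordered, offender),   # DROP
        "offender_accept_first": verdict(swapped, offender),  # ACCEPT (bad)
        "visitor_port80": verdict(ordered, visitor),          # ACCEPT
        "visitor_port81": verdict(ordered, visitor_81),       # falls to policy
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>22}: {result}")
```

The last entry is the caveat worth checking before loading the file: with `--dport 80` as written, a new connection to port 81 matches neither rule and gets whatever the chain falls through to, so the ACCEPT must name the port the server really listens on.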



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:36:25 EDT