We help IT Professionals succeed at work.

How to prevent Apache from being accessed by spammers

neal wang
neal wang used Ask the Experts™
on
In my apache 2.4 configuration httpd.conf file I have port forwarding and reverse proxy configurations. However it looks like I'm getting foreign spammers trying to forward use my apache to forward to their malicious sites.

I've already set override to this:
<Directory />
    AllowOverride All
    Require all denied
</Directory>

I also set the logs from %h to %{X-Forwarded-For}i (to see the ip addresses)

I see the ip addresses and I put the deny of the website in .htaccess file but I'm still getting a lot of logs from the spammer.

How do I prevent spammers and from spammers blowing up my log files in apache?

Here is an example from my access_log and error-logs

access log:

- - - [10/Jan/2020:00:10:23 +0000] "GET http://www.qyl788.com:777/js/main.min.js?e81cf HTTP/1.1" 302 - "http://www.qyl788.com/" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Ubuntu/10.10 Chromium/10.0.648.127 Chrome/10.0.648.127 Safari/534.16"
- - - [10/Jan/2020:00:10:36 +0000] "GET http://www.qyl788.com:777/js/main.min.js?1b3038fb98e71c3c8597d2f5ae580 HTTP/1.1" 302 - "http://www.qyl788.com/" "Mozilla/5.0 (X11; U; Linux i686; fi-FI; rv:1.9.0.9) Gecko/2009042113 Ubuntu/9.04 (jaunty) Firefox/3.0.9"

error log:

[Fri Jan 10 01:16:57.258926 2020] [access_compat:error] [pid 74944] [client 115.236.23.214:62608] AH01797: client denied by server configuration: /var/www/html/TP
[Fri Jan 10 01:16:57.596460 2020] [access_compat:error] [pid 74945] [client 115.236.23.214:2029] AH01797: client denied by server configuration: /var/www/html/TP
[Fri Jan 10 01:16:57.937460 2020] [access_compat:error] [pid 74941] [client 115.236.23.214:5508] AH01797: client denied by server configuration: /var/www/html/thinkphp
[Fri Jan 10 01:16:58.283250 2020] [access_compat:error] [pid 74942] [client 115.236.23.214:20863] AH01797: client denied by server configuration: /var/www/html/html
[Fri Jan 10 01:16:58.628610 2020] [access_compat:error] [pid 74943] [client 115.236.23.214:23522] AH01797: client denied by server configuration: /var/www/html/public
[Fri Jan 10 01:17:01.977369 2020] [access_compat:error] [pid 75612] [client 115.236.23.214:27359] AH01797: client denied by server configuration: /var/www/html/TP
[Fri Jan 10 01:17:02.313873 2020] [access_compat:error] [pid 74944] [client 115.236.23.214:41613] AH01797: client denied by server configuration: /var/www/html/elrekt.php
[Fri Jan 10 01:17:02.646828 2020] [access_compat:error] [pid 74947] [client 115.236.23.214:43978] AH01797: client denied by server configuration: /var/www/html/index.php
[Fri Jan 10 01:17:02.996386 2020] [access_compat:error] [pid 74945] [client 115.236.23.214:48089] AH01797: client denied by server configuration: /var/www/html/
[Fri Jan 10 01:32:29.429537 2020] [proxy:error] [pid 74941] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 67.21.95.219:777 (*) failed
[Fri Jan 10 01:32:29.429587 2020] [proxy_http:error] [pid 74941] [client 156.252.238.37:15624] AH01114: HTTP: failed to make connection to backend: www.qyl788.com, referer: http://www.qyl788.com/
[Fri Jan 10 01:34:42.850092 2020] [proxy_http:error] [pid 80453] (70007)The timeout specified has expired: [client 156.252.238.33:12880] AH01110: error reading response, referer: http://www.qyl788.com/
[Fri Jan 10 01:40:19.160093 2020] [proxy:error] [pid 82590] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 67.21.95.219:777 (*) failed
[Fri Jan 10 01:40:19.160148 2020] [proxy_http:error] [pid 82590] [client 156.252.238.50:19316] AH01114: HTTP: failed to make connection to backend: www.qyl788.com, referer: http://www.qyl788.com/
[Fri Jan 10 01:40:19.160417 2020] [proxy:error] [pid 82591] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 67.21.95.219:777 (*) failed
[Fri Jan 10 01:40:19.160464 2020] [proxy_http:error] [pid 82591] [client 156.252.238.50:19252] AH01114: HTTP: failed to make connection to backend: www.qyl788.com, referer: http://www.qyl788.com/
[Fri Jan 10 01:40:19.160718 2020] [proxy:error] [pid 82592] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 67.21.95.219:777 (*) failed
[Fri Jan 10 01:40:19.160757 2020] [proxy_http:error] [pid 82592] [client 156.252.238.50:19276] AH01114: HTTP: failed to make connection to backend: www.qyl788.com, referer: http://www.qyl788.com/
[Fri Jan 10 01:40:19.167800 2020] [proxy:error] [pid 82593] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 67.21.95.219:777 (*) failed
[Fri Jan 10 01:40:19.167837 2020] [proxy_http:error] [pid 82593] [client 156.252.238.50:19288] AH01114: HTTP: failed to make connection to backend: www.qyl788.com, referer: http://www.qyl788.com/
[Fri Jan 10 01:40:20.236770 2020] [proxy:error] [pid 82620] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 67.21.95.219:777 (*) failed
[Fri Jan 10 01:40:20.236770 2020] [proxy:error] [pid 82623] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 67.21.95.219:777 (*) failed
[Fri Jan 10 01:40:20.236873 2020] [proxy_http:error] [pid 82620] [client 156.252.238.50:19396] AH01114: HTTP: failed to make connection to backend: www.qyl788.com, referer: http://www.qyl788.com/
[Fri Jan 10 01:40:20.236873 2020] [proxy_http:error] [pid 82623] [client 156.252.238.50:19346] AH01114: HTTP: failed to make connection to backend: www.qyl788.com, referer: http://www.qyl788.com/
[Fri Jan 10 01:40:20.237263 2020] [proxy:error] [pid 82626] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 67.21.95.219:777 (*) failed
[Fri Jan 10 01:40:20.237260 2020] [proxy:error] [pid 82619] (70007)The timeout specified has expired: AH00957: HTTP: attempt to connect to 67.21.95.219:777 (*) failed
[Fri Jan 10 01:40:20.237315 2020] [proxy_http:error] [pid 82626] [client 156.252.238.50:19246] AH01114: HTTP: failed to make connection to backend: www.qyl788.com, referer: http://www.qyl788.com/
[Fri Jan 10 01:40:20.237315 2020] [proxy_http:error] [pid 82619] [client 156.252.238.50:19248] AH01114: HTTP: failed to make connection to backend: www.qyl788.com, referer: http://www.qyl788.com/
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
nociSoftware Engineer
Distinguished Expert 2018

Commented:
Use host allow / deny to allow proxy access only from known / allowed sources.

Author

Commented:
How do I do this?
nociSoftware Engineer
Distinguished Expert 2018

Commented:
(host allow/deny  is apache 2.2... i overlooked the 2.4 you mentioned)

proxying / forwading will NOT touch your disk, so a <Directory > entry will not help in fending those services.
I need to be done on the <Location > entries, or <VirtualHost entries>

Check this part of the apache config:
https://httpd.apache.org/docs/2.4/howto/access.html

<RequireAll>
    Require all granted
    Require not ip 10.252.46.165
</RequireAll>

Open in new window

David FavorFractional CTO
Distinguished Expert 2018

Commented:
Easy. You'll do this like all large companies do this.

Install Fail2Ban, then...

Write a simple recipe to block an IP for 1 day, which accesses your machine by IP, rather than host/domain.

This always points to hackers, as probing by IP never occurs when looking up a real Web site.

Fail2Ban will manage blocking/unblocking IPs, because once one IP is blocked, the attacker's software will usually rotate to a new IP in milliseconds, so hand editing files will only work where 1x attacking IP is involved + fail for all Bot Farm attacks.
Distinguished Expert 2017

Commented:
please clarify what you have. A reverse proxy can not be overtaken by external

limit as others pointed out your port forwarding settings

not sure what your setup is that you need port forwarding from apache.
There are different ways to achieve the same thing.

i.e. use workers to interact with other things on your LAN
coworkers recommended nginx so I'll be evaluating this
nociSoftware Engineer
Distinguished Expert 2018

Commented:
nginx has some definite pro's (scales better in large environments) the question was about  Apache though.
nginx still requires setting up access rules like:

location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}

Open in new window


See also here: https://nginx.org/en/docs/http/ngx_http_access_module.html
David FavorFractional CTO
Distinguished Expert 2018

Commented:
Note: NGINX is a Web server proxy + has nothing to do with blocking attack traffic.

To block attack traffic, you'll use Fail2Ban with either your Apache logs or NGINX logs as input data.