Correct way to block "www.example.com:80" HTTP HOST

Forum Moderators: phranque

Message Too Old, No Replies

Correct way to block "www.example.com:80" HTTP HOST

All seem to be harvesters using HTTP 1.0 clients

Wizcrafts

5:14 am on Apr 18, 2007 (gmt 0)

My raw access logs are revealing a lot of attempts, from previously blocked CIDRs, to download only .html files, where the SERVER_PROTOCOL is "HTTP/1.0" and the HTTP_HOST is always listed as "www.example.com:80" and the USER_AGENT is either blank or one that is phoney and on my blocklist. Normal requests do not include the :80 port assignment, ever. So far I have been blocking the CIDRs from which these probes arrived, or the user agents, but I would like to block the port 80 probe itself, without blocking normal traffic. Will the following accomplish this goal?

RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0
RewriteCond %{HTTP_HOST} ^www.example\.com:80$
RewriteRule .* - [F]

Sample:
69.65.***.*** www.example.com:80 - [09/Apr/2007:01:53:53 -0600] "POST /cgi-bin/mt/mt-tb.cgi/_332 HTTP/1.0" 403 67 "-" "Snoopy v1.2.3"

Are these Telnet probes, or some other type of blog spamming tool?

Thanks in advance

[edited by: Wizcrafts at 5:29 am (utc) on April 18, 2007]

jdMorgan

5:48 am on Apr 18, 2007 (gmt 0)

{SERVER_PROTOCOL} is the maximum protocol level of your server itself. You'll need to block by the protocol that the *client* is advertising:


RewriteCond %{THE_REQUEST} HTTP/1\.0$
RewriteCond %{HTTP_HOST} ^www\.example\.com:80$
RewriteRule .* - [F]

I've never (or rarely) seen this kind of access, so I don't know who/what they are.

Note: {THE_REQUEST} is the entire HTTP request header received from the client. Example:

GET /index.php?page=main HTTP/1.1

Jim

Wizcrafts

6:03 am on Apr 18, 2007 (gmt 0)

Jim;
Thanks for the clarification about the way to block the client's protocol. I almost had it right.

I began seeing these port 80 requests in both GETs and POSTs that are mostly, but not entirely related to my blog. I had to disable comments and trackbacks on my MT blog after coming under a heavy spam attack from Russian and Ukrainian blog spammers. Despite my disabling MT comments and trackbacks and deleting their Perl scripts, and posting a notice that no comments or trackbacks are allowed, and deleting all comments (even my own) that existed from day one, they still persist in trying to spam my non-spammable blog, or to search it for comments they tried to POST (unsuccessfully). This clutters my non-published access logs, but gives me an ever increasing list of IP addresses/CIDRs to add to my blocklists.

Achernar

9:44 am on Apr 18, 2007 (gmt 0)

jdMorgan:
As far as I know (and I've verified with "phpinfo()"), {SERVER_PROTOCOL} is the protocol used by the server for this connection. It's HTTP/1.0 if the request has used HTTP/1.0.

jdMorgan

2:12 pm on Apr 18, 2007 (gmt 0)

...Unless the client is an early version of Netscape, MSIE, or various media players, in which case many hosting companies have the "downgrade HTTP/1.1 response to HTTP/1.0 for old clients" code pre-installed in httpd.conf. So checking the client request is still a more robust method.

Jim