<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1226" name=GENERATOR></HEAD>
<BODY style="MARGIN-TOP: 2px; FONT: 10pt Arial; MARGIN-LEFT: 2px">
<DIV>What I'm asking, is there a way to detect HTTP traffic and only allow
traffic through that is accessing the virtual web sites on the webserver.
Two weeks ago I found out that spamming was done using HTTP traffic to disguise
its real intent and Matt discovered and fixed it. Also what I'm
asking is since it's possible to have a filtering list attached to a mail server
(e.g. check if the address is a known spam address) to validate that
the sender is a known spammer, is there a similar filtering mechanism for HTTP,
DNS and ICMP traffic. Yes I know that some of the HTTP, DNS and ICMP
traffic is legit, I want to filter out the illegitimate traffic. Surely
it's possible to do a similar filtering system. Since the traffic that is
being disguised as </DIV>
<DIV>Is this better handled by number of packets/sec in a firewall rule?</DIV>
<DIV>IDS systems only detect; they do not act on this detection unless someone
knows of one that does. If so, I would be interested in such a package.</DIV>
<DIV> </DIV>
<DIV>As for the hoax mail, since the mail is coming through SMTP, it can be further
checked. Since all SMTP connections are allowed I guess the only
available method is blocking attachments, and content filtering. But this
has its drawbacks as some of the mail may be valid. Either way the
spammer gets his traffic to and through to a certain point. This of course
causes traffic to slow down due to the volume.</DIV>
<DIV>see JLM> for comments</DIV>
<DIV> </DIV>
<DIV>Jon L. Miller, MCNE, CNS<BR>Director/Sr Systems Consultant<BR>MMT Networks
Pty Ltd<BR><A
href="http://www.mmtnetworks.com.au">http://www.mmtnetworks.com.au</A></DIV>
<DIV> </DIV>
<DIV>"I don't know the key to success, but the key to failure<BR> is trying
to please everybody." -Bill Cosby</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><BR>>>> devenish@guild.uwa.edu.au 10:33:41 AM 20/09/2003
>>><BR>In message <sf6c28e2.069@mmtnetworks.com.au><BR>on Sat,
Sep 20, 2003 at 10:15:55AM +0800, Jon Miller wrote:<BR>> while viewing
the logs (/var/log/httpd/access.log) and seeing a lot of MS<BR>> hoax e-mails
being deleted by MailMonitor I'm wondering is it possible<BR>> to block
certain sites from accessing the web server.<BR><BR>I'm confused: you are
receiving lots of hoax e-mails. Okay. What on<BR>earth does this have to do with
your web server?<BR><BR>> Unlike mail servers where one can setup
blacklist/blackholes/rbl list<BR>> is there such a service for web
servers?<BR><BR>Absolutely. There are many ways of doing this. For
example:<BR><BR>- packet and connection filters (e.g. ipchains,
tcpwrappers)<BR>- web server configuration (consult documentation for your web
server)<BR><BR>Apache has directives such as Allow and Deny. It is possible to
make it<BR>much more sophisticated than that, though.<BR>JLM> You stated
absolutely to the web server question using ipchains, etc, but wouldn't this
have to be constantly updated with new IP addresses as they become
available?<BR><BR>> I've noticed the following:<BR>> <BR>>
/var/log/httpd/error.log<BR>> [Sat Sep 20 10:01:12 2003] [error] [client
61.139.60.84] File does not exist: /var/www/html/tmpad/banner/itrack.asp<BR>>
[Sat Sep 20 10:01:13 2003] [error] [client 61.139.60.84] File does not exist:
/var/www/html/a.htm<BR>> [Sat Sep 20 10:01:22 2003] [error] [client
210.83.18.98] File does not exist: /var/www/html/search.php<BR>> [Sat Sep 20
10:01:35 2003] [error] [client 61.139.60.84] File does not exist:
/var/www/html/Affiliate/SB/search1.js<BR><BR>So what? Does this bother you in
some way? Could you elaborate?<BR>JLM> Yes as this just is a small amount, in
the log files this goes on for hours on end, thus limiting our services. We use
a 2M/@M connection and at times it feels like a
56kb connection. The logs are flooded with these errors.</DIV>
<DIV><BR>> /var/log/httpd/access.log<BR>> 221.pool0.dsltokyo.att.ne.jp - -
[20/Sep/2003:10:08:26 +0800] "GET / HTTP/1.1" 200 9515<BR>>
public2-runc2-5-cust118.manc.broadband.ntl.com - - [20/Sep/2003:10:08:26 +0800]
"GET / HTTP/1.1" 200 9515<BR>[...]<BR>> These may or may not be legit
entries, is there a way to tell other than bringing those sites up.<BR><BR>Huh?
What do you mean "legit entries"? They are log entries of pages<BR>served by
your web server, correct? So...they are simply a record of<BR>what was
happening. From the information that you've presented so far,<BR>it looks like
two remote users accessed a home page that is served by<BR>your web server. What
is the problem with that? Many websites have<BR>hundreds of thousands or millions
of accesses to their home pages every<BR>day. The two remote hosts are probably
user machines...what do you mean<BR>"bringing those sites up"?<BR><BR>JLM>
Yes, these may be legitimate entries meaning they are looking at the client's web
pages, no problem here, but the client tracks the number of hits to their site,
these we know will count, but does the one such as these below count also?</DIV>
<DIV>61.139.60.84 - - [20/Sep/2003:11:43:26 +0800] "GET http://www.uccinema.com/a.htm HTTP/1.0" 404 199<BR>
220.113.15.29 - - [20/Sep/2003:11:43:33 +0800] "GET http://a.as-eu.falkag.net/dat/dlv/aslmain.js HTTP/1.1" 404 224<BR>
61.139.60.84 - - [20/Sep/2003:11:43:35 +0800] "GET http://ad.trafficmp.com/tmpad/banner/itrack.asp?rv=1.2&id=2873 HTTP/1.0" 404 217<BR></DIV>
<DIV>Since they are 404 codes I know they are not completing their GET command
because the pages or files do not exist, but the traffic they consume is
immense.</DIV>
<DIV> </DIV>
<DIV>So what I'm trying to understand is there must be a way to get our
bandwidth back and eliminate this type of traffic from consuming the bandwidth
or am I batting my head up against a hard wall?</DIV>
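<DIV>Added example (not from the thread): a small Python script, assuming the Apache common log format of the quoted access.log lines, that counts per-client 404s and requests for absolute URLs of sites this server does not host, then renders the result as the Apache Allow/Deny stanza the reply mentions. The 404 threshold, the absolute-URL heuristic and the /var/www/html Directory path are assumptions, and since such a list goes stale it should be regenerated from the logs rather than maintained by hand.</DIV>

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Sample input: the access.log lines quoted in the thread plus one constructed
# 404 from the same client, so the threshold below has something to hit.
SAMPLE_LOG = """\
221.pool0.dsltokyo.att.ne.jp - - [20/Sep/2003:10:08:26 +0800] "GET / HTTP/1.1" 200 9515
61.139.60.84 - - [20/Sep/2003:11:43:26 +0800] "GET http://www.uccinema.com/a.htm HTTP/1.0" 404 199
220.113.15.29 - - [20/Sep/2003:11:43:33 +0800] "GET http://a.as-eu.falkag.net/dat/dlv/aslmain.js HTTP/1.1" 404 224
61.139.60.84 - - [20/Sep/2003:11:43:35 +0800] "GET http://ad.trafficmp.com/tmpad/banner/itrack.asp?rv=1.2&id=2873 HTTP/1.0" 404 217
61.139.60.84 - - [20/Sep/2003:11:43:40 +0800] "GET /search.php HTTP/1.0" 404 210
"""

def summarize(log_text):
    """Per-client totals, 404s, and requests for absolute URLs of other sites."""
    stats = defaultdict(lambda: {"total": 0, "404": 0, "absolute_uri": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        s = stats[m.group("host")]
        s["total"] += 1
        if m.group("status") == "404":
            s["404"] += 1
        if m.group("target").lower().startswith(("http://", "https://")):
            s["absolute_uri"] += 1  # request for a full URL, not a local path
    return dict(stats)

def deny_candidates(log_text, min_404=2):
    """Clients with at least min_404 failed requests, worst offenders first."""
    stats = summarize(log_text)
    hosts = [h for h, s in stats.items() if s["404"] >= min_404]
    return sorted(hosts, key=lambda h: (-stats[h]["404"], h))

def apache_deny_block(hosts):
    """Apache 1.3/2.0 Order/Allow/Deny stanza for the chosen clients (assumed path)."""
    lines = ["<Directory /var/www/html>", "    Order allow,deny", "    Allow from all"]
    lines += [f"    Deny from {h}" for h in hosts]
    lines.append("</Directory>")
    return "\n".join(lines)
```

<DIV>On a real log a client with only a couple of 404s may be a stale bookmark rather than abuse, so review the candidates before pasting the stanza into the configuration.</DIV>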
<DIV> </DIV>
<DIV>Thanks<BR>_______________________________________________<BR>plug mailing
list<BR>plug@plug.linux.org.au<BR><A
href="http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug">http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug</A><BR><BR></DIV></BODY></HTML>