Under Attack

fiberman

Joined: 2003-03-22
Posts: 7
Posted: Sat, 2003-03-22 02:36

Hi all,

I've had my album up for about a year using a php.cgi version because of server restrictions, and at noon today I came under attack from two IPs making such rapid requests of the large php.cgi file that it didn't have time to execute before the next request of the file, causing the server to get tied up. My server operator changed the name of the php.cgi file to save the server and put my album down. We restored it two hours later only to come under attack again, requiring the file name to be changed again.
I didn't know any Unix and had Blake install this for me last year and it has been working fine until now.
My question is, can I change the file attributes to prevent direct access to the album files and make everyone come through the main page somehow? I don't know which folders or files to change to make this work. I'm not even sure if this will prevent the attacks.
I will make another donation for some help on this.

Bill

 
alindeman

Joined: 2002-10-06
Posts: 8194
Posted: Sat, 2003-03-22 04:03

No, you can't do this with Gallery 1.x. Gallery 2 will have an image firewall. Why can't your host just block those IPs?

This won't really stop the attacks, at least not the kind you're talking about. Best way would be to block the IPs that are causing the trouble...

 
fiberman

Joined: 2003-03-22
Posts: 7
Posted: Sat, 2003-03-22 06:19

My host doesn't provide this service for one site on a server and they said that most IPs are not static but will roll.
Are you telling me that there is no way to restrict access to the gallery...a door that they would have to go through for access to that php.cgi file? I'm dead. That means that these people can attack any gallery and shut it down by hammering its files.
I restored it after four hours but within 15 minutes one of the same IPs started hammering and then a new IP, with the last of the address being different, joined in with the first.
I guess they win and I am shut down. This could destroy a business.

 
fiberman

Joined: 2003-03-22
Posts: 7
Posted: Sat, 2003-03-22 08:50

In a Google search on restricting access, I saw a .htaccess file used for blocking IP access:

You can use htaccess to block certain ip addresses from accessing your site. This might be one particular person who's giving you grief, or an ip range from a certain country you'd prefer not to access your site. You can use a full ip address, or only a partial ip. If you put in '203.156.187.269' this will block only users with that exact ip address. Keep in mind that users who run through a proxy server will have a different ip number each time they connect, so you might want to use, for example, '203.156.187'. This will block all users with the ip address of 203.156.187.000 - 203.156.187.999.

<Limit GET HEAD POST>
order allow,deny
deny from 203.156.187.269
allow from all
</Limit>

There is a .htaccess file in the php-cgi folder that refers to the php.cgi file that is being hit. It has this text:
AddType application/cgi-php php
Action application/cgi-php /cgi-bin/php.cgi

Could I put the filter text before the application text in this .htaccess file or should I create a separate .htaccess file and place it in my mainwebsite_html folder that contains the php-cgi folder?

 
JadeDragon

Joined: 2003-02-15
Posts: 332
Posted: Sat, 2003-03-22 15:32

The .htaccess file can be put in any directory from root to the image gallery itself.

If you are having troubles with this IP then the best place to put it is in the first "public" directory. The code you have is correct and can be appended into an existing .htaccess file.

You can also put up an anti-leech directive since you're at it. This will prevent hotlinking pictures off your site.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://domainname\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.domainname\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://sub\.domainname\.com [NC]
RewriteRule [^/]+\.(gif|jpg|GIF|JPG)$ - [F]

You can add different extensions in the last line separated by the | such as

RewriteRule [^/]+\.(gif|jpg|mov|avi|htm*|php)$ - [F]

You only need to have CAPITALIZED extensions if you have them in your files. You may also notice I put a wild card * after htm; this will also protect the html files. Also note that you do not want a trailing / after your domain name; make sure you leave this off.

:smile:
Jade
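
A check of which requests the anti-leech rules in the post above would refuse, as an added example that is not part of the original post. It models the RewriteCond and RewriteRule matching in Python; the function name `is_forbidden`, the sample requests and the host `other.example` are constructed for illustration.

```python
import re

# Referer prefixes from the post's RewriteCond lines (placeholder domains).
ALLOWED_REFERERS = [
    r"^http://domainname\.com",
    r"^http://www\.domainname\.com",
    r"^http://sub\.domainname\.com",
]

def is_forbidden(path, referer, extensions):
    """Return True when the modelled rule set would answer 403.

    Every negated RewriteCond must hold (they are ANDed, and [NC] makes
    them case-insensitive) and the RewriteRule pattern must match the path.
    """
    no_allowed_referer = all(
        re.search(p, referer, re.IGNORECASE) is None for p in ALLOWED_REFERERS
    )
    rule = re.compile(r"[^/]+\.(" + extensions + r")$")  # case-sensitive
    return no_allowed_referer and rule.search(path) is not None

# Constructed requests: (path, Referer header, extension alternation).
SAMPLES = [
    ("albums/cat.jpg", "http://www.domainname.com/gallery/", "gif|jpg|GIF|JPG"),
    ("albums/cat.jpg", "http://other.example/page", "gif|jpg|GIF|JPG"),
    ("albums/cat.jpg", "", "gif|jpg|GIF|JPG"),  # no Referer sent at all
    ("albums/cat.JPG", "http://other.example/page", "gif|jpg"),
    ("index.htm", "http://other.example/page", "gif|jpg|mov|avi|htm*|php"),
    ("index.html", "http://other.example/page", "gif|jpg|mov|avi|htm*|php"),
    ("index.html", "http://other.example/page", "gif|jpg|mov|avi|html?|php"),
]

if __name__ == "__main__":
    for path, referer, exts in SAMPLES:
        verdict = "403" if is_forbidden(path, referer, exts) else "served"
        print(f"{path:16} referer={referer!r:40} ({exts}) -> {verdict}")
```

A request with no Referer at all is refused under these rules, and `htm*` matches `.ht` and `.htm` but not `.html`, while `html?` covers both `.htm` and `.html`. The Referer header is set by the client, so this limits casual hotlinking and does nothing about request rate.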

 
fiberman

Joined: 2003-03-22
Posts: 7
Posted: Sat, 2003-03-22 18:50

Jade,
Thank you for the very useful information and I will do some testing as soon as I can contact my host.

What text would I put in a test filter to allow only my IP to access the gallery so I can get control and test my site for damage before I install the IP blocking filter?
It would be very useful to have some calm so I can do my work.

Bill

 
JadeDragon

Joined: 2003-02-15
Posts: 332
Posted: Sat, 2003-03-22 19:26

Same as your above post only reverse it a bit.

<Limit GET HEAD POST>
order deny,allow
deny from all
allow from your IP
</Limit>
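
How the `order` line decides between `allow` and `deny` for the two rule sets discussed in this thread (blocking one address, and admitting only one address), as an added example that is not part of the original posts. It is a simplified IPv4-only model of the documented Order/Allow/Deny behaviour, not Apache's code; the function names and the addresses (taken from documentation ranges) are constructed.

```python
def matches(spec, ip):
    """Match 'all', a full address, or a partial address on whole octets."""
    if spec == "all":
        return True
    want, have = spec.rstrip(".").split("."), ip.split(".")
    return have[:len(want)] == want

def access_allowed(order, allow, deny, ip):
    """Evaluate one client address against allow/deny lists."""
    allowed = any(matches(s, ip) for s in allow)
    denied = any(matches(s, ip) for s in deny)
    if order == "allow,deny":
        # Allow is evaluated first and Deny last: a Deny match always wins,
        # and a client matching neither list is refused.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is evaluated first and Allow last: an Allow match always wins,
        # and a client matching neither list is admitted.
        return allowed or not denied
    raise ValueError("order must be 'allow,deny' or 'deny,allow'")

OWNER = "192.0.2.10"      # constructed: the site owner's address
NOISY = "198.51.100.7"    # constructed: an address to be blocked

def demo():
    """Return the outcome of each rule set for the constructed addresses."""
    return {
        # Blocklist: everyone in, one address (or one /24-style prefix) out.
        "block_noisy": access_allowed("allow,deny", ["all"], [NOISY], NOISY),
        "block_owner": access_allowed("allow,deny", ["all"], [NOISY], OWNER),
        "block_prefix": access_allowed("allow,deny", ["all"], ["198.51.100"],
                                       "198.51.100.99"),
        # Allowlist written with allow,deny: 'deny from all' wins for everyone.
        "lockout_owner": access_allowed("allow,deny", [OWNER], ["all"], OWNER),
        # Allowlist written with deny,allow: only the listed address gets in.
        "only_owner": access_allowed("deny,allow", [OWNER], ["all"], OWNER),
        "only_noisy": access_allowed("deny,allow", [OWNER], ["all"], NOISY),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {'admitted' if result else 'refused'}")
```

An allowlist therefore needs `order deny,allow`; with `order allow,deny`, `deny from all` refuses the allowed address as well.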

 
vallimar

Joined: 2002-08-15
Posts: 487
Posted: Thu, 2003-04-03 22:51

You can also fiddle with the permissions of your php.cgi binary.
Try just allowing the execute permission bit, and removing the read/write ones.
They wouldn't be able to download it then, but I'm not sure if the webserver
will be able to use it either.

 
alindeman

Joined: 2002-10-06
Posts: 8194
Posted: Thu, 2003-04-03 23:38

vallimar: I'm pretty sure that the read permission must be set in order for the web server to be able to execute the program (in addition to the execute)

I tested this on my Linux box...
(as root)
# chmod ugo=x /tmp/test (/tmp/test is just a simple bash shell script)
# ls -l /tmp/test
---x--x--x 1 root root 18 Apr 3 17:36 /tmp/test

(as regular user)
$ /tmp/test
/tmp/test: /tmp/test: Permission denied