Rich Kulawiec on 7 Dec 2017 15:26:27 -0800
Re: [PLUG] My domain's .htaccess file is giving me fits
On Thu, Dec 07, 2017 at 08:23:51AM -0800, george@georgesbasement.com wrote:

> Ever since the Russians started their attacks, I have been keeping
> track of the IP addresses and servers that are making HEAD / HTTP
> requests.

[snip]

The place to do this is in the perimeter router and/or in the firewall, not at the web server. Why? (1) it's easier (2) it's more efficient (3) it's more effective (4) it covers everything, not just HTTP/HTTPS.

To do this:

First, get the Spamhaus DROP (Don't Route Or Peer) list, along with the EDROP list:

http://www.spamhaus.org/drop/drop.txt
http://www.spamhaus.org/drop/edrop.txt

They're small. Take a look at them.

Second, get ipdeny.com's list of all network blocks by country:

http://ipdeny.com/ipblocks/data/countries/all-zones.tar.gz

Unpack that and find ru.zone (for your particular use case). Note that the tarball contains one file per country with a list of the allocations in CIDR format. Note that this is updated periodically. (As are the DROP/EDROP lists. Also, they have a second column with more information about their provenance.)

Third, configure your router/firewall to simply drop all incoming traffic from the DROP list, the EDROP list, and everything in ru.zone on the floor. Not even a NACK. Just drop it, and optionally log it.

Fourth, enjoy the silence.

Comments:

1. Everyone should be using the DROP and EDROP lists. They're extremely well-curated.

2. Moreover, everyone should be using them *bidirectionally*, because there are no possible outcomes of sending traffic to those networks that are good for you.

3. I block various countries from various services, and some from all services. Choose yours based on your operational requirements. For example, if I was managing a web site for a bowling league based in Reading, PA, I would block *everything* and then only allow traffic from us.zone. Yes, this means that someone in Peru or Portugal or Pakistan couldn't see the web site. It also means that they couldn't attack it. Probably a good tradeoff for a site whose entire intended audience is almost certainly in the US.

4. Supplement all of this with individual blocks as the need arises.

5. Yes, all of this can be bypassed with proxies and VPNs and Tor and botnets and and and. It's not a panacea. But it does take the edge off, and that in turn makes the remaining problem more tractable.

---rsk

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
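The four-step procedure above, as an added shell example that is not from the post or the PLUG list: it parses Spamhaus DROP/EDROP-format files (prefix, then a `; SBL...` provenance column) and an ipdeny zone file into an nftables ruleset that silently drops inbound traffic from all three lists and, per comment 2, outbound traffic to DROP/EDROP networks as well. The table and set names and the sample prefixes (RFC 5737 documentation ranges) are assumptions; feed it the real drop.txt, edrop.txt and ru.zone in practice.

```shell
#!/bin/sh
# Build an nftables ruleset from DROP/EDROP list files and an ipdeny zone file.
# Sample inputs are constructed placeholders, not real list contents.

# Print IPv4 prefixes from one or more list files, one per line, de-duplicated.
# Spamhaus lines look like "192.0.2.0/24 ; SBL123" (provenance after ';'),
# ipdeny zone files are bare CIDRs. Comments and malformed entries are dropped.
extract_cidrs() {
    cat "$@" \
      | sed -e 's/;.*$//' -e 's/[[:space:]]//g' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
      | sort -u
}

# Join prefixes into the comma-separated form nft expects inside { }.
join_elems() { paste -s -d ',' -; }

# Usage: build_ruleset DROP_FILE EDROP_FILE ZONE_FILE  (prints ruleset to stdout)
# Inbound from any list is dropped with no reject/ICMP; outbound to DROP/EDROP
# is dropped too, since there is never a legitimate reason to talk to them.
build_ruleset() {
    drop=$(extract_cidrs "$1" "$2" | join_elems)
    zone=$(extract_cidrs "$3" | join_elems)
    cat <<EOF
table inet blocklist {
    set drop_edrop { type ipv4_addr; flags interval; elements = { $drop } }
    set country    { type ipv4_addr; flags interval; elements = { $zone } }
    chain input {
        type filter hook input priority -10; policy accept;
        ip saddr @drop_edrop counter drop
        ip saddr @country counter drop
    }
    chain output {
        type filter hook output priority -10; policy accept;
        ip daddr @drop_edrop counter drop
    }
}
EOF
}

# Constructed sample files (documentation prefixes, duplicate and junk lines
# included) so the script can be exercised offline: write_samples DIR
write_samples() {
    printf '; Spamhaus DROP List (constructed sample)\n192.0.2.0/24 ; SBL000001\n198.51.100.0/24 ; SBL000002\n' > "$1/drop.txt"
    printf '198.51.100.0/24 ; SBL000002\nnot a prefix\n' > "$1/edrop.txt"
    printf '203.0.113.0/24\n203.0.113.0/24\n' > "$1/ru.zone"
}
# Example: d=$(mktemp -d); write_samples "$d"; build_ruleset "$d/drop.txt" "$d/edrop.txt" "$d/ru.zone"
```

Load the generated file with `nft -f` after reviewing it; the `counter` on each rule gives you the optional logging the post mentions without emitting any reply to the sender.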