[CentOS] (c 5.6) Running 2 versions of Apache ?

Always Learning centos at u61.u22.net
Mon Aug 29 19:25:14 UTC 2011 

On Mon, 2011-08-29 at 13:35 -0500, Les Mikesell wrote:

> For light use you could drop in VMware server or player or virtualbox
> without much effect on the current system.  It shouldn't be necessary,
> though, unless you'd like to install otherwise conflicting rpm
> packages or give root access to someone on the virtual server only.

I've use Virtual Box successfully for Windoze 98 to run Ami Pro 3.1.

> So why can't you do that for your new virtualhost instead of running
> on a different IP?

A mentally deranged lunatic has sent 30,000+ wrong URLs to a tiny web
site. Its started about 5 August but significantly escalated on 22
August. 

My Apache routine can add the IPs to iptables and block them. Since 22
August the lunatic has used over 100 different IPs from around the world
to send those wrong URLs which always seem to include one of these:-

	forgotten_password.php

	login.php

	contact.php

Assigning a spare IP address to this small web site should make it
easier for me to experiment with IP tables and examine TCP packets
without disturbing the server's normal workings. For example no valid
HTTP request sent to that IP address should contain 'pas' or 'log' or
'con' so if I detect these the packets can be dropped - that is the
theory. With dropped packets I lose the ability to easily record IP
address and host name. However my web page has over 100 entries of
machines compromised in the current abuse, so loosing new details is
worth the satisfaction of blocking the loony.

> If you are just firewalling there, apache can permit/deny ip ranges on
> its own for a location or virtualhost.

I don't know which IP address to block until at least one 'hit'. For low
level abuse, I use a routine to add 'Deny from' to the site's .htaccess
file. An IP blocked with this method can still access HTTPD where it
will receive a 403 rejection. Thus successful blocks still involve the
web server.

By filtering in IP tables by IP and then port, I can try to identity
those keywords: con, pas, log and, if successful, drop the packets.
Packet length, used by this lunatic, with a very few exceptions, is 60
bytes, so I could potentially identify the required 3-byte fragments. 

It is amazing so many machines can be broken-into or misused by one
deranged lunatic. I wonder if those machines run on Windoze.

Paul.

More information about the CentOS mailing list