Apache ignoring deny directive?
on 05.01.2008 09:47:46 by Unknown
My httpd.conf file has a deny rule to exclude top level domains I don't
wish to talk to. The "test" rule is the IP for my subnet; when I
uncomment it I get a 403 from the server, as I would expect.
Host name lookups are on.
The strange thing is, looking at the logs, this seems to almost work. I get
entries like this one:
[04/Jan/2008:13:37:15 +0000] proxy.asianet.co.th www.website "GET
/code.cgi HTTP/1.1" 200 4296
I started with a .th deny rule; that didn't work, so I added a .co.th deny
rule in case Apache has a weird definition of a top level domain?
Is this a bug or am I doing this wrong?
I would have preferred to do this with tcpwrappers, but for some strange reason
Apache doesn't seem to have an option to play nice with it?
***** httpd.conf partial
Options +ExecCGI -Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
# Test deny = me
#Deny from MySubnet/255.255.255.0
Deny from .ee
Deny from .ar
Deny from .co
Deny from .ru
Deny from .ch
Deny from .kp
Deny from .kr
Deny from .ni
Deny from .pl
Deny from .pk
Deny from .ro
Deny from .cl
Deny from .cz
Deny from .cn
Deny from .si
Deny from .sk
Deny from .ps
Deny from .tr
Deny from .uz
Deny from .uz
Deny from .yu
Deny from .zw
Deny from .zm
Deny from .jp
Deny from .tw
Deny from .nl
Deny from .es
Deny from .py
Deny from .my
Deny from .mx
Deny from .vn
Deny from .th
Deny from .br
Deny from .net.br
Deny from .telstra.net
Deny from .co.th
Deny from .net.mx
Re: Apache ignoring deny directive?
on 06.01.2008 16:30:44 by Unknown
On Sat, 05 Jan 2008 10:39:01 +0100, Davide Bianchi wrote:
> On 2008-01-05, Unknown wrote:
>> Host name lookups are on.
>
> The problem is that host name lookups are subject to DNS poisoning and
> other DNS related problems, so if the IP of the requesting host isn't
> found in the 'domain' you defined, it isn't stopped EVEN if the hostname
> resolves to such a name. You'd better use a firewall rule and block the IP
> range at TCP level (it is even faster).
>
>
Thanks for taking the time to reply.
I understand the idea of DNS poisoning, but I fail to understand what the
server is doing with my rules in order to fail to block the top level
domain.
I'm a bit surprised that the server doesn't parse the hostname
against the Deny rule string? If it's gone to the effort of doing a reverse
lookup to get the hostname, why doesn't the server simply string compare
it to the deny rule? The "Deny from .domain" rule can't be being
converted to a scope by the server, as the zone may contain many and varied
subnets ....
I simply don't understand what the server is doing in order to fail
to block the domains in this way. If the reverse lookup of an IP is
X.Y.Z.Barred domain, even if that DNS entry is forged or doesn't forward
and reverse map it should still give a 403 ??
PS Anyone know what response code 40 is? I can't find it in the Apache
documentation, but it is in the log a couple of times!
Thanks, Jon
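The question above (why the log shows proxy.asianet.co.th yet "Deny from .co.th" never fires) comes down to which DNS lookup each part of Apache uses. In Apache 2.x, "%h" in the access log with HostnameLookups On performs a single reverse (PTR) lookup, while host-based Allow/Deny rules in mod_access / mod_authz_host use a double-reverse lookup: the PTR name is only trusted if a forward lookup of that name returns the original client IP. A client whose PTR record is not forward-confirmed therefore appears by name in the log but is treated as having no hostname by the access control, so no "Deny from .domain" rule can match it (HostnameLookups Double makes the log use the same check). The following Python model is an added example written for this thread, not Apache's code or the poster's configuration; the PTR and A records are constructed sample data using RFC 5737 documentation addresses, and in_domain() follows the suffix-matching rule Apache applies to "Deny from" hostnames:

```python
"""Model of how Apache evaluates a host-based "Deny from .domain" rule.

Added illustration for this thread, not Apache's own code. The DNS tables
below are constructed sample data (RFC 5737 documentation addresses), not
records taken from the original posts.
"""
from typing import Dict, List, Optional, Tuple

# Constructed PTR (reverse) records: client IP -> hostname.
PTR: Dict[str, str] = {
    "203.0.113.10": "proxy.example.co.th",
    "198.51.100.7": "mail.example.net.br",
    "192.0.2.44": "www.example.com",
}

# Constructed A (forward) records: hostname -> addresses.
# proxy.example.co.th deliberately does NOT map back to 203.0.113.10,
# which reproduces the symptom seen in the thread.
A: Dict[str, List[str]] = {
    "proxy.example.co.th": ["203.0.113.99"],
    "mail.example.net.br": ["198.51.100.7"],
    "www.example.com": ["192.0.2.44"],
}

# A subset of the Deny list from the original post, plus one rule without
# a leading dot to show the label-boundary behaviour.
DENY: List[str] = [".th", ".co.th", ".br", ".net.br", ".co", "telstra.net"]


def remote_name(ip: str) -> Optional[str]:
    """Single reverse lookup: what "%h" logs with HostnameLookups On."""
    return PTR.get(ip)


def remote_double_rev(ip: str) -> Optional[str]:
    """Double-reverse lookup used for Allow/Deny by hostname: the PTR name
    is kept only if its forward lookup contains the original client IP."""
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, []):
        return None
    return name


def in_domain(domain: str, host: str) -> bool:
    """Apache-style suffix match, case-insensitive and anchored on a label
    boundary: 'Deny from good.com' must not match nogood.com, and a rule
    with a leading dot ('.co') must not match example.com."""
    dl, wl = len(domain), len(host)
    if wl < dl or host[wl - dl:].lower() != domain.lower():
        return False
    if wl == dl:
        return True  # whole hostname matched
    return domain.startswith(".") or host[wl - dl - 1] == "."


def access_status(ip: str, deny: List[str]) -> int:
    """'Order allow,deny' with 'Allow from all': any matching Deny wins."""
    host = remote_double_rev(ip)
    if host is not None and any(in_domain(d, host) for d in deny):
        return 403
    return 200


def explain(ip: str, deny: List[str] = DENY) -> Tuple[Optional[str], Optional[str], int]:
    """Return (name the access log shows, name the ACL actually tested, status)."""
    return remote_name(ip), remote_double_rev(ip), access_status(ip, deny)


if __name__ == "__main__":
    for client in PTR:
        logged, tested, status = explain(client)
        print(f"{client:14} logged as {logged!s:22} ACL saw {tested!s:22} -> {status}")
```

Running it shows the first constructed client logged under a .co.th name but served with 200, because the ACL saw no confirmed hostname, while the forward-confirmed .net.br client gets 403. It also shows that ".co" does not match www.example.com, so the ".co" rule in the original list cannot be doing anything unexpected to .com visitors.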
Re: Apache ignoring deny directive?
on 06.01.2008 19:49:33 by HansH
"Unknown" wrote in message
news:pan.2008.01.05.08.47.45.810931@way.co.uk...
> My httpd.conf file has a deny rule to exclude top level domains I don't
> wish to talk to. The "test" rule is the IP for my subnet, when I
> uncomment it I get a 403 from the server as I would expect.
>
> Host name lookups are on.
>
> The strange thing is looking at the logs this seems to almost work. I get
> entries like this one
> [04/Jan/2008:13:37:15 +0000] proxy.asianet.co.th www.website "GET
> /code.cgi HTTP/1.1" 200 4296
>
The multiple white space before and after proxy.asianet.co.th puzzles me ...
... trailing whitespace might break the match 'deny from' should have made.
Please add single quotes around this field in your custom log format and repost
a line.
If indeed trailing whitespace is fooling the deny, file a bug report.
Whilst a rewrite may help you out (I'm too lazy to process all TLDs you
listed):
rewriteengine on
rewritecond %{REMOTE_HOST} \.(vn|th|br) *$
rewriterule . - [F]
HansH