
preventing some IPs from being logged in apache
I've one persistent user (Russian IP) that is populating my apache log files.

I tried 00_mod_log_config.conf

SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog
CustomLog /var/log/apache2/deflate_log deflate env=!dontlog
CustomLog /var/log/apache2/access_log common env=!dontlog

But I still see this IP in my access_log.
Re: preventing some IPs from being logged in apache
On Monday, 11 January 2021 23:05:55 GMT thelma@sys-concept.com wrote:
> I've one persistent user (Russian IP) that is populating my apache log
> files.
>
> I tried 00_mod_log_config.conf
>
> SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog
> CustomLog /var/log/apache2/deflate_log deflate env=!dontlog
> CustomLog /var/log/apache2/access_log common env=!dontlog
>
> But I still see this IP in my access_log.

If it is the same IP address persistently attacking the server, I would be
tempted to block it, or the whole /24 subnet it belongs to, at the perimeter
firewall. Of course, persistent actors will hop off another IP address, so
there are diminishing returns in this game.
Re: preventing some IPs from being logged in apache
On 1/11/21 4:41 PM, Michael wrote:
> On Monday, 11 January 2021 23:05:55 GMT thelma@sys-concept.com wrote:
>> I've one persistent user (Russian IP) that is populating my apache log
>> files.
>>
>> I tried 00_mod_log_config.conf
>>
>> SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog
>> CustomLog /var/log/apache2/deflate_log deflate env=!dontlog
>> CustomLog /var/log/apache2/access_log common env=!dontlog
>>
>> But I still see this IP in my access_log.
>
> If it is the same IP address persistently attacking the server, I would be
> tempted to block it, or the whole /24 subnet it belongs to, at the perimeter
> firewall. Of course, persistent actors will hop off another IP address, so
> there are diminishing returns in this game.

I did block this IP and it is working:
Require not ip 45.93.201.0/24

I hardly resolve to blocking IP from log files, but if they try to ping/access your network 4 or 5 times per second, your log files will tend to grow.
SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog
didn't work.

Just today, from about 7am to 4pm, about 96K pings from this IP.
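Added example, not code from any poster in this thread: a small Python script that parses Common Log Format lines (the "common" format used by the CustomLog above), counts requests per client address, works out each client's peak requests per second, and marks the clients that already fall inside a blocked range, so a burst like the 96K requests described above can be measured from the log rather than estimated. The log lines in it are constructed sample data: 45.93.201.0/24 is the range named in the thread, the other addresses are documentation ranges, and the 4-per-second threshold is a parameter chosen to match the rate quoted above.

```python
"""Triage an Apache access log before deciding what to block.

Added example for this thread; it is not code posted by anyone in it.
It parses Common Log Format lines (the "common" format named in the
CustomLog directives above), counts requests per client address, finds
each client's peak requests per second, and flags clients that already fall
inside a blocked CIDR range, so their lines can be discounted.  The log
lines below are constructed sample data: 45.93.201.0/24 is the range named
in the thread, the other addresses are documentation ranges.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log (not from the thread).  One address fires four
# requests inside the same second, matching the "4 or 5 per second" rate
# described above; the last line is deliberately malformed.
SAMPLE_LOG = """\
45.93.201.104 - - [11/Jan/2021:07:00:01 -0700] "GET / HTTP/1.1" 200 612
45.93.201.104 - - [11/Jan/2021:07:00:01 -0700] "GET /index.html HTTP/1.1" 200 612
45.93.201.104 - - [11/Jan/2021:07:00:01 -0700] "GET /robots.txt HTTP/1.1" 404 196
45.93.201.104 - - [11/Jan/2021:07:00:01 -0700] "GET / HTTP/1.1" 403 199
45.93.201.104 - - [11/Jan/2021:07:00:02 -0700] "GET / HTTP/1.1" 403 199
203.0.113.7 - - [11/Jan/2021:07:00:02 -0700] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [11/Jan/2021:07:00:09 -0700] "GET /about.html HTTP/1.1" 200 887
198.51.100.23 - - [11/Jan/2021:07:00:10 -0700] "GET /favicon.ico HTTP/1.1" 200 318
this line is not in Common Log Format and is skipped
"""


def parse_clf(text):
    """Return (ip, timestamp, status) for every well-formed line; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            entries.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return entries


def peak_rate_per_ip(entries):
    """Most requests seen from one address within a single second.

    CLF timestamps have one-second resolution, so grouping by the raw
    timestamp string is enough for a per-second count."""
    per_second = defaultdict(Counter)
    for ip, ts, _status in entries:
        per_second[ip][ts] += 1
    return {ip: max(counts.values()) for ip, counts in per_second.items()}


def in_blocked_range(ip, blocked_networks):
    """True if the address lies inside any of the given CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocked_networks)


def triage(text, blocked_cidrs, rate_threshold=4):
    """Summarise a log: totals, peak rate, and whether each client is already blocked.

    rate_threshold is the per-second rate at or above which a client is marked
    noisy; the default mirrors the rate quoted in the thread."""
    blocked = [ipaddress.ip_network(c) for c in blocked_cidrs]
    entries = parse_clf(text)
    totals = Counter(ip for ip, _ts, _status in entries)
    peaks = peak_rate_per_ip(entries)
    return {
        ip: {
            "requests": total,
            "peak_per_second": peaks[ip],
            "already_blocked": in_blocked_range(ip, blocked),
            "noisy": peaks[ip] >= rate_threshold,
        }
        for ip, total in totals.items()
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, ["45.93.201.0/24"])
    for ip, info in sorted(report.items(), key=lambda kv: -kv[1]["requests"]):
        print(f"{ip:16} {info}")
```

Run it against a real access_log by reading the file into triage() in place of SAMPLE_LOG; a client that is both "noisy" and "already_blocked" is one whose lines can safely be dropped from the log, while a noisy client that is not yet blocked is the one worth looking at.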
Re: preventing some IPs from being logged in apache
On 1/11/21 5:00 PM, thelma@sys-concept.com wrote:
> On 1/11/21 4:41 PM, Michael wrote:
>> On Monday, 11 January 2021 23:05:55 GMT thelma@sys-concept.com wrote:
>>> I've one persistent user (Russian IP) that is populating my apache log
>>> files.
>>>
>>> I tried 00_mod_log_config.conf
>>>
>>> SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog
>>> CustomLog /var/log/apache2/deflate_log deflate env=!dontlog
>>> CustomLog /var/log/apache2/access_log common env=!dontlog
>>>
>>> But I still see this IP in my access_log.
>>
>> If it is the same IP address persistently attacking the server, I would be
>> tempted to block it, or the whole /24 subnet it belongs to, at the perimeter
>> firewall. Of course, persistent actors will hop off another IP address, so
>> there are diminishing returns in this game.
>
> I did block this IP and it is working
> Require not ip 45.93.201.0/24
>
> I hardly resolve to blocking IP from log files, but if they try to ping/access your network 4 or 5 per second your log files will tend to grow.
> SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog
> didn't work.
>
> Just today from about 7am to 4pm about 96K pings from this IP.

I forgot to mention, my firewall doesn't have any capabilities to enter any configuration in IP tables.
Maybe I'll look for one that does.
Re: preventing some IPs from being logged in apache
--"Fascism begins the moment a ruling class, fearing the people may use their political democracy to gain economic democracy, begins to destroy political democracy in order to retain its power of exploitation and special privilege." Tommy Douglas

Jan 11, 2021, 17:09 by thelma@sys-concept.com:

> On 1/11/21 5:00 PM, thelma@sys-concept.com wrote:
>
>> On 1/11/21 4:41 PM, Michael wrote:
>>
>>> On Monday, 11 January 2021 23:05:55 GMT thelma@sys-concept.com wrote:
>>>
>>>> I've one persistent user (Russian IP) that is populating my apache log
>>>> files.
>>>>
>>>> I tried 00_mod_log_config.conf
>>>>
>>>> SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog
>>>> CustomLog /var/log/apache2/deflate_log deflate env=!dontlog
>>>> CustomLog /var/log/apache2/access_log common env=!dontlog
>>>>
>>>> But I still see this IP in my access_log.
>>>>
>>>
>>> If it is the same IP address persistently attacking the server, I would be
>>> tempted to block it, or the whole /24 subnet it belongs to, at the perimeter
>>> firewall. Of course, persistent actors will hop off another IP address, so
>>> there are diminishing returns in this game.
>>>
>>
>> I did block this IP and it is working
>> Require not ip 45.93.201.0/24
>>
>> I hardly resolve to blocking IP from log files, but if they try to ping/access your network 4 or 5 per second your log files will tend to grow.
>> SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog
>> didn't work.
>>
>> Just today from about 7am to 4pm about 96K pings from this IP.
>>
>
> I forgot to mention, my firewall doesn't have any capabilities to enter any configuration in IP tables.
> Maybe I'll look for one that does.
>
That would be the thing to do. You want everything logged, so you know what is happening. If you blocked the logging, how would you know if they made progress? You want to know when people are trying to break in, and you want to know when their tactics change. Not logging it is like plugging your ears and closing your eyes while the battering ram is pounding your door...
Re: preventing some IPs from being logged in apache
On 1/11/21 9:15 PM, mad.scientist.at.large@tutanota.com wrote:
>
>
> --"Fascism begins the moment a ruling class, fearing the people may use their political democracy to gain economic democracy, begins to destroy political democracy in order to retain its power of exploitation and special privilege." Tommy Douglas
>
>
[snip]

>> I forgot to mention, my firewall doesn't have any capabilities to enter any configuration in IP tables.
>> Maybe I'll look for one that does.
>>
> That would be the thing to do. You want everything logged, so you know what is happening. If you blocked the logging, how would you know if they made progress? You want to know when people are trying to break in, and you want to know when their tactics change. Not logging it is like plugging your ears and closing your eyes while the battering ram is pounding your door...
>

If I blocked the IP already, why would I want to log anything about that IP; they will be denied access regardless.
Re: preventing some IPs from being logged in apache
On Tuesday, January 12, 2021 5:22:20 AM CET thelma@sys-concept.com wrote:
> On 1/11/21 9:15 PM, mad.scientist.at.large@tutanota.com wrote:
> > --"Fascism begins the moment a ruling class, fearing the people may use
> > their political democracy to gain economic democracy, begins to destroy
> > political democracy in order to retain its power of exploitation and
> > special privilege." Tommy Douglas
> [snip]
>
> >> I forgot to mention, my firewall doesn't have any capabilities to enter
> >> any configuration in IP tables. Maybe I'll look for one that does.
> >
> > That would be the thing to do. You want everything logged, so you know
> > what is happening. If you blocked the logging how would you know if they
> > made progress. You want to know when people are trying to break in, and
> > you want to know when their tactics change. Not logging it is like
> > plugging your ears and closing your eyes while the battering ram is
> > pounding your door...
> If I blocked the IP already, why would I want to log anything about that IP;
> they will be denied access regardless.

If you blocked the IP in the firewall, it shouldn't show in the log.

Add iptables to the webserver and block that IP.
Personally, I would block the whole range (45.93.201.0/24), which is either
linked to Cyprus or Russia (according to whois).

Any block in the apache-config might fail due to a bug or new configuration.

--
Joost
Re: preventing some IPs from being logged in apache
On 1/11/21 11:32 PM, J. Roeleveld wrote:
[snip]
> If you blocked the IP in the firewall, it shouldn't show in the log.
>
> Add iptables to the webserver and block that IP.
> Personally, I would block the whole range (45.93.201.0/24), which is either
> linked to Cyprus or Russia (according to whois).
>
> Any block in the apache-config might fail due to a bug or new configuration.
>
> --
> Joost

Asus routers don't have capabilities to block external IPs (I need to find a better router).
Blocking that IP range in apache works, all the IPs I blocked are getting 403 errors (regardless of what they type),
but you might be right, apache 2.4
SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog (does not work).

I wish they designed blocking by country to be easier.
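As an added example, not configuration from anyone in this thread: a Gentoo-style layout in which the dontlog variable is set once in 00_mod_log_config.conf, the same env= condition is repeated on the virtual host's own CustomLog, and the range is denied inside a RequireAll block. Two things the thread runs into are written into the comments: a CustomLog inside a VirtualHost replaces the main server's log for that host, so a condition that sits only on the top-level CustomLog has no effect on requests the vhost logs itself, and a request that Require rejects with 403 is still written to the access log, so denying access does not by itself stop the lines. The vhost file name, ServerName and DocumentRoot are assumptions; 45.93.201.0/24 is the range named in the thread, and mod_setenvif is assumed to be loaded.

```apache
# Added example for this thread (not a poster's configuration).
# Assumes a Gentoo-style layout: conditional logging set up in
# /etc/apache2/modules.d/00_mod_log_config.conf and the site defined in a
# separate vhost file.  45.93.201.0/24 is the range named in the thread.

# --- 00_mod_log_config.conf ---
# Set the variable once for the whole server.  SetEnvIf regexes are
# unanchored, so the leading ^ matters; matching the first three octets
# covers the whole /24 rather than one address.
<IfModule log_config_module>
    SetEnvIf Remote_Addr "^45\.93\.201\." dontlog
    CustomLog /var/log/apache2/access_log common env=!dontlog
</IfModule>

# --- vhosts.d/00_default_vhost.conf (file name assumed) ---
<VirtualHost *:80>
    ServerName www.example.com            # placeholder
    DocumentRoot /var/www/localhost/htdocs

    # A CustomLog inside a <VirtualHost> replaces the main server's log
    # for this host, so the env= condition must be repeated here.  Leaving
    # it off is the usual reason a top-level SetEnvIf "does not work":
    # the variable is set, but this CustomLog never looks at it.
    CustomLog /var/log/apache2/access_log common env=!dontlog

    <Directory /var/www/localhost/htdocs>
        # Apache 2.4 access control: deny the range, allow everyone else.
        # Negated Require directives are not permitted inside RequireAny,
        # which is what bare Require lines are treated as, so the negation
        # is wrapped in <RequireAll> together with a positive rule.
        #
        # Note: a request denied here gets a 403 but is still passed to
        # mod_log_config, so without the env=!dontlog above (or a firewall
        # drop) every rejected request still produces a log line.
        <RequireAll>
            Require all granted
            Require not ip 45.93.201.0/24
        </RequireAll>
    </Directory>
</VirtualHost>
```

After changing the configuration, run "apache2ctl configtest" (the Gentoo name is apache2ctl) before reloading; a negated Require outside a RequireAll block is reported at that stage as a configuration error rather than failing silently.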
Re: preventing some IPs from being logged in apache
On 12 January 2021 18:11:34 CET, thelma@sys-concept.com wrote:
>On 1/11/21 11:32 PM, J. Roeleveld wrote:
>[snip]
>> If you blocked the IP in the firewall, it shouldn't show in the log.
>>
>> Add iptables to the webserver and block that IP.
>> Personally, I would block the whole range (45.93.201.0/24), which is either
>> linked to Cyprus or Russia (according to whois).
>>
>> Any block in the apache-config might fail due to a bug or new configuration.
>>
>> --
>> Joost
>
>Asus routers don't have capabilities to block external IPs (I need to
>find a better router).
>Blocking that IP range in apache works, all the IPs I blocked are
>getting 403 errors (regardless of what they type),
>but you might be right, apache 2.4
> SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog (does not work).
>
>I wish they designed blocking by country to be easier.

Asus routers do allow blocking IPs, but it might be less than ideal.

I would add a firewall to your webserver and block the full ranges using that. Any bug in apaches blocking WILL leave you open to a hack.

--
Joost
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: preventing some IPs from being logged in apache
On 12/01/2021 17:11, thelma@sys-concept.com wrote:
> I wish they designed blocking by country to be easier.

Unfortunately, with IPv4 in particular, blocking by country is pretty much
impossible because, due to demand pressure, addresses are scattered
pretty much randomly.

Especially with class A or B addresses, they might belong to a
multi-national and be scattered all over the world, subnets might have
been sold off, the rich world has bought a lot of addresses from the
poor world, hacks might originate in country A but be carried out from a
hijacked system in country B. Etc etc.

All these protocols etc originated in a much kinder era, and aren't
designed to withstand abuse.

Cheers,
Wol