Re: [Dspace-tech] Blocking a malicious user
Hi Sue,
pg_hba.conf only controls who can communicate with Postgres, not who can
communicate with DSpace.
Normally it is only 'applications' (e.g. DSpace) that talk to Postgres,
not users.
A user talks to DSpace, who in turn talks to Postgres. Postgres has no
idea or interest in the IP address of the user who is using DSpace, only
that of the DSpace application.
Therefore adding malicious IP address into that config file will sadly
have no effect. You have to block users higher in the stack, either at
the application level (apache or tomcat directives), or at the network
level (firewall changes).
Thanks,
Stuart
_
Gwasanaethau Gwybodaeth Information Services
Prifysgol Aberystwyth Aberystwyth University
E-bost / E-mail: [EMAIL PROTECTED]
Ffon / Tel: (01970) 622860
_
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Thornton, Susan M. (LARC-B702)[NCI INFORMATION SYSTEMS]
Sent: 31 October 2007 17:51
To: Mika Stenberg; dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Blocking a malicious user
You can block ip addresses at the postgreSQL level in the pg_hba.conf
file. Here is a person I blocked by ip address who was sending all
kinds of GET requests to our DSpace server:
hostall all malicious.ip255.255.255.255
reject
Sue Walker-Thornton
NASA Langley Research Center
ConITS Contract
757-224-4074
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mika
Stenberg
Sent: Wednesday, October 31, 2007 6:00 AM
To: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Blocking a malicious user
We've had problems like that as well. Blocking specific IP's works only
for
a while since many bots and spammers seem to change their IP frequently.
We
didnt come up with a decent solution for this, but blocking an entire
country of origin for a period of time has been on my mind. Managing the
allowed requests / timeslot for a specific IP might also do the trick.
-Mika
If they're nasty enough, though, they'll drown your Apache or Tomcat
server in replying with 403s. I've had times that I needed to be
absolutely merciless and block at the firewall level, using iptables;
then they don't even get as far as userspace.
On Tue, 2007-10-30 at 14:01 -0500, Tim Donohue wrote:
George,
We had a similar problem to this one in the past (a year or so ago).
I
just flat out blocked the IP altogether (not even specific to
/bitstream/) via this Apache configuration:
Location /
Order Allow,Deny
Deny from {malicious ip}
Allow from all
/Location
This looks similar to your config though (except it blocks all
access
from that IP).
- Tim
George Kozak wrote:
Hi...
I am having a problem with an IP that keeps sending thousands of
GET
/bitstream/... requests for the same item.
I have placed the following in my Apache.conf file:
Directory /bitstream/
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
deny from {malicious ip}
/Directory
I also placed the following in my server.xml in Tomcat:
Valve className=org.apache.catalina.valves.RemoteAddrValve
deny=xxx\.xxx\.xxx\.xx /
However, this person still seems to be getting through. My java
process is running from 50%-80% CPU usage. Does anyone have a
good
idea on how to shutout a malicious IP in DSpace?
***
George Kozak
Coordinator
Web Development and Management
Digital Media Group
501 Olin Library
Cornell University
607-255-8924
***
[EMAIL PROTECTED]
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a
browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a
browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
Re: [Dspace-tech] Blocking a malicious user
It has an effect if your Postgres instance isn't blocked at the
firewall, and people are actually trying to access it. Which they will,
unless you block them. As I said, probably much safer to block at the
firewall level--better protection from DOS as well.
On Thu, 2007-11-01 at 08:51 +, Stuart Lewis [sdl] wrote:
Hi Sue,
pg_hba.conf only controls who can communicate with Postgres, not who can
communicate with DSpace.
Normally it is only 'applications' (e.g. DSpace) that talk to Postgres,
not users.
A user talks to DSpace, who in turn talks to Postgres. Postgres has no
idea or interest in the IP address of the user who is using DSpace, only
that of the DSpace application.
Therefore adding malicious IP address into that config file will sadly
have no effect. You have to block users higher in the stack, either at
the application level (apache or tomcat directives), or at the network
level (firewall changes).
Thanks,
Stuart
_
Gwasanaethau Gwybodaeth Information Services
Prifysgol Aberystwyth Aberystwyth University
E-bost / E-mail: [EMAIL PROTECTED]
Ffon / Tel: (01970) 622860
_
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Thornton, Susan M. (LARC-B702)[NCI INFORMATION SYSTEMS]
Sent: 31 October 2007 17:51
To: Mika Stenberg; dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Blocking a malicious user
You can block ip addresses at the postgreSQL level in the pg_hba.conf
file. Here is a person I blocked by ip address who was sending all
kinds of GET requests to our DSpace server:
hostall all malicious.ip255.255.255.255
reject
Sue Walker-Thornton
NASA Langley Research Center
ConITS Contract
757-224-4074
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mika
Stenberg
Sent: Wednesday, October 31, 2007 6:00 AM
To: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Blocking a malicious user
We've had problems like that as well. Blocking specific IP's works only
for
a while since many bots and spammers seem to change their IP frequently.
We
didnt come up with a decent solution for this, but blocking an entire
country of origin for a period of time has been on my mind. Managing the
allowed requests / timeslot for a specific IP might also do the trick.
-Mika
If they're nasty enough, though, they'll drown your Apache or Tomcat
server in replying with 403s. I've had times that I needed to be
absolutely merciless and block at the firewall level, using iptables;
then they don't even get as far as userspace.
On Tue, 2007-10-30 at 14:01 -0500, Tim Donohue wrote:
George,
We had a similar problem to this one in the past (a year or so ago).
I
just flat out blocked the IP altogether (not even specific to
/bitstream/) via this Apache configuration:
Location /
Order Allow,Deny
Deny from {malicious ip}
Allow from all
/Location
This looks similar to your config though (except it blocks all
access
from that IP).
- Tim
George Kozak wrote:
Hi...
I am having a problem with an IP that keeps sending thousands of
GET
/bitstream/... requests for the same item.
I have placed the following in my Apache.conf file:
Directory /bitstream/
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
deny from {malicious ip}
/Directory
I also placed the following in my server.xml in Tomcat:
Valve className=org.apache.catalina.valves.RemoteAddrValve
deny=xxx\.xxx\.xxx\.xx /
However, this person still seems to be getting through. My java
process is running from 50%-80% CPU usage. Does anyone have a
good
idea on how to shutout a malicious IP in DSpace?
***
George Kozak
Coordinator
Web Development and Management
Digital Media Group
501 Olin Library
Cornell University
607-255-8924
***
[EMAIL PROTECTED]
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a
browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
Re: [Dspace-tech] Blocking a malicious user
It's probably worth saying that if you run postgres and dspace on the
same server, you can completely block postgres at the firewall
(iptables) level.
On Wed, 2007-10-31 at 12:51 -0500, Thornton, Susan M. (LARC-B702)[NCI
INFORMATION SYSTEMS] wrote:
You can block ip addresses at the postgreSQL level in the pg_hba.conf
file. Here is a person I blocked by ip address who was sending all
kinds of GET requests to our DSpace server:
hostall all malicious.ip255.255.255.255
reject
Sue Walker-Thornton
NASA Langley Research Center
ConITS Contract
757-224-4074
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mika
Stenberg
Sent: Wednesday, October 31, 2007 6:00 AM
To: dspace-tech@lists.sourceforge.net
Subject: Re: [Dspace-tech] Blocking a malicious user
We've had problems like that as well. Blocking specific IP's works only
for
a while since many bots and spammers seem to change their IP frequently.
We
didnt come up with a decent solution for this, but blocking an entire
country of origin for a period of time has been on my mind. Managing the
allowed requests / timeslot for a specific IP might also do the trick.
-Mika
If they're nasty enough, though, they'll drown your Apache or Tomcat
server in replying with 403s. I've had times that I needed to be
absolutely merciless and block at the firewall level, using iptables;
then they don't even get as far as userspace.
On Tue, 2007-10-30 at 14:01 -0500, Tim Donohue wrote:
George,
We had a similar problem to this one in the past (a year or so ago).
I
just flat out blocked the IP altogether (not even specific to
/bitstream/) via this Apache configuration:
Location /
Order Allow,Deny
Deny from {malicious ip}
Allow from all
/Location
This looks similar to your config though (except it blocks all
access
from that IP).
- Tim
George Kozak wrote:
Hi...
I am having a problem with an IP that keeps sending thousands of
GET
/bitstream/... requests for the same item.
I have placed the following in my Apache.conf file:
Directory /bitstream/
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
deny from {malicious ip}
/Directory
I also placed the following in my server.xml in Tomcat:
Valve className=org.apache.catalina.valves.RemoteAddrValve
deny=xxx\.xxx\.xxx\.xx /
However, this person still seems to be getting through. My java
process is running from 50%-80% CPU usage. Does anyone have a
good
idea on how to shutout a malicious IP in DSpace?
***
George Kozak
Coordinator
Web Development and Management
Digital Media Group
501 Olin Library
Cornell University
607-255-8924
***
[EMAIL PROTECTED]
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a
browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a
browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https
[Dspace-tech] Blocking a malicious user
Hi...
I am having a problem with an IP that keeps sending thousands of GET
/bitstream/... requests for the same item.
I have placed the following in my Apache.conf file:
Directory /bitstream/
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
deny from {malicious ip}
/Directory
I also placed the following in my server.xml in Tomcat:
Valve className=org.apache.catalina.valves.RemoteAddrValve
deny=xxx\.xxx\.xxx\.xx /
However, this person still seems to be getting through. My java
process is running from 50%-80% CPU usage. Does anyone have a good
idea on how to shutout a malicious IP in DSpace?
***
George Kozak
Coordinator
Web Development and Management
Digital Media Group
501 Olin Library
Cornell University
607-255-8924
***
[EMAIL PROTECTED]
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
Re: [Dspace-tech] Blocking a malicious user
On Tue, 2007-10-30 at 14:32 -0400, George Kozak wrote: However, this person still seems to be getting through. My java process is running from 50%-80% CPU usage. Does anyone have a good idea on how to shutout a malicious IP in DSpace? I believe your configuration changes should be sufficient to prevent access if you restarted/reloaded your daemons and did not have override restriction directives in place on higher level directories. On our Linux systems, we attempt to throttle such users with Apache's mod_cband. Mark Diggory has created a bot class that we regularly add crawlers that do not respect our robots.txt directives to. For truly malevolent clients, I drop the route to their machine, or network, on our production system preventing us from sending the packets back to them that are necessary to create any connections: bash# route add -host xxx.xxx.xxx.xxx reject bash# route add -net xxx.xxx.xxx.0 netmask 255.255.255.0 reject You'd need to add such routing changes to the appropriate boot scripts for your Linux distribution to make them persistent. - VAB - V. Alex Brennen [EMAIL PROTECTED] UNIX Systems Administrator MIT Librariesx3-9327 signature.asc Description: This is a digitally signed message part - This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now http://get.splunk.com/___ DSpace-tech mailing list DSpace-tech@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dspace-tech
Re: [Dspace-tech] Blocking a malicious user
George,
We had a similar problem to this one in the past (a year or so ago). I
just flat out blocked the IP altogether (not even specific to
/bitstream/) via this Apache configuration:
Location /
Order Allow,Deny
Deny from {malicious ip}
Allow from all
/Location
This looks similar to your config though (except it blocks all access
from that IP).
- Tim
George Kozak wrote:
Hi...
I am having a problem with an IP that keeps sending thousands of GET
/bitstream/... requests for the same item.
I have placed the following in my Apache.conf file:
Directory /bitstream/
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
deny from {malicious ip}
/Directory
I also placed the following in my server.xml in Tomcat:
Valve className=org.apache.catalina.valves.RemoteAddrValve
deny=xxx\.xxx\.xxx\.xx /
However, this person still seems to be getting through. My java
process is running from 50%-80% CPU usage. Does anyone have a good
idea on how to shutout a malicious IP in DSpace?
***
George Kozak
Coordinator
Web Development and Management
Digital Media Group
501 Olin Library
Cornell University
607-255-8924
***
[EMAIL PROTECTED]
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
--
Tim Donohue
Research Programmer, Illinois Digital Environment for
Access to Learning and Scholarship (IDEALS)
135 Grainger Engineering Library
University of Illinois at Urbana-Champaign
email: [EMAIL PROTECTED]
web: http://www.ideals.uiuc.edu
phone: (217) 333-4648
fax: (217) 244-7764
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
Re: [Dspace-tech] Blocking a malicious user
Tim:
Thanks. I will give that a try. I thought that I had this nailed,
but I just shot up to 80% CPU usage again.
At 03:01 PM 10/30/2007, Tim Donohue wrote:
George,
We had a similar problem to this one in the past (a year or so
ago). I just flat out blocked the IP altogether (not even specific
to /bitstream/) via this Apache configuration:
Location /
Order Allow,Deny
Deny from {malicious ip}
Allow from all
/Location
This looks similar to your config though (except it blocks all
access from that IP).
- Tim
George Kozak wrote:
Hi...
I am having a problem with an IP that keeps sending thousands of
GET /bitstream/... requests for the same item.
I have placed the following in my Apache.conf file:
Directory /bitstream/
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
deny from {malicious ip}
/Directory
I also placed the following in my server.xml in Tomcat:
Valve className=org.apache.catalina.valves.RemoteAddrValve
deny=xxx\.xxx\.xxx\.xx /
However, this person still seems to be getting through. My java
process is running from 50%-80% CPU usage. Does anyone have a good
idea on how to shutout a malicious IP in DSpace?
***
George Kozak
Coordinator
Web Development and Management
Digital Media Group
501 Olin Library
Cornell University
607-255-8924
***
[EMAIL PROTECTED]
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
--
Tim Donohue
Research Programmer, Illinois Digital Environment for
Access to Learning and Scholarship (IDEALS)
135 Grainger Engineering Library
University of Illinois at Urbana-Champaign
email: [EMAIL PROTECTED]
web: http://www.ideals.uiuc.edu
phone: (217) 333-4648
fax: (217) 244-7764
***
George Kozak
Coordinator
Web Development and Management
Digital Media Group
501 Olin Library
Cornell University
607-255-8924
***
[EMAIL PROTECTED]
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
Re: [Dspace-tech] Blocking a malicious user
Thanks, Corey...
I discussed the firewall with our IT people, but for now, it looks
like (keeping my fingers crossed) that the last change that I made
(that was suggested by Tim) seems to be working. However, if I get
clobbered again, I will probably go with the firewall block.
At 03:14 PM 10/30/2007, Cory Snavely wrote:
If they're nasty enough, though, they'll drown your Apache or Tomcat
server in replying with 403s. I've had times that I needed to be
absolutely merciless and block at the firewall level, using iptables;
then they don't even get as far as userspace.
On Tue, 2007-10-30 at 14:01 -0500, Tim Donohue wrote:
George,
We had a similar problem to this one in the past (a year or so ago). I
just flat out blocked the IP altogether (not even specific to
/bitstream/) via this Apache configuration:
Location /
Order Allow,Deny
Deny from {malicious ip}
Allow from all
/Location
This looks similar to your config though (except it blocks all access
from that IP).
- Tim
George Kozak wrote:
Hi...
I am having a problem with an IP that keeps sending thousands of GET
/bitstream/... requests for the same item.
I have placed the following in my Apache.conf file:
Directory /bitstream/
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
deny from {malicious ip}
/Directory
I also placed the following in my server.xml in Tomcat:
Valve className=org.apache.catalina.valves.RemoteAddrValve
deny=xxx\.xxx\.xxx\.xx /
However, this person still seems to be getting through. My java
process is running from 50%-80% CPU usage. Does anyone have a good
idea on how to shutout a malicious IP in DSpace?
***
George Kozak
Coordinator
Web Development and Management
Digital Media Group
501 Olin Library
Cornell University
607-255-8924
***
[EMAIL PROTECTED]
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
***
George Kozak
Coordinator
Web Development and Management
Digital Media Group
501 Olin Library
Cornell University
607-255-8924
***
[EMAIL PROTECTED]
-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now http://get.splunk.com/
___
DSpace-tech mailing list
DSpace-tech@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dspace-tech
