Re: [Zope] blacklisting referers and/or specific hosts

2005-07-04 Thread Tim Hicks 
David Pratt wrote:
> Hi Tim.  I think what Jens has to say is the best solution. I have also
> made my own thing with zope as well since I don't always have control
> of the firewall.

Yes, this is the problem I have.  I'm hosted on zettai, so am a little
limited in the options available to me (I believe).  Zettai have said they
will have a solution in place within 2-3 months, but I'd really like to
sort something out in the meantime.

>  I worked out a simple ip and country-ip solution. I
> made a simple interface for adding ips to a black list or selecting
> countries to add to black list. The logic makes a final connection to
> my main site template so ips in black list or ip turning out to be from
> a black listed country get nothing but an empty page (including an
> empty page header) while those that I want to view my site will get
> rendered pages.  I use a county-ip database that gets updated once per
> week (about 50,000 records) representing ranges from all countries.

Blimey, 50,000 records sounds pretty heavy (for my purposes)!  As far as I
can tell, there are two or three IP addresses producing all of these pesky
requests.  Do you have code that you can share?

Tim
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] blacklisting referers and/or specific hosts

2005-07-03 Thread David Pratt 
Hi Tim.  I think what Jens has to say is the best solution. I have also 
made my own thing with zope as well since I don't always have control 
of the firewall.  I worked out a simple ip and country-ip solution. I 
made a simple interface for adding ips to a black list or selecting 
countries to add to black list. The logic makes a final connection to 
my main site template so ips in black list or ip turning out to be from 
a black listed country get nothing but an empty page (including an 
empty page header) while those that I want to view my site will get 
rendered pages.  I use a county-ip database that gets updated once per 
week (about 50,000 records) representing ranges from all countries.


I think is is becoming clearer that many of the threats on the Net come 
not only come from specific ips but specific countries as well.
To me, blacklisting and filtering those who see your site based on ip 
or ip ranges is just a little more risk management and less expense on 
bandwidth for those you don't want to invite in.  As Yens has pointed 
out, it would be best to stop this at the firewall if you can.  This 
may not be possible based on how you are serving your sites as in a 
hosted arrangement.  My feeling is that if someone is visiting (by 
looking at your site or sending a robot) it may deter some if they are 
seeing or collecting nothing. But it would do little for those sniffing 
for the server you are running and testing purely to see that your 
alive for some future exploit attempt.


Regards
David

On Sunday, July 3, 2005, at 04:05 PM, Tim Hicks wrote:


Hi,

I have a zope site up and running which has recently had a *lots* of 
hits

from a client (or clients) that show referers pointing at various
gambling, meds, and loan sites.  Requests only come in for the main 
page,

not for the associated images, css, etc that should go with it.

The consequence is that my server is working harder to service a client
that isn't interested in what it has to say, and my Z2.log is now far 
less

useful to me as all these bogus requests drown out most of the useful
information.

So, I'm wondering if there's a way to blacklist those clients that I 
don't

like based on host/ip and/or on referer.

If I hook into the traversal process in the same way as the virtual 
host

monster objects do, could I check the request against my blacklist and
then do a REQUEST.close()?  Would that still appear in my logs?  Does 
that

even make sense?  Is there a HTTP response code that I could return to
these clients that would stop them being interested in my server?

Any ideas much appreciated.

Tim
___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://mail.zope.org/mailman/listinfo/zope-announce
 http://mail.zope.org/mailman/listinfo/zope-dev )


___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )

Re: [Zope] blacklisting referers and/or specific hosts

2005-07-03 Thread Jens Vagelpohl 


On 3 Jul 2005, at 20:05, Tim Hicks wrote:
So, I'm wondering if there's a way to blacklist those clients that  
I don't

like based on host/ip and/or on referer.


If there is a set of distinguishable IPs/hosts, then use a tool that  
was *made* for that purpose such as a firewalling/filtering tool  
(IPTables, IPChains, fw, etc) and not Zope.


jens

___
Zope maillist  -  Zope@zope.org
http://mail.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
http://mail.zope.org/mailman/listinfo/zope-announce

http://mail.zope.org/mailman/listinfo/zope-dev )