Re: [obsdfr-misc] Besoin de conseil pour attaques contre Apache

[Jérôme Desquilbet <jerome AT desquilbet POINT org>]

OK merci beaucoup je vais essayer ça. Et je me rends compte que cette 
question avait déjà été posée ici récemment, désolé pour le bruit...
  J.

Cédric THIBAULT a écrit :
> Sinon, pense à utiliser ton firewall Packet Filter qui peut par exemple
> réduire le nombre de connexions simultanées sur ton serveur WEB :
>
> http://www.openbsd.org/faq/pf/filter.html#stateopts
>
> L'exemple fourni dans la FAQ devrait t'aider...
>
> 2007/9/6, Jérôme Desquilbet <jerome AT desquilbet POINT org>:
> > Bonjour,
> > Tout d'abord, merci pour l'aide apportée concernant les serveurs proxy
> > Apache (ma question précédente d'il y a quelques temps).
> > J'ai un problème, qui doit être connu, mais j'apprends :-) Mon serveur
> > web rame, et c'est pas étonnant quand on voit ce qu'Apache subit en
> > permanence. Extrait ci-dessous de /var/www/logs/access_log.
> > Comment on fait pour éliminer ces machins (attaques?) ?
> > Merci par avance,
> >    Jérôme.
> >
> > 77.70.106.4 - - [05/Sep/2007:12:27:15 +0200] "POST
> > http://www.volgafitness.ru:80/forum/forum/quick_reply HTTP/1.0" 500 452
> > 77.70.106.4 - - [05/Sep/2007:12:27:16 +0200] "POST
> > http://www.truemajority.org:80/pigmobileblog/wp-comments-post.php
> > HTTP/1.0" 302 0
> > 85.141.204.52 - - [05/Sep/2007:12:27:16 +0200] "CONNECT
> > login.icq.com:443 HTTP/1.0" 200 -
> > 204.13.169.5 - - [05/Sep/2007:12:27:16 +0200] "POST
> > http://robpromotions.com/cgi-bin/wwwboard.pl HTTP/1.1" 500 547
> > 89.149.226.59 - - [05/Sep/2007:12:27:17 +0200] "GET
> >
> > http://www.cyberlink.com.np/consultancy/nepal/26/1732/software_consultancy.htm
> > HTTP/1.0" 200 2894
> > 204.13.169.4 - - [05/Sep/2007:12:27:17 +0200] "POST
> > http://maverickpublishing.com/cgi-bin/wwwboard.pl HTTP/1.1" 404 513
> > 89.149.226.32 - - [05/Sep/2007:12:27:17 +0200] "POST
> > http://www.asiapacific.com.my/bintang/ardguest.php HTTP/1.0" 200 201
> > 204.13.169.16 - - [05/Sep/2007:12:27:17 +0200] "POST
> > http://cyberboxingzone.com/cgi-cyberboxingzone/wwwboard.pl HTTP/1.1" 404
> > 133
> > 91.90.39.106 - - [05/Sep/2007:12:27:17 +0200] "CONNECT
> > 205.188.179.233:443 HTTP/1.0" 200 -
> > 84.22.28.117 - - [05/Sep/2007:12:27:17 +0200] "CONNECT login.icq.com:443
> > HTTP/1.0" 200 -
> > 72.232.127.226 - - [05/Sep/2007:12:27:17 +0200] "GET
> > http://www.tomorrows-hope.com/bbs/messages/348.html HTTP/1.1" 404 421
> > 80.32.170.121 - - [05/Sep/2007:12:27:18 +0200] "CONNECT
> > login.icq.com:443 HTTP/1.0" 200 -
> > 72.232.110.10 - - [05/Sep/2007:12:27:18 +0200] "GET
> > http://www.stern.nyu.edu/ei/bb/smatch/messages/2502.html HTTP/1.1" 403 352
> > 72.232.198.98 - - [05/Sep/2007:12:27:18 +0200] "POST
> > http://www.srz-access.com/asp/comment/admemo.asp HTTP/1.1" 302 159
> > 135.196.218.81 - - [05/Sep/2007:12:27:18 +0200] "GET
> > http://www.autoeurope.com/choosehome.cfm?homecountry= HTTP/1.1" 200 22660
> > 67.154.13.50 - - [05/Sep/2007:12:27:19 +0200] "CONNECT
> > 205.188.179.233:443 HTTP/1.0" 200 -
> > 204.15.73.171 - - [05/Sep/2007:12:27:19 +0200] "POST
> > http://www.maggiesgarden.com/cgi-bin/discus/board-post.cgi HTTP/1.1" 200
> > 6072
> > 77.70.106.4 - - [05/Sep/2007:12:27:19 +0200] "POST
> >
> > http://www.majster.si:80/index.php?option=com_joomlaboard&amp;Itemid=26&amp;func=post
> > HTTP/1.0" 200 10562
> > 222.141.201.109 - - [05/Sep/2007:12:27:19 +0200] "GET
> >
> > http://xml.nbcsearch.com/xml.php?Terms=dealer&strict=1&affiliate=GG125kk&IP=88.191.57.243
> > HTTP/1.0" 200 137
> > 123.8.230.217 - - [05/Sep/2007:12:27:19 +0200] "GET
> > http://www.vueling.com/skylights/js/SB/login.js HTTP/1.0" 200 1410
> > 72.232.185.146 - - [05/Sep/2007:12:27:19 +0200] "POST
> > http://fringsonair.de/cgi-bin/megabook/signgbook.cgi HTTP/1.1" 404 619
> > 123.217.57.155 - - [05/Sep/2007:12:27:19 +0200] "GET
> > http://www.mmaaxx.com/table/dx/affiliateNumber.txt HTTP/1.0" 404 1191
> > 72.36.194.202 - - [05/Sep/2007:12:27:19 +0200] "GET
> >
> > http://buzz.typo3.org/people/daniel/article/whats-so-special-about-t3board08/
> > HTTP/1.0" 200 15200
> > 77.70.106.4 - - [05/Sep/2007:12:27:19 +0200] "POST
> > http://myblog.es:80/butal/gb HTTP/1.0" 200 0
> > 77.70.106.4 - - [05/Sep/2007:12:27:20 +0200] "POST
> > http://sweb.gen.go.kr:80/~ks1780/bbs/write_ok.php HTTP/1.0" 200 8525
> > 216.32.68.242 - - [05/Sep/2007:12:27:20 +0200] "POST
> > http://www.lisamulvey.com/gallery/main.php HTTP/1.1" 200 987
> > 88.231.125.226 - - [05/Sep/2007:12:27:20 +0200] "GET
> > http://f13.member.ird.yahoo.com/config/isp_verify_user?&l=_1X2X3_&p=123456
> > HTTP/1.0" 999 4707
> > 65.94.166.201 - - [05/Sep/2007:12:27:20 +0200] "GET
> >
> > http://www.business.com/search/rslt_default.asp?query=discounted+cash+flow+formula
> > HTTP/1.0" 200 52659
> > 60.35.116.177 - - [05/Sep/2007:12:27:20 +0200] "GET
> > http://ranks1.apserver.net/share/in.php?u=gekiganr&id=sirotohh HTTP/1.0"
> > 302 0
> > 72.36.178.130 - - [05/Sep/2007:12:27:20 +0200] "POST
> > http://secondhand.holy.jp/rayboard/rayboard.cgi HTTP/1.1" 200 1825
> > 72.232.110.106 - - [05/Sep/2007:12:27:20 +0200] "POST
> > http://www.maggiesgarden.com/cgi-bin/discus/board-post.cgi HTTP/1.1" 200
> > 6042
> > 218.28.117.118 - - [05/Sep/2007:12:27:20 +0200] "GET
> > http://it-secure-x.de/cgi-bin/proxytest.pl HTTP/1.0" 301 321
> > 121.15.81.78 - - [05/Sep/2007:12:27:20 +0200] "GET
> >
> > http://www.burstnet.com/cgi-bin/ads/ad13918a.cgi/v=2.2S/sz=468x60A|728x90A/91951/NF/RETURN-CODE/JS/
> > HTTP/1.0" 200 244
> > 85.141.204.52 - - [05/Sep/2007:12:27:20 +0200] "CONNECT
> > login.icq.com:443 HTTP/1.0" 200 -
> > 222.89.224.162 - - [05/Sep/2007:12:27:20 +0200] "GET
> >
> > http://partner1.kanoodle.com/cgi-bin/partner.cgi?query=Espresso&numresults=10&id=85413804&format=xml5&searchip=88.191.57.243
> > HTTP/1.1" 200 326
> > 67.134.197.187 - - [05/Sep/2007:12:27:20 +0200] "GET
> >
> > http://ads.adbrite.com/adserver/display_iab_ads.php?sid=400193&title_color=0000FF&text_color=000000&background_color=FFFFFF&border_color=FFFFFF&zs=&width=468&height=60
> > HTTP/1.1" 200 4601
> > 72.232.234.146 - - [05/Sep/2007:12:27:20 +0200] "POST
> >
> > http://forum.guestbook.com.tw/b2/posting.php?mforum=kr&sid=50ccb507f5e4244a864c80ab0447af50
> > HTTP/1.1" 302 5
> > 77.70.106.4 - - [05/Sep/2007:12:27:20 +0200] "POST
> >
> > http://www.mobtex.net:80/bon-jovi/livin'-on-a-prayer/mobile-phone-karaoke-200676/comments
> > HTTP/1.0" 301 0
> > 66.148.176.50 - - [05/Sep/2007:12:27:20 +0200] "CONNECT
> > login.icq.com:443 HTTP/1.0" 200 -
> > 72.232.110.42 - - [05/Sep/2007:12:27:20 +0200] "POST
> > http://boards.louisianashowpig.com/cgi-bin/wwwboard.pl HTTP/1.1" 200 3664
> > 204.13.169.5 - - [05/Sep/2007:12:27:20 +0200] "POST
> > http://www-lat.compression.ru/cgi-bin/wwwboard.pl HTTP/1.1" 302 443
> > 75.37.103.134 - - [05/Sep/2007:12:27:20 +0200] "CONNECT
> > login.icq.com:443 HTTP/1.0" 200 -
> > 204.15.77.102 - - [05/Sep/2007:12:27:20 +0200] "POST
> > http://www.bizzerly.co.uk/cgi-bin/board/board.pl HTTP/1.1" 404 343
> > 80.32.170.121 - - [05/Sep/2007:12:27:21 +0200] "CONNECT
> > login.icq.com:443 HTTP/1.0" 200 -
> > 89.149.226.32 - - [05/Sep/2007:12:27:21 +0200] "GET
> >
> > http://www.armagh.gov.uk/searchzoom.php?zoom_query=Search&submit.x=0&submit.y=0&zoom_per_page=10&zoom_and=0&zoom_sort=0
> > HTTP/1.0" 200 3945
> > 77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST
> > http://www.lannaworld.com:80/cgi/lannaboard/add_reply.php?id=54736
> > HTTP/1.0" 200 24
> > 222.141.201.109 - - [05/Sep/2007:12:27:21 +0200] "GET
> > http://www.ebuysearch.com/prxjdg.cgi HTTP/1.0" 404 1308
> > 77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST
> > http://minihome.prayfar.net:80/index.php? HTTP/1.0" 302 0
> > 89.149.226.32 - - [05/Sep/2007:12:27:21 +0200] "POST
> > http://hockey.kulichki.com/comments1.php HTTP/1.0" 200 90
> > 219.238.133.130 - - [05/Sep/2007:12:27:21 +0200] "GET
> >
> > http://mccannafa7.allyes.com/main/adfclick?user=MccannAfa7|Microsoft_FY08Q1_LinuxCompete_TT|cio_fullcolumn&db=mccannafa7&log=on&ip=88.191.57.243&bid=2477&cid=94792&sid=2380&exp1=-820026635&exp2=7582022100&cache=787058&url=http://clk.atdmt.com/MCH/go/tchtacii0010000030mch/direct/01/&`
> > HTTP/1.1" 302 5
> > 77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST
> > http://www2u.biglobe.ne.jp:80/~miyosino/sbu2_bbs/sbu2_bbs_r.cgi
> > HTTP/1.0" 200 603
> > 222.141.201.109 - - [05/Sep/2007:12:27:21 +0200] "GET
> >
> > http://xml.nbcsearch.com/xml.php?Terms=Air+Travel&affiliate=stockm&IP=88.191.57.243
> > HTTP/1.0" 200 141
> > 204.9.190.27 - - [05/Sep/2007:12:27:21 +0200] "GET
> > http://www.manchester.com/interactive/singles/messages/5743.html
> > HTTP/1.1" 404 14772
> > 72.232.110.34 - - [05/Sep/2007:12:27:21 +0200] "POST
> > http://www.ssbtractor.com/wwwboard/farm_tractors.pl HTTP/1.1" 200 219
> > 77.70.106.4 - - [05/Sep/2007:12:27:21 +0200] "POST
> > http://t3.butenploener.de:80/forum/forum/forum.html HTTP/1.0" 200 1139
> > 85.141.204.52 - - [05/Sep/2007:12:27:21 +0200] "CONNECT
> > login.icq.com:443 HTTP/1.0" 200 -
> > 125.77.63.157 - - [05/Sep/2007:12:27:21 +0200] "GET
> >
> > http://ads.adbrite.com/adserver/display_iab_ads.php?sid=347731&title_color=0000FF&text_color=000000&background_color=FFFFFF&border_color=FFFFFF&zs=&width=300&height=250
> > HTTP/1.0" 200 725
> > 91.90.39.106 - - [05/Sep/2007:12:27:21 +0200] "CONNECT
> > 205.188.179.233:443 HTTP/1.0" 200 -
> >
> >
> > ________________________________
> > French OpenBSD mailing list
> > misc AT openbsd-france POINT org
> > http://www.openbsd-france.org/ml