Let's Block Nuisance Web Access

The following text was written from the information available at the time of writing, so be aware that it may include things that no longer fit the current situation. Also, the text is the final submitted manuscript before it went through proofreading, so it differs from what was actually printed in UNIX USER magazine. Typos and omissions are left as they were.

Apart from fatal errors, I do not add to or correct it, so please use it while keeping the age of the information in mind.

Table of contents

==========================================
Part3 Web
==========================================





Web






Apache






Web


	(1) 
	(2) 
	(3) 

(1)
(
)(2)
(3)

(1)(3)()











(1)(2)
Web
Apache(httpd.conf)
 httpd.conf 
()


	()
	CustomLog logs/access_log common

	( "common" )
	LogFormat "%h %l %u %t \"%r\" %>s %b" common


(1)

	LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined



	CustomLog logs/access_log common
		
	CustomLog logs/access_log combined

httpd.conf apache
(1)

218.219.192.204 - - [08/Sep/2004:23:32:27 +0900] "GET /%7Eyuuji/ HTTP/1.1" 200 2529 "-" "Mozilla/5.0 (X11; U; NetBSD i386; en-US; rv:1.6) Gecko/20040306 Firefox/0.8"

""










Web /robots.txt 

robots.txt 

http://www.robotstxt.org/wc/robots.html
http://www.robotstxt.org/wc/exclusion.html
http://www.robotstxt.org/wc/norobots-rfc.html



	:	
	:	
	

+:1


	User-Agent:	*
	Allow:		/unixuser/
	Disallow:	/
	


	* 
	* /unixuser/  /unixuser/ 
	  
	*  / 



User-Agent, Allow, Disallow 


User-Agent (
)
()

Allow  Disallow 
robotstxt.org 

	* 
          ()
	*  Allow


Google (Googlebot)
 
---[ ]------------------------------------------------------------
http://www.google.co.jp/webmasters/faq.html#robots 
----------------------------------------------------------------------

	User-Agent:	googlebot
	Disallow:	/
	Allow:		/unixuser/
	



	/unixuser/index.html

 / 
 /unixuser/ 
 Allow 


robotstxt.org 

Web


robots.txt








ApacheApache


	tail -f access_log

Web




 Google Web

Web

 Apache URL(mod_rewrite)


mod_rewrite 

mod_rewrite URL

User-Agent


mod_rewrite 

mod_rewrite URL
http://httpd.apache.org/docs/mod/mod_rewrite.html
3


	*---------------------
	RewriteEngine  on|off
	*---------------------
	mod_rewrite 
	 off 
	on/off 
	   
	 RewriteEngine on  

---[ ]------------------------------------------------------------

----------------------------------------------------------------------

	*-----------------------------------------
	RewriteRule  
	
	RewriteRule   []
	*-----------------------------------------
	URL
	
	 Perl/Ruby 
	

	  *  ( ) N $N
	  * RewriteCond()
	     %N
	  *  %{}
	  *  
---[ ]------------------------------------------------------------
 mod_rewrite  Web 
----------------------------------------------------------------------

	 - ()
	

	3 [] 

	 [F] Access Forbidden

---[ ]------------------------------------------------------------
RewriteRule 3

	--------+-------------------------------------------------
	 flag	| meaning
	--------+-------------------------------------------------
	 R	| Redirect
	 F	| Forbidden (HTTP 403)
	 G	| Gone (HTTP 410)
	 L	| Last (stop rewriting after this rule)
	 N	| Next (start the rewrite rules over from the top)
	 C	| Chain (try the next rule only if this one matched)
	 T=type	| force the MIME type
	 NS	| No Subrequest (skip this rule for internal subrequests)
	 NC	| No Case (match case-insensitively)
	 QSA	| Query String Append (keep the original query string)
	 NE	| No Escape (do not URL-escape the rewritten result)
	 PT	| Pass Through (hand the result on to the next handler)
	 S=NUM	| Skip the next NUM rules
	 E=VAR:VAL	| set environment variable VAR to VAL
	--------+-------------------------------------------------
----------------------------------------------------------------------

	 Forbidden 

	RewriteRule . - [F]

	
	RewriteCond 

	*--------------------------------------
	RewriteCond  
	
	RewriteCond   []
	*--------------------------------------
	 RewriteRule 
	  
	RewriteCond 
	(AND)OR
	OR
	 NC 
	(,)

User-Agent

User-Agent
User-Agent
HTTP_USER_AGENT User-Agent  FooSpider 
BarCrawler Forbidden 


	RewriteCond %{HTTP_USER_AGENT} foospider [NC,OR]
	RewriteCond %{HTTP_USER_AGENT} barcrawler [NC]
	RewriteRule . - [F]

HTTP

robots.txt, mod_rewrite 





---[ SEARCH]--------------------------------------
 Apache  access_log less

	"SEARCH




	"SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1.........."

IIS1



Apache414
CustomLog 
 common 
414


	LogFormat "%h %l %u %t \"%r\" %>s %b" common 
	
	LogFormat "%h %l %u %t \"%!414r\" %>s %b" common 
----------------------------------------------------------------------






//OS
CGI

 

---[ ]------------------------------------------------------------


----------------------------------------------------------------------


Web
Windows
(1)

	61.97.128.70 - - [04/Sep/2004:18:11:24 +0900]
	"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 164 "-" 
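As an added example that is not part of the article, the combined-format log lines above can be parsed and the two probe patterns the article shows (the cmd.exe request and the binary-stuffed SEARCH request) flagged per client address; the sample lines are constructed after the article's excerpts, and the signature regexes are my own.

```python
import re

# Regex for the Apache "combined" LogFormat shown on this page:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Constructed detection rules (not the author's) for the two probes the
# article quotes: the cmd.exe directory request and a WebDAV SEARCH whose
# path starts with bytes Apache logs as \xHH escapes.
SIGNATURES = {
    "cmd.exe probe": re.compile(r'cmd\.exe\?/c\+', re.IGNORECASE),
    "SEARCH overflow probe": re.compile(r'^SEARCH /\\x[0-9a-f]{2}', re.IGNORECASE),
}

def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def classify(entry):
    """Return the name of the first signature matching the request line."""
    for name, pat in SIGNATURES.items():
        if pat.search(entry["request"]):
            return name
    return None

def hosts_to_block(lines):
    """Map each offending client address to the signature that fired."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        name = classify(entry)
        if name and entry["host"] not in hits:
            hits[entry["host"]] = name
    return hits

# Constructed sample lines modelled on the article's excerpts.
SAMPLE = [
    '61.97.128.70 - - [04/Sep/2004:18:11:24 +0900] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 164 "-" "-"',
    '218.219.192.204 - - [08/Sep/2004:23:32:27 +0900] "GET /%7Eyuuji/ HTTP/1.1" 200 2529 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Sep/2004:23:40:01 +0900] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1 HTTP/1.1" 414 - "-" "-"',
]
```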



HTTP



Windows
C:(cmd.exe)
Unix+ApacheApache
CGI






	
	
	
	
	IP



Apache

ApacheCGIhttpd.conf 

	AddHandler cgi-script .cgi



httpd
httpd
httpd.conf  User 

	User www

httpd=apache
httpd  www 





Apache Alias 
CGICGI
IP(
REMOTE_ADDR )
()



	1. 
	   (httpd
	    Content-type: plain/text )
	2.  REMOTE_ADDR 
	3. 



	*  /var/wwwblock ( $DIR ) 
	* IP $DIR/ipdir/ 
	   touch 
	  ()
	* (3) sudo  make 
	  (root)

---[ datadir]-------------------
IPIP


ASCIIdatadir 
datadir



A

-rw-r--r--  1 yuuji yuuji 0 Sep 10 06:57 10.3.4.5
-rw-r--r--  1 yuuji yuuji 0 Sep 10 07:34 10.9.8.7

2 10.3.4.5, 10.9.8.7 

ls
find -mtime, -mmin 



OSdatadir
IP
ASCIIdatadir

----------------------------------------------------------------------

(CGI)(block.cgi) 



	# mkdir -p /var/wwwblock/ipdir
	# cd /var/wwwblock
	# chown www ipdir
	# vi block.cgi
	  (  CGI)


---[ block.cgi ]------------------------------------------------------
#!/bin/sh
PATH=${PATH}:/usr/local/bin
# CGI header: plain text, followed by the blank line that ends the headers
echo 'Content-type: text/plain'
echo

# Tell the (probably worm-infected) client why it is about to be cut off
echo "Your PC ($REMOTE_ADDR) should be infected by some virus."
echo 'We block your connection for one day.'
echo 'Please do virus-scan your PC and visit us on the day after tomorrow.'

cd /var/wwwblock || exit 1
# Record the client address as an empty file under ipdir/ (the datadir).
# httpd sets REMOTE_ADDR itself, but refuse anything that is not a bare address
case "$REMOTE_ADDR" in
	''|*[!0-9A-Fa-f.:]*) exit 1 ;;
esac
touch "ipdir/$REMOTE_ADDR"
# sudo does not pass PATH through, so call callmake.sh by its absolute path;
# callmake.sh runs make as root
sudo /var/wwwblock/callmake.sh >> blocklog 2>&1
----------------------------------------------------------------------

make

IP X.Y.Z.W 
 

ipfw/ipfw2 ()
ipfw add  reset tcp from X.Y.Z.W to any

IPfilter ()
block return-rst in log quick on IF proto tcp from X.Y.Z.W to any

iptables ()
iptables -I INPUT  -s X.Y.Z.W -p tcp -i IF \
	-j REJECT --reject-with tcp-reset

---[ ]------------------------------------------------------------
 IF WebWANNIC

----------------------------------------------------------------------


(
) Makefile 

ipfw/ipfw2
  ================

  ipfw(ipfw2)
  /
  
  99
  
  

  ipfw100
  
  

	(1) 99
	(2) $DIR/ipdir/ 
	    (24)
	(3) $DIR/ipdir/ (IP)
	    99
	(4) (3)

  Makefile 

  ---[ /var/wwwblock/Makefile ]-----------------------------------------
  # Makefile for ipfw www-attack blocker 
  # This Makefile should be located in /var/wwwblock
  BLKDIR	= ipdir
  RULENUM	= 99
  # HTTPDUSER is the user httpd runs as (the User directive in httpd.conf)
  HTTPDUSER	= www

  all:	ipfw.deny call-ipfw

  ipfw.deny:	${BLKDIR}
	@find ${BLKDIR} \( -type f -a -mmin +1440 \) -exec rm '{}' ';'
	/bin/ls ${BLKDIR} \
	 | awk '{printf "ipfw add ${RULENUM} reset tcp from %s to any\n", $$1}' \
	 > ipfw.deny
	chown ${HTTPDUSER} ipfw.deny

  call-ipfw:
	-@ipfw del ${RULENUM} > /dev/null 2>&1
	sh ./ipfw.deny
  ----------------------------------------------------------------------


IPfilter
  ===============

  ipfw
  IPfilterIPfilter
  
   Makefile (iptables
  )

  IPfilter
  /var/wwwblock/ipf.src 
   ipf.src ipf 
  

  ---[ /var/wwwblock/Makefile ]-----------------------------------------
  # Makefile for IPfilter www-attack blocker 
  # This Makefile should be located in /var/wwwblock
  BLKDIR	= ipdir
  # HTTPDUSER is the user httpd runs as (the User directive in httpd.conf)
  HTTPDUSER	= www

  all:	ipf.conf call-ipf

  ipf.conf:	ipf.src ${BLKDIR}
	@find ${BLKDIR} \( -type f -a -mmin +1440 \) -exec rm '{}' ';'
	(/bin/ls ${BLKDIR} \
	 | awk '{printf "block return-rst in log quick proto tcp from %s to any\n", $$1}' ;\
	 cat ipf.src) > ipf.conf
	chown ${HTTPDUSER} ipf.conf

  call-ipf:
	ipf -Fa -f ipf.conf
  ----------------------------------------------------------------------


iptables
  ===============

  iptables
   /var/wwwblock/ 
   setiptable.sh 
  Makefile  

  ---[ /var/wwwblock/Makefile ]-----------------------------------------
  # Makefile for iptables www-attack blocker 
  # This Makefile should be located in /var/wwwblock
  BLKDIR	= ipdir
  # HTTPDUSER is the user httpd runs as (the User directive in httpd.conf)
  HTTPDUSER	= www

  all:	ipt.sh call-ipt

  ipt.sh:	${BLKDIR}
	@find ${BLKDIR} \( -type f -a -mmin +1440 \) -exec rm '{}' ';'
	/bin/ls ${BLKDIR} \
	 | awk '{printf "iptables -I INPUT 1 -s %s -p tcp -j REJECT --reject-with tcp-reset\n", $$1}' \
	 > $@
	chown ${HTTPDUSER} $@

  call-ipt:
	./setiptable.sh
	sh ipt.sh
  ----------------------------------------------------------------------

---[ ]------------------------------------------------------------
iptablesINPUT

 Makefile 
wwwblock

----------------------------------------------------------------------
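The three Makefiles above all perform the same two steps: expire marker files older than 1440 minutes, then emit one firewall rule per remaining file. As an added example that is not part of the article, here is that logic in Python with one refinement a defender would want, namely that a file name which is not an IP address is never spliced into a firewall command. The ipdir layout and the rule syntax follow the article; make_sample_dir builds a constructed ipdir for demonstration.

```python
import ipaddress
import os
import tempfile
import time
from pathlib import Path

# Rule syntax for the three backends shown in the article
RULE_TEMPLATES = {
    "ipfw": "ipfw add {rulenum} reset tcp from {ip} to any",
    "ipf": "block return-rst in log quick proto tcp from {ip} to any",
    "iptables": "iptables -I INPUT 1 -s {ip} -p tcp -j REJECT --reject-with tcp-reset",
}

def valid_ip(name):
    """True only for a well-formed IP address; junk file names are skipped."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def expire_entries(blkdir, max_age_min=1440, now=None):
    """Remove marker files older than max_age_min minutes (the Makefiles'
    find -mmin +1440 step) and return the names removed, sorted."""
    now = time.time() if now is None else now
    removed = []
    for p in Path(blkdir).iterdir():
        if p.is_file() and now - p.stat().st_mtime > max_age_min * 60:
            p.unlink()
            removed.append(p.name)
    return sorted(removed)

def rules(blkdir, backend="iptables", rulenum=99):
    """One firewall command per remaining marker file, for the chosen backend."""
    names = sorted(p.name for p in Path(blkdir).iterdir() if p.is_file())
    return [RULE_TEMPLATES[backend].format(ip=n, rulenum=rulenum)
            for n in names if valid_ip(n)]

def make_sample_dir(now):
    """Constructed sample ipdir: two addresses (one older than a day) and
    one bogus name, as block.cgi would leave behind via touch."""
    d = tempfile.mkdtemp(prefix="ipdir-")
    for name, age_min in (("10.3.4.5", 60), ("10.9.8.7", 2000), ("not-an-ip", 5)):
        p = os.path.join(d, name)
        open(p, "w").close()
        os.utime(p, (now - age_min * 60, now - age_min * 60))
    return d

if __name__ == "__main__":
    d = make_sample_dir(time.time())
    expire_entries(d)
    print("\n".join(rules(d, "iptables")))
```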


sudo

www /var/wwwblock  make 
root sudo visudo
sudoers 

	www	venus=(root) NOPASSWD: /var/wwwblock/callmake.sh

callmake.sh make


  ---[/var/wwwblock/callmake.sh]--------------------------------------
  #!/bin/sh
  cd /var/wwwblock || exit 1
  make
  --------------------------------------------------------------------

callmake.sh root

	# chown root callmake.sh
	# chmod og-xw callmake.sh
	# chmod +x callmake.sh

httpd.conf

block.cgi  httpd.conf 


/c/winnt/*  block.cgi 
httpd.conf Alias 

	
	 Options ExecCGI
	
	Alias /c/winnt "/var/wwwblock/block.cgi"

(?)Apache
Alias
Apache



AliasCGI


	% telnet web 80
		    ~~~~~~~~~~~~~~~~~~~
	GET /c/winnt/system32/cmd.exe?/c+dir
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	Your PC (*.*.*.*) should be infected by some virus.
	We block your connection for one day.
	Please do virus-scan your PC and visit us on the day after tomorrow.

	()
	% telnet web 80
		    ~~~~~~~~~~~~~~~~~~~
	telnet: connect to address *.*.*.*: Connection refused
	telnet: Unable to connect to remote host

2


	* /var/wwwblock/ipdir httpd
	* httpd callmake.sh 





httpdhttpd

 IMAP imap

tcpserver

	tcpserver -R IP   



	IP			  TCPREMOTEIP
	()	  TCPREMOTEHOST


HTTP



yuuji@gentei.org
Fingerprint16 = FF F9 FF CC E0 FE 5C F7 19 97 28 24 EC 5D 39 BA