# my apache server is being hijacked!

## slaterson

i noticed that my bandwidth was suffering a bit this morning so i decided to look at my apache logs.  turns out i am getting several requests per minute (probably 30-40) from a few different sites.  it looks like these sites are automated 'distributed search' sites, such as search.epilot.com.

i have tried using mod_access and some deny directives, but can't seem to block them from using my site.  how do i go about blocking a group of ips from using my machine altogether?  should i look into doing this via iptables or is there something i can do in the apache config?

thanks!

slate

----------

## srlinuxx

yeah, I'd just stick an iptables rule in my firewall script to try and block 'em.  you could try a robots.txt, but a lot don't heed it, so just cut em off at the pass.

----------

## slaterson

*srlinuxx wrote:*

> yeah, I'd just stick an iptables rule in my firewall script to try and block 'em.  you could try a robots.txt, but a lot don't heed it, so just cut em off at the pass.

hmmmm...  i put some new rules in iptables, but it's having no effect.

here's an example:

```
DROP       tcp  --  anywhere             221.226.124.122     tcp

DROP       udp  --  anywhere             221.226.124.122     udp
```

connections from that ip are still coming in left and right.

----------

## slaterson

*slaterson wrote:*

> here's an example:
>
> ```
> ...
> ```

ok, dumb error on my part.  i put the source ip as destination.  changing the 'd' to an 's' does wonders, and fixed the problem.  it now looks like this and the suspect ips are now not showing up in my apache log.

```
DROP       tcp  --  221.226.124.122      anywhere            tcp

DROP       udp  --  221.226.124.122      anywhere            udp
```

slate

----------
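Added example, not part of any post in this thread: a shell sketch that counts requests per client in an Apache access log and prints source-matched (`-s`) DROP rules for review, which is the corrected form of the rule discussed above. The function names, the threshold, the sample log (constructed, using documentation addresses) and the assumption that Apache listens on TCP port 80 are illustrative.

```shell
#!/bin/sh
# Added example: print iptables DROP rules for noisy clients in an access log.
# Rules are only printed, never executed, so they can be reviewed first.

# Constructed sample log in Apache common log format (documentation addresses).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Mar/2005:09:00:01 -0500] "GET /search?q=a HTTP/1.0" 200 512
192.0.2.10 - - [12/Mar/2005:09:00:02 -0500] "GET /search?q=b HTTP/1.0" 200 512
198.51.100.7 - - [12/Mar/2005:09:00:02 -0500] "GET /search?q=c HTTP/1.0" 200 512
192.0.2.10 - - [12/Mar/2005:09:00:03 -0500] "GET /search?q=d HTTP/1.0" 200 512
203.0.113.5 - - [12/Mar/2005:09:00:04 -0500] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [12/Mar/2005:09:00:05 -0500] "GET /search?q=e HTTP/1.0" 200 512
crawler.example.net - - [12/Mar/2005:09:00:06 -0500] "GET / HTTP/1.0" 200 2048
198.51.100.7 - - [12/Mar/2005:09:00:07 -0500] "GET /search?q=f HTTP/1.0" 200 512
192.0.2.10 - - [12/Mar/2005:09:00:08 -0500] "GET /search?q=g HTTP/1.0" 200 512
EOF
}

# top_clients THRESHOLD: read a log on stdin, print client IPs that made
# at least THRESHOLD requests, one per line, in a stable order.
top_clients() {
    awk -v min="$1" '
        # Field 1 is the client. Accept only dotted-quad IPv4 so a logged
        # hostname or malformed line never ends up in a firewall command.
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | LC_ALL=C sort
}

# drop_rules: read IPs on stdin, print one INPUT-chain rule per IP.
# -s matches the packet SOURCE (the remote client). With -d the rule would
# match packets addressed TO that IP, which inbound requests never are.
# Port 80 is an assumption (Apache on the default HTTP port).
drop_rules() {
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 80 -j DROP\n' "$ip"
    done
}

# Demo on the constructed log: clients with 3 or more requests.
sample_log | top_clients 3 | drop_rules
```

After loading reviewed rules, `iptables -L INPUT -n -v` shows per-rule packet counters; a rule whose counter stays at zero while the requests keep arriving is matching the wrong field.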

## sgs

I'm pretty new to doing anything serious with apache.  I came on this thread because I was concerned with those Search requests.  I've still got to find out more about them.....it seems that they represent a possible avenue of attack to some web servers at least. I don't like that block-the-ip solution because the hits are coming in from all over. I'd quite like to find out whether I really need to be dealing with that Search request at all. I don't have a lot of interest in search engines having an index on my site.....my customers are local.

It looks like at least in one case the Search string is an IIS attack.

----------

