Hi all,
I've had my album up for about a year using a php.cgi version because of server restrictions and at noon today I came under attack from two IPs making such rapid request of the large php.cgi file that it didn't have time to execute before the next request of the file causing the server to get tied up. My server operator changed the name of the php.cgi file to save the server and put my album down. We restored it two hours later only to come under attack again requiring the file name to be changed again.
I didn't know any Unix and had Blake install this for me last year and it has been working fine until now.
My question is, can I change the file attributes to prevent direct access to the album files and make everyone come through the main page somehow. I don't know which folders or files to change to make this work. I'm not even sure if this will prevent the attacks.
I will make another donation for some help on this.
Bill
Posts: 8194
No, you can't do this with Gallery 1.x. Gallery 2 will have an image firewall. Why can't your host just block those IPs?
This won't really stop the attacks, at least not the kind you're talking about. Best way would be to block the IPs that are causing the trouble...
Posts: 7
My host doesn't provide this service for one site on a server and they said that most IPs are not static but will roll.
Are you telling me that their is no way to restrict access to the gallery...a door that they would have to go through for access to that php.cgi file. I'm dead. That means that these people can attack any gallery and shut it down by hammering its files.
I restored it after four hours but within 15 minutes one of the same IPs started hammering and then a new IP with last of the address being different joined in with the first.
I guess they win and I am shut down. This could destroy a business.
Posts: 7
In a google search on restricting access, I saw a .htaccess file used for blocking IP access:
You can use htaccess to block certain ip addresses from accessing your site. This might be one particular person who's giving you grief, or an ip range from a certain country you'd prefer not to access your site. You can use a full ip address, or only a partial ip. If you put in '203.156.187.269' this will block only users with that exact ip address. Keep in mind that users who run through a proxy server will have a different ip number each time they connect, so you might want to use, for example, '203.156.187'. This will block all users with the ip address of 203.156.187.000 - 203.156.187.999.
<Limit GET HEAD POST>
order allow,deny
deny from '203.156.187.269
allow from all
</LIMIT>
There is a .htacess file in the php-cgi folder that refers to the php.cgi file that is being hit. It has this text:
AddType application/cgi-php php Action application/cgi-php /cgi-bin/php.cgi
Could I put the filter text before the application text in this .htaccess file or should I create a separate .htaccess file and place it in my mainwebsite_html folder that contains the php-cgi folder?
Posts: 332
The .htcaccess file can be put in any directory from root to the image gallery itself.
If you are having troubles with this IP then the best place to put it is in the first "public" directory. The code you have is correct and can be apended into an exising .htaccess file.
You can also put up an ati-leech directive since your at it. This will prvent Hotlinking pictures off your site.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://domainname.com [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domainname.com [NC]
RewriteCond %{HTTP_REFERER} !^http://sub.domainname.com [NC]
RewriteRule [^/]+.(gif|jpg|GIF|JPG)$ [F]
You can add different extentions in the last line seperated by the | such as
RewriteRule [^/]+.(gif|jpg|mov|avi|htm*|php)$ [F]
You only need to have CAPITALIZED extensions if you have them in your files. You may also notice I put a wild card * after htm this will also protect the html files. Also note that you do not want a trailing / after your domain name make sure you leave this off.
:smile:
Jade
Posts: 7
Jade,
Thank you for the very useful information and I will do some testing as soon as I can contact my host.
What text would I put in a test filter to allow only my IP to access the gallery so I can get control and test my site for damage before I install the IP blocking filter.
It would be very useful to have some calm so I can do my work.
Bill
Posts: 332
Same as your above post only reverse it a bit.
<Limit GET HEAD POST>
order allow,deny
deny from all
allow from your IP
</LIMIT>
Posts: 487
You can also fiddle with the permissions of your php.cgi binary.
Try just allowing the execute permission bit, and removing the read/write ones.
They wouldn't be able to download it then, but I'm not sure if the webserver
will be able to use it either.
Posts: 8194
vallimar: I'm pretty sure that the read permission must be set in order for the web server to be able to execute the program (in addition to the execute)
I tested this on my Linux box...
(as root)
# chmod ugo=x /tmp/test (/tmp/test is just a simple bash shell script)
# ls -l /tmp/test
---x--x--x 1 root root 18 Apr 3 17:36 /tmp/test
(as regular user)
$ /tmp/test
/tmp/test: /tmp/test: Permission denied