Monitoring and blacklist
Wow, one week has already passed in this new year 2012. I've been very busy over the holidays and made quite a few minor updates. These updates are mostly tweaks under the hood and nothing really noticeable.
Let me highlight a few tweaks, though.
Most of the updates probably went into monitoring. Once I added the plain-files to the monitoring I also decided to collect that data in a separate path. This made me think and led to the decision to also collect the blacklisted traffic into a separate path.
This should make it more efficient to generate the lists for “real” traffic. All the traffic from search engines and the like still remains in the same path, but I might take it out as well.
Speaking of blacklisted traffic, I also made some updates to the module handling blacklisted IP addresses.
It is now possible to return a “501 Not Implemented” error instead of a “410 Gone”. The new 501 error also returns a single neutral page and not a "regular" error website page, i.e. there are no menu and no links in the page.
Unfortunately I still have to update the list manually, and with all the increased traffic and hack attacks I am afraid I have to automate this procedure sooner rather than later.
Inept if not stupid
As a side note: Looking through the logs I have really come to the conclusion that these spam hackers are inherently inept if not stupid. One might think that they write clever applications, but almost all attempts are just ridiculous and it is hard to understand what they are after.
Sometimes the ineptitude is on the other side, I am afraid. One annoying and increasing kind of traffic is referrer or log spam. Thanks to people who know squat about web servers but still operate one, I guess this works. Why else would they send these requests with the http_referer?
There are three ideas behind it. Idea one: open, as in public and accessible, log files link back to these referrers. Idea two: some extract this information from the log files and actually show, or shall we say brag about, publicly who is linking to them. Last but not least, idea three: people checking their log files are curious who is referring to them.
Vanity is certainly something you will find with many bloggers and website owners, which makes ideas two and three work. An attempt to find some open log files and such referrer spam actually was successful. I searched for one website "+logs" and Google actually listed a handful of log files with such entries. Amazing, I could even see my request as the latest entry in their log file!
However, it beats me why they think it will work on my website by sending a link continuously almost every day, or the same link a few times within seconds, despite a 410 or 501 response. It just raises red flags! Some are blocked simply because of their repeated senseless traffic.
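The two red flags described above (the same referrer repeated within seconds, and the same referrer resent after a 410 or 501) can be turned into an automatic candidate list for the blacklist. The following is an added example, not code from this site: the combined log format, the `OWN_HOST` placeholder, the thresholds and the sample lines are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Combined log format is an assumption; the post does not name its server or log format.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                     r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"')
REJECTED = {"410", "501"}     # the two blacklist responses the post mentions
OWN_HOST = "www.example.org"  # placeholder for the site's own hostname

SAMPLE_LOG = [  # constructed lines: documentation IP ranges, example domains
    '203.0.113.7 - - [07/Jan/2012:10:00:01 +0000] "GET / HTTP/1.1" 501 312 "http://spam.example.net/pills" "Mozilla/4.0"',
    '203.0.113.7 - - [07/Jan/2012:10:00:02 +0000] "GET / HTTP/1.1" 501 312 "http://spam.example.net/pills" "Mozilla/4.0"',
    '203.0.113.7 - - [07/Jan/2012:10:00:04 +0000] "GET / HTTP/1.1" 501 312 "http://spam.example.net/pills" "Mozilla/4.0"',
    '198.51.100.20 - - [07/Jan/2012:10:05:00 +0000] "GET /blog HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Jan/2012:09:00:00 +0000] "GET / HTTP/1.1" 410 0 "http://casino.example.com/" "-"',
    '192.0.2.9 - - [07/Jan/2012:09:00:00 +0000] "GET / HTTP/1.1" 410 0 "http://casino.example.com/" "-"',
]

def parse(line):
    """Return (ip, timestamp, status, referrer, referrer_host) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        host = urlsplit(m["ref"]).hostname
    except ValueError:  # bad timestamp or referrer URL: skip the line
        return None
    return m["ip"], ts, m["status"], m["ref"], host

def referrer_spam_candidates(lines, window=timedelta(seconds=10), min_hits=3):
    """Flag (ip, referrer) pairs where one IP repeats an external referrer
    min_hits times within window, or resends it after a 410/501."""
    seen = defaultdict(list)  # (ip, referrer) -> [(timestamp, status), ...]
    for ip, ts, status, ref, host in filter(None, map(parse, lines)):
        if ref in ("", "-") or host == OWN_HOST:
            continue  # no referrer, or an internal link
        seen[(ip, ref)].append((ts, status))
    flagged = {}
    for key, hits in seen.items():
        hits.sort()
        burst = any(hits[i + min_hits - 1][0] - hits[i][0] <= window
                    for i in range(len(hits) - min_hits + 1))
        retry = any(status in REJECTED for _, status in hits[:-1])
        if burst or retry:
            flagged[key] = len(hits)
    return flagged
```

Calling `referrer_spam_candidates(SAMPLE_LOG)` flags the burst from 203.0.113.7 and the daily repeat from 192.0.2.9, while the internal link from 198.51.100.20 is ignored.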