phpbb3 - nuisance visitor

Discussion in 'Server Operation' started by blinky, Dec 2, 2012.

  1. blinky

    blinky Member

    About three months ago I decided to set up an Ubuntu server complete with mail, web and ftp services. Not for any particular reason other than I just wanted to do it. I managed to get everything up and running so have been looking at some add-ons, one of which is phpbb3.

    It's up and running and I believed everything was fine until yesterday when suddenly there was a flurry of activity on this otherwise quiet system. Just total nonsense was posted in the single forum from a variety of users (all of whom registered). I nuked the whole lot, locked down the forums a bit more but now continually get access attempts as follows:

    Code:
    178.137.165.56 - - [01/Dec/2012:22:21:44 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/phpbb/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
    178.137.165.56 - - [01/Dec/2012:22:21:44 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/phpbb/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
    178.137.165.56 - - [01/Dec/2012:22:21:45 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
    178.137.165.56 - - [01/Dec/2012:22:21:45 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
    178.137.165.56 - - [01/Dec/2012:22:21:45 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
    
    I've tried adding that IP address to the PHPBB "IP Ban" list. Tried adding it to an .htaccess file both in the root web directory and in the /usr/share/phpbb3/www directory... that didn't work either. I've even entered the IP address in the "advanced settings" of the router's "Inbound Filter" settings to deny access. Not even that worked.

    It's like the IP address being reported in the apache2/access.log file isn't accurate.

    I'm at a total loss......

    Help! Au secour!
     
  2. falko

    falko Super Moderator ISPConfig Developer

    What exactly did you add to your .htaccess files?
     
  3. blinky

    blinky Member

    I added the IP address of the offending site. (I also copied the .htaccess file from /var/www to /usr/share/phpbb3/www so both locations contain the same file.) The .htaccess file is as follows:
    Code:
    #GLOBAL BAD BOT EXCLUSION
    SetEnvIfNoCase User-Agent "^Yandex*" bad_bot
    <Limit GET POST>
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
    </Limit>
    #END GLOBAL BAD BOT EXCLUSION
    #
    #SPECIAL PROVISION TO BLOCK BAIDU-BOT
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^Baiduspider [NC]
    RewriteRule .* - [F]
    #END SPECIAL PROVISION TO BLOCK BAIDU-BOT
    #
    #BLOCK SPECIFIC IP ADDRESSES
    Order deny,allow
    Deny from 5.9.63.172
    Deny from 37.140.141.15
    Deny from 61.155.106.210
    Deny from 65.55.24.87
    Deny from 65.55.24.215
    Deny from 65.55.24.244
    Deny from 65.55.52.87
    Deny from 66.249.74.221
    Deny from 66.249.75.67
    Deny from 78.158.11.226
    Deny from 87.244.132.228
    Deny from 91.121.169.209
    Deny from 91.205.189.15
    #Baidu Spider start
    Deny from 123.125.71.15
    Deny from 123.125.71.18
    Deny from 123.125.71.35
    Deny from 123.125.71.47
    Deny from 123.125.71.53
    Deny from 123.125.71.69
    #Baidu spider end
    Deny from 149.3.152.246
    Deny from 157.55.35.35
    Deny from 157.56.229.88
    Deny from 168.62.176.62
    Deny from 178.137.89.184
    Deny from 178.137.165.56
    Deny from 178.154.164.251
    Deny from 180.76.5.98
    Deny from 180.76.5.107
    Deny from 180.76.5.177
    Deny from 190.120.231.35
    Deny from 193.43.252.252
    Deny from 210.211.125.10
    Deny from 220.181.51.81
    #
    
    I believe this has worked thus far. What I'm at a real loss to explain is why the router's "inbound filter" and its "DENY" option isn't working. It's like the requests are coming from a different IP address than what Apache is showing in the access.log file.
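
An added example, not part of either poster's message: Apache still writes a request it rejects through a `Deny` rule to access.log, with status 403 instead of 200, so tallying status codes per banned address shows whether a ban is taking effect. The sample lines are constructed in the thread's combined log format; the address 203.0.113.9 and all function names are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def audit_bans(lines, banned_ips):
    """Return {ip: Counter(status)} for every banned address seen in the log."""
    seen = defaultdict(Counter)
    for rec in parse(lines):
        if rec["ip"] in banned_ips:
            seen[rec["ip"]][rec["status"]] += 1
    return dict(seen)

def ineffective_bans(lines, banned_ips):
    """Banned addresses that still received at least one non-403 response."""
    tally = audit_bans(lines, banned_ips)
    return sorted(ip for ip, c in tally.items() if any(s != "403" for s in c))

def bursts(lines, threshold=3):
    """(ip, timestamp) pairs with at least `threshold` requests in one second."""
    per_second = Counter((r["ip"], r["ts"]) for r in parse(lines))
    return sorted(key for key, n in per_second.items() if n >= threshold)

# Constructed sample: four requests still answered with 200, and one
# request from a hypothetical address that the server rejects with 403.
_T = ('{ip} - - [01/Dec/2012:22:21:{sec} -0500] "GET /phpbb/index.php HTTP/1.0" '
      '{status} 6464 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"')
SAMPLE = [_T.format(ip="178.137.165.56", sec=s, status=200)
          for s in ("44", "45", "45", "45")]
SAMPLE.append(_T.format(ip="203.0.113.9", sec="50", status=403))

if __name__ == "__main__":
    banned = {"178.137.165.56", "203.0.113.9"}
    print("still served:", ineffective_bans(SAMPLE, banned))
    print("bursts:", bursts(SAMPLE))
```

A banned address that does not appear in the log at all after the ban was stopped before it reached Apache, for example by a filter upstream of the server.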
     
