Apache VirtualHost Blockhole (Eats All Requests on All Ports on an IP)
Posted by Synetech inc. on Server Fault
Published on 2010-05-08T18:56:41Z
Indexed on 2010/05/08 19:00 UTC
I’m exhausted. I just spent the last two hours chasing a goose that I have been after on-and-off for the past year. Here is the goal, put as succinctly as possible.
Step 1: HOSTS File:
127.0.0.5 NastyAdServer.com
127.0.0.5 xssServer.com
127.0.0.5 SQLInjector.com
127.0.0.5 PornAds.com
127.0.0.5 OtherBadSites.com
…
Step 2: Apache httpd.conf
# IP-based VirtualHost: catches every HTTP request that arrives on the
# sinkhole loopback address, whatever Host header the browser sends.
<VirtualHost 127.0.0.5:80>
ServerName adkiller
# Relative DocumentRoot is resolved against ServerRoot; the directory
# must contain p.png (transparent pixel) and ad.htm (empty page).
DocumentRoot adkiller
RewriteEngine On
# Anything that looks like an image becomes the transparent pixel ...
RewriteRule (\.(gif|jpg|png|jpeg)$) /p.png [L]
# ... and every other request becomes the empty HTML page.
RewriteRule (.*) /ad.htm [L]
</VirtualHost>
So basically what happens is that the HOSTS file redirects designated domains to the localhost, but to a specific loopback IP address. Apache listens for any requests on this address and serves either a transparent pixel graphic, or else an empty HTML file. Thus, any page or graphic on any of the bad sites is replaced with nothing (in other words an ad/malware/porn/etc. blocker).
This works great as is (and has been for me for years now). The problem is that these bad things are no longer limited to just HTTP traffic. For example:
<script src="http://NastyAdServer.com:99">
or
<iframe src="https://PornAds.com/ad.html">
or a Trojan using
ftp://spammaster.com/[email protected];[email protected];[email protected]
or an app “phoning home” with private info in a crafted ICMP packet by pinging
CardStealer.ru:99
Handling HTTPS is a relatively minor bump. I can create a separate VirtualHost just like the one above, replacing port 80 with 443, and adding in SSL directives. This leaves the other ports to be dealt with.
I tried using * for the port, but then I get overlap errors. I tried redirecting all requests to the HTTPS server and vice versa, but neither worked; either the SSL requests wouldn’t redirect correctly or else the HTTP requests gave the “You’re speaking plain HTTP to an SSL-enabled server port…” error. Further, I cannot figure out a way to test if other ports are being successfully redirected (I could try using a browser, but what about FTP, ICMP, etc.?)
I realize that I could just use a port-blocker (e.g. ProtoWall, PeerBlock, etc.), but there are two issues with that. First, I am blocking domains with this method, not IP addresses, so to use a port-blocker I would have to get each and every domain’s IP and update them frequently. Second, using this method, I can have Apache keep logs of all the ad/malware/spam/etc. requests for future analysis (my current AdKiller logs are already 466MB right now).
I appreciate any help in successfully setting up an Apache VirtualHost blackhole. Thanks.
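The HTTP plus HTTPS version of the blackhole described in the post, written out as an added example (this is not the poster's configuration). It assumes mod_rewrite and mod_ssl are loaded, a DocumentRoot of /var/www/adkiller holding p.png and ad.htm, a self-signed certificate pair at /etc/apache2/ssl/adkiller.{crt,key}, and a log file named logs/adkiller.log; all of those names are assumptions. The port-99 vhost is added to show that a `<script src="http://NastyAdServer.com:99">` is still plain HTTP, so Apache can answer it if it listens there; the rewrite rules are also made case-insensitive with [NC], which the original rules were not.

```apache
# Bind only to the sinkhole loopback address from the HOSTS file, so
# nothing else on the machine is affected. One Listen per port Apache
# should answer on; Apache cannot answer FTP, ICMP or other non-HTTP
# traffic at all, so those ports are out of scope for this file.
Listen 127.0.0.5:80
Listen 127.0.0.5:443
Listen 127.0.0.5:99

# Every sinkholed domain resolves to the same IP, so log the Host
# header: it is the only thing that says which blocked site was hit.
LogFormat "%h %t \"%{Host}i\" \"%r\" %>s %b \"%{Referer}i\"" adkiller

# Plain HTTP on port 80. Each port gets its own VirtualHost: a single
# vhost on 127.0.0.5:* with SSLEngine on is what produces the
# "speaking plain HTTP to an SSL-enabled server port" error on port 80.
<VirtualHost 127.0.0.5:80>
    ServerName adkiller
    # Assumed path; must contain p.png and ad.htm.
    DocumentRoot /var/www/adkiller
    CustomLog logs/adkiller.log adkiller
    RewriteEngine On
    # Leave the two replacement files themselves alone.
    RewriteRule ^/(p\.png|ad\.htm)$ - [L]
    # Image-looking requests become the transparent pixel (NC: any case).
    RewriteRule \.(gif|jpe?g|png)$ /p.png [L,NC]
    # Everything else becomes the empty page.
    RewriteRule .* /ad.htm [L]
</VirtualHost>

# Same thing on an extra HTTP port that ad scripts are seen using.
<VirtualHost 127.0.0.5:99>
    ServerName adkiller
    DocumentRoot /var/www/adkiller
    CustomLog logs/adkiller.log adkiller
    RewriteEngine On
    RewriteRule ^/(p\.png|ad\.htm)$ - [L]
    RewriteRule \.(gif|jpe?g|png)$ /p.png [L,NC]
    RewriteRule .* /ad.htm [L]
</VirtualHost>

# HTTPS on port 443: identical rules, SSL enabled only here.
<VirtualHost 127.0.0.5:443>
    ServerName adkiller
    DocumentRoot /var/www/adkiller
    CustomLog logs/adkiller.log adkiller
    SSLEngine on
    # Assumed self-signed pair. Its name will never match PornAds.com
    # etc., so browsers reject the connection before fetching anything,
    # which still blocks the content but logs less than the HTTP vhost.
    SSLCertificateFile    /etc/apache2/ssl/adkiller.crt
    SSLCertificateKeyFile /etc/apache2/ssl/adkiller.key
    RewriteEngine On
    RewriteRule ^/(p\.png|ad\.htm)$ - [L]
    RewriteRule \.(gif|jpe?g|png)$ /p.png [L,NC]
    RewriteRule .* /ad.htm [L]
</VirtualHost>
```

Check the file with `apachectl -t` before reloading; the overlap warnings the post mentions come from two vhosts claiming the same address:port, which this layout avoids by giving every Listen port exactly one vhost. To confirm a port is blackholed, request it through the sinkhole address directly, e.g. `curl -v -H "Host: NastyAdServer.com" http://127.0.0.5:99/x.js`, and look for the empty-page response and the matching line in logs/adkiller.log.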
© Server Fault or respective owner