Apache VirtualHost Blockhole (Eats All Requests on All Ports on an IP)
- by Synetech inc.
I’m exhausted. I just spent the last two hours chasing a goose that I have been after on-and-off for the past year. Here is the goal, put as succinctly as possible.
Step 1: HOSTS File:
127.0.0.5 NastyAdServer.com
127.0.0.5 xssServer.com
127.0.0.5 SQLInjector.com
127.0.0.5 PornAds.com
127.0.0.5 OtherBadSites.com
…
Step 2: Apache httpd.conf
<VirtualHost 127.0.0.5:80>
ServerName adkiller
DocumentRoot adkiller
RewriteEngine On
RewriteRule (\.(gif|jpg|png|jpeg)$) /p.png [L]
RewriteRule (.*) /ad.htm [L]
</VirtualHost>
So basically what happens is that the HOSTS file redirects designated domains to the localhost, but to a specific loopback IP address. Apache listens for any requests on this address and serves either a transparent pixel graphic, or else an empty HTML file. Thus, any page or graphic on any of the bad sites is replaced with nothing (in other words an ad/malware/porn/etc. blocker).
This works great as is (and has been for me for years now). The problem is that these bad things are no longer limited to just HTTP traffic. For example:
<script src="http://NastyAdServer.com:99">
or
<iframe src="https://PornAds.com/ad.html">
or a Trojan using
ftp://spammaster.com/[email protected];[email protected];[email protected]
or an app “phoning home” with private info in a crafted ICMP packet by pinging
CardStealer.ru:99
Handling HTTPS is a relatively minor bump. I can create a separate VirtualHost just like the one above, replacing port 80 with 443, and adding in SSL directives. This leaves the other ports to be dealt with.
I tried using * for the port, but then I get overlap errors. I tried redirecting all request to the HTTPS server and visa-versa but neither worked; either the SSL requests wouldn’t redirect correctly or else the HTTP requests gave the You’re speaking plain HTTP to an SSL-enabled server port… error. Further, I cannot figure out a way to test if other ports are being successfully redirected (I could try using a browser, but what about FTP, ICMP, etc.?)
I realize that I could just use a port-blocker (eg ProtoWall, PeerBlock, etc.), but there’s two issues with that. First, I am blocking domains with this method, not IP addresses, so to use a port-blocker, I would have to get each and every domain’s IP, and update theme frequently. Second, using this method, I can have Apache keep logs of all the ad/malware/spam/etc. requests for future analysis (my current AdKiller logs are already 466MB right now).
I appreciate any help in successfully setting up an Apache VirtualHost blackhole. Thanks.