403s still driving up php processes

felosi

Well-Known Member
#1
Ok, I guess this is because autoindex kicks in for the 403 but there needs to be a better way because to block someone does no good because they will still get 403s and execute php each time.
the measure I took was adding a 403.shtml But I think in general something should be different so it doesnt execute php each time there is a 403

For example I had this site getting attacked. I noticed a flaw in the way the bots were attacking. They was all hitting site.com//index.php notice the double slashes. So I made a mod security rule to block this.

Problem was I still kept on seeing a high resource usage from this user. As well as their php processes running out.

Anyway its a simple fix just a suggestion, When you add the shtml files the php processes will go way down as well as server load

here is an example of the attack

210.17.144.130 - - [19/Sep/2007:15:11:05 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
156.34.8.177 - - [19/Sep/2007:15:11:05 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
156.34.8.177 - - [19/Sep/2007:15:11:10 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
210.17.144.130 - - [19/Sep/2007:15:11:10 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"


I also noticed that this drove transfer usage up as well. I just now added the shtml file. I will see if it makes a difference as far as that goes
 

mistwang

LiteSpeed Staff
#2
Our directory auto index is implemented with PHP, however, the 403 response should not invoke auto index. So, it should be something else. Maybe a PHP powered 403 custom error page.
 

felosi

Well-Known Member
#3
hmm, Im an idiot. I gotta pinpoint what was causing that. Was a blog so may have been somethin built in like wordpress has.
I was thinking it was autoindex or some other php page.
Sorry about that, I thought for sure it was invoking some kind of php process because they was all getting 403s yet the php processes and load was high.
where does the forbidden page located?
 
Top