httpd-users mailing list archives

From Rich <a...@rbentley.com>
Subject Re: [users@httpd] How to close connection instead of sending 403?
Date Sun, 19 Jun 2005 12:14:26 GMT
Yes, I see where you're coming from...

Actually, thinking further, you CAN set up mod_security so that it drops 
the connection - for example, I have this as a default action in my 
mod_security setup...

SecFilterDefaultAction "deny,log,status:403,system:/usr/local/pft/add_httpd_block %s"

The 'add_httpd_block' script is something I wrote myself to drop the 
connection and block the IP for a while. I just drop all connections 
from that IP (because that's what I want), but I'm sure you could work 
out something that will allow you to drop just this client, thus 
releasing the connection.

You could also reduce the ip idle timeout at the firewall so that 
hanging connections get removed quicker; assuming the client has given 
up because you're not responding then the connection will be idle - if 
the client has not given up then short of blocking the ip address (which 
you say you don't want to do) there's not much you can do about it anyway.

Rich.



dtufs wrote:
> 
> --- Rich <app1@rbentley.com> wrote:
> 
> 
>>You can configure mod_security so that it will not
>>respond at all - ie - 
>>it will just leave the client hanging waiting for a
>>response (which it 
>>will never get). Much like a 'silent' firewall.
>>
>>As I said, not ideal (the connection is still live),
>>but at least you 
>>can suppress any outgoing data.
> 
> 
> Yes, I read about this possibility in the modsecurity
> documentation. However, this does not seem acceptable,
> because too many "hanging" connections would very
> likely cause DoS in a very short time.
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
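
One way to write a block-for-a-while helper of the kind Rich describes, as an added example that is not his add_httpd_block script or part of the original message. It assumes the client IPv4 address arrives as the first argument and that iptables is the firewall; the state-file path, TTL and function names are hypothetical.

```shell
#!/bin/sh
# Added example: a hypothetical temporary-block helper, not Rich's add_httpd_block.
# Assumption: the caller passes the client IPv4 address as the first argument.
STATE=${BLOCK_STATE:-/var/run/httpd_block.list}  # one "<expiry-epoch> <ip>" per line
TTL=${BLOCK_TTL:-600}                            # seconds a block stays in place
RUN=${BLOCK_RUN:-}                               # set to "echo" for a dry run

# Accept only a dotted quad with octets 0-255; the argument goes into a firewall command.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  v_ifs=$IFS; IFS=.; set -- $1; IFS=$v_ifs
  [ $# -eq 4 ] || return 1
  for v_octet in "$@"; do
    [ ${#v_octet} -le 3 ] && [ "$v_octet" -le 255 ] || return 1
  done
}

# block_ip <ip> [now]: insert a DROP rule and record when it should be lifted.
block_ip() {
  b_ip=$1; b_now=${2:-$(date +%s)}
  valid_ipv4 "$b_ip" || { echo "block: rejected argument" >&2; return 2; }
  # Already listed: do not stack duplicate rules.
  awk -v ip="$b_ip" '$2 == ip { hit = 1 } END { exit !hit }' "$STATE" 2>/dev/null && return 0
  $RUN iptables -I INPUT -s "$b_ip" -j DROP || return 1
  echo "$((b_now + TTL)) $b_ip" >>"$STATE"
}

# expire_blocks [now]: delete rules whose expiry has passed and rewrite the state file.
expire_blocks() {
  e_now=${1:-$(date +%s)}
  [ -f "$STATE" ] || return 0
  e_tmp=$(mktemp) || return 1
  while read -r e_at e_ip; do
    valid_ipv4 "$e_ip" || continue        # skip corrupt lines
    if [ "$e_at" -le "$e_now" ]; then
      $RUN iptables -D INPUT -s "$e_ip" -j DROP
    else
      echo "$e_at $e_ip" >>"$e_tmp"
    fi
  done <"$STATE"
  mv "$e_tmp" "$STATE"
}

case ${1:-} in
  '') ;;                        # no argument: only define the functions
  --expire) expire_blocks ;;
  *) block_ip "$1" ;;
esac
```

Running it with `--expire` from cron lifts blocks whose time has passed; setting `BLOCK_RUN=echo` prints the rules without touching the firewall.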
