mod_security block requests by http-host header

Same issue here. I am using mod_security to block the user-agent

SecRule REQUEST_HEADERS:User-Agent "Bittorrent" "id:10000002,rev:1,severity:2,log,msg:'Bittorrent Hit Detected'"

I would change log to nolog after you verify it is working, to avoid filling up your log file:

SecRule REQUEST_HEADERS:User-Agent "Bittorrent" "id:10000002,rev:1,severity:2,nolog,msg:'Bittorrent Hit Detected'"

We are experiencing exactly the same issue with one of our client's sites. I added the following near the top of their :

# Drop Bittorrent agent 2015-01-05 before redirect to https
<IfModule mod_rewrite.c>
    RewriteEngine on
    # RewriteCond %{HTTP_USER_AGENT} =Bittorrent
    RewriteRule ^/announce$ - [F]
    RewriteRule ^/announce\.php$ - [F]
</IfModule>

The commented-out RewriteCond can be uncommented to only block a specific user agent. But they have no content at announce or announce.php, so we just blocked it all.


I'm having the same issue at the moment, having torrent trackers point at my server. I've experimented with iptables for the past couple of days and inspected headers and patterns of the requests, and narrowed it down to a couple of iptables rules that filter pretty much all of the recent seemingly malicious traffic from Asia (China, Malaysia, Japan and Hong Kong).

Below are the rules. Hope it helps someone.

iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "Bittorrent" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "spider" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "announce" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "deviantart" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "Bittorrent" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "baidu" --to 1000 -j REJECT
iptables -I INPUT -p tcp --dport 80 -m string --algo bm --string "Baiduspider" --to 1000 -j REJECT
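Added example, not part of the answer above and not iptables code: a short Python simulation of the xt_string match those rules rely on, run over constructed HTTP requests, to show what else the listed patterns catch (a page path or a Referer containing one of the words) and what they miss (a lower-case User-Agent, which the real `--icase` flag would cover). The request samples and hostnames are made up.

```python
# Added example, not from the thread: approximate the xt_string match used by
# the iptables rules above, so their side effects can be checked offline.
# The HTTP requests below are constructed samples, not captured traffic.


def string_match(payload: bytes, pattern: str, to: int = 1000, icase: bool = False) -> bool:
    """Approximate `-m string --algo bm --string PATTERN --to TO [--icase]`.

    xt_string inspects one packet at a time, and the whole pattern must fall
    within the first TO bytes of that packet.
    """
    window = payload[:to]
    needle = pattern.encode()
    if icase:
        return needle.lower() in window.lower()
    return needle in window


# The patterns from the posted rule set, in the order they were listed
POSTED_PATTERNS = ["Bittorrent", "spider", "announce", "deviantart", "baidu", "Baiduspider"]


def rules_that_fire(payload: bytes, patterns=POSTED_PATTERNS, icase: bool = False) -> list:
    """Return every posted pattern that would REJECT this packet."""
    return [p for p in patterns if string_match(payload, p, icase=icase)]


# Constructed request payloads (first TCP segment of each request)
SAMPLES = {
    # a tracker announce from a BitTorrent client: "Bittorrent" and "announce" both fire
    "torrent_announce": (
        b"GET /announce?info_hash=%AA%BB&peer_id=-UT3400-x&port=6881 HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"User-Agent: Bittorrent/7.9.2\r\n\r\n"
    ),
    # same client, lower-case User-Agent and a /scrape URL: nothing fires case-sensitively
    "lowercase_ua": (
        b"GET /scrape?info_hash=%AA%BB HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"User-Agent: bittorrent/7.9.2\r\n\r\n"
    ),
    # an ordinary visitor reading a page whose path happens to contain "announce"
    "legit_announcements": (
        b"GET /news/announcements HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n"
    ),
    # an ordinary visitor arriving from a deviantart.com link
    "legit_referer": (
        b"GET /gallery HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"Referer: https://www.deviantart.com/someone\r\n"
        b"User-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n\r\n"
    ),
}


def collateral_damage(samples=SAMPLES) -> dict:
    """Map each legitimate sample (name starts with 'legit_') to the rules that would drop it."""
    return {name: rules_that_fire(pkt) for name, pkt in samples.items()
            if name.startswith("legit_") and rules_that_fire(pkt)}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22s} -> {rules_that_fire(pkt)}")
    print("case-insensitive:", rules_that_fire(SAMPLES["lowercase_ua"], icase=True))
```

Two things the simulation makes visible: the bare words "announce" and "deviantart" also reject ordinary visitors, and because xt_string works per packet, a header that is split across TCP segments is not seen at all. A rule with `--icase` catches the lower-case User-Agent; `-j REJECT` on a TCP port sends an ICMP port-unreachable unless `--reject-with tcp-reset` is given.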

I wrote a blog post about how to properly tell BitTorrent clients to go away and never come back, similar to what Dan did, but using nginx.

server {
    location /announc {
        access_log off;
        # "off" is not a valid value for error_log (nginx would log to a file named "off"),
        # so discard the errors explicitly
        error_log /dev/null;
        default_type text/plain;
        return 410 "d14:failure reason13:not a tracker8:retry in5:nevere";
    }
}

Torrent trackers (usually) have a standard URL that begins with /announce or /scrape, so I wouldn't dismiss filtering by URL so quickly. It works.

The full post is at - http://dvps.me/ddos-attack-by-torrent
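As an added example that is not the blog post's or the answers' code: a minimal bencode encoder/decoder in Python that reproduces the failure-reason body returned by the nginx snippet above (so the length prefixes are checked rather than counted by hand), together with a detector that picks tracker announce and scrape requests, the URL pattern both the mod_rewrite answer and the nginx one rely on, out of constructed access-log lines. The log lines, addresses and user agents are made up; the dictionary keys follow BEP 3.

```python
# Added example, not code from the blog post: a minimal bencode codec to check
# the failure-reason dictionary the nginx snippet returns, and a detector for
# tracker-style /announce and /scrape requests in access-log lines. The log
# lines are constructed samples in nginx's default "combined" format.
import re
from urllib.parse import parse_qs, urlsplit


def bencode(obj) -> bytes:
    """Encode int / str / bytes / list / dict per BEP 3 (dict keys sorted as bytes)."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def bdecode(data: bytes):
    """Decode one bencoded value; strings and dict keys come back as bytes."""
    value, end = _decode_at(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def _decode_at(data: bytes, i: int):
    c = data[i:i + 1]
    if c == b"i":
        j = data.index(b"e", i)
        return int(data[i + 1:j]), j + 1
    if c == b"l":
        out, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = _decode_at(data, i)
            out.append(v)
        return out, i + 1
    if c == b"d":
        out, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = _decode_at(data, i)
            v, i = _decode_at(data, i)
            out[k] = v
        return out, i + 1
    if c.isdigit():
        j = data.index(b":", i)
        n = int(data[i:j])
        return data[j + 1:j + 1 + n], j + 1 + n
    raise ValueError(f"bad bencode at offset {i}")


def tracker_failure(reason: str) -> bytes:
    """Body a tracker returns to refuse a client (BEP 3 'failure reason'); keys sort as bytes."""
    return bencode({"failure reason": reason, "retry in": "never"})


# BEP 3 announce parameters; a request carrying all of them is a tracker client
ANNOUNCE_KEYS = {"info_hash", "peer_id", "port", "left"}


def looks_like_tracker_request(request_line: str) -> bool:
    """True for '/announce...' requests with the announce keys, or any '/scrape...' request."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    parts = urlsplit(target)
    if parts.path.startswith("/scrape"):
        return True
    if not parts.path.startswith("/announce"):
        return False
    return ANNOUNCE_KEYS <= set(parse_qs(parts.query))


def tracker_clients(log_lines) -> list:
    """Return the client IP of every log line that looks like a tracker request."""
    hits = []
    for line in log_lines:
        m = re.search(r'"([A-Z]+ \S+ HTTP/[0-9.]+)"', line)
        if m and looks_like_tracker_request(m.group(1)):
            hits.append(line.split(" ", 1)[0])
    return hits


SAMPLE_LOG = [  # constructed lines, not from anyone's server
    '203.0.113.7 - - [05/Jan/2015:10:00:01 +0000] "GET /announce?info_hash=%12%34&peer_id=-UT3400-abc&port=6881&uploaded=0&downloaded=0&left=1000 HTTP/1.1" 404 162 "-" "uTorrent/3400"',
    '198.51.100.2 - - [05/Jan/2015:10:00:02 +0000] "GET /news/announcements HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Jan/2015:10:00:03 +0000] "GET /scrape?info_hash=%12%34 HTTP/1.1" 404 162 "-" "Transmission/2.84"',
]

if __name__ == "__main__":
    print(tracker_failure("not a tracker"))
    print(bdecode(tracker_failure("not a tracker")))
    print(tracker_clients(SAMPLE_LOG))
```

Running it prints the same bencoded string the nginx `return 410` line sends, and the detector flags only the two tracker-style lines, not the `/news/announcements` page view; running `tracker_clients` over a real access log is a quick way to confirm the clients have stopped retrying after the 410 goes live.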