Archive for the 'Mongrel' Category

Block Apache users based on their User-Agent

Friday, October 17th, 2008

On one of my servers, I was under some weird "ranking up!" attack, which basically was just a loop of requests to one user's profile (making that user's access count higher, and therefore ranking it higher in the access top).

Here's what my Apache logs were telling me:

218.25.251.170 - - [17/Oct/2008:11:02:26 +0900] "GET /ono/profile HTTP/1.1" 200 2363 "-" "KDDI-KC35 UP.Browser/6.2.0.5 (GUI) MMP/2.0"
218.25.251.170 - - [17/Oct/2008:11:02:30 +0900] "GET /ono/profile HTTP/1.1" 200 2363 "-" "KDDI-KC35 UP.Browser/6.2.0.5 (GUI) MMP/2.0"
218.25.251.170 - - [17/Oct/2008:11:02:34 +0900] "GET /ono/profile HTTP/1.1" 200 2363 "-" "KDDI-KC35 UP.Browser/6.2.0.5 (GUI) MMP/2.0"

So, the flood of accesses was originating from some user who was using a KDDI-flavour browser (a mobile phone browser used on the Japanese operator AU's phones).
Luckily, though we do support mobile browsers to a degree, that's not the main feature of the site, so I decided I could block that specific browser without affecting too many users (if any).
There are actually at least two ways to block a user from visiting your site based on User-Agent. The first is setting a server environment variable and then denying users for which that variable has been set.
For example:
SetEnvIfNoCase User-Agent Mozilla getout
<Directory "/var/www/html/myserver">
Order allow,deny
Allow from all
Deny from env=getout
</Directory>
will deny all users who use Mozilla-based browsers (this includes Safari as well, as it has the "Mozilla" substring in its user agent).
However, with the site in question running on Rails and being served by a Mongrel cluster (via proxy balancer), the directives above didn't work for me somehow.
I had to add the following just below the RewriteEngine On directive to achieve the same blocking effect (now targeted specifically at the offender's browser):
RewriteCond %{HTTP_USER_AGENT} "KDDI\-KC35 UP\.Browser/6\.2\.0\.5" [NC]
RewriteRule ^.*$ - [F,L]
I restarted Apache, and the flood of accesses just stopped. The user started to get access denied errors on his/her site.
Sure, it wouldn't be as easy if you had flood accesses from more popular browsers (I guess in that case you'd have to block by both user agent and, say, the user's subnetwork). But it worked in my limited case. Hopefully it will help somebody else fight flooders as well :)
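As an added example (not code from the original post): a small Python script that finds this kind of flood in a combined-format access log and reports how many other client IPs send the same User-Agent, i.e. who else a User-Agent block would hit. The threshold, the window and the two bystander log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def parse(line):
    """Return (ip, time, path, user_agent), or None for a line that does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ip, ts, path, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, ua

def find_floods(lines, threshold=3, window=timedelta(seconds=60)):
    """Flag (ip, path, ua) triples with >= threshold hits inside one window and
    count how many other client IPs share that User-Agent (block collateral)."""
    hits, ips_by_ua = defaultdict(list), defaultdict(set)
    for ip, when, path, ua in filter(None, map(parse, lines)):
        hits[(ip, path, ua)].append(when)
        ips_by_ua[ua].add(ip)
    floods = []
    for (ip, path, ua), times in hits.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods.append({"ip": ip, "path": path, "ua": ua, "peak": peak,
                           "other_ips_with_ua": len(ips_by_ua[ua] - {ip})})
    return floods

KDDI = "KDDI-KC35 UP.Browser/6.2.0.5 (GUI) MMP/2.0"
# The three log lines from the post, plus two constructed bystander requests.
SAMPLE = [
    f'218.25.251.170 - - [17/Oct/2008:11:02:{s} +0900] "GET /ono/profile HTTP/1.1" 200 2363 "-" "{KDDI}"'
    for s in ("26", "30", "34")
] + [
    f'192.0.2.10 - - [17/Oct/2008:11:02:40 +0900] "GET / HTTP/1.1" 200 512 "-" "{KDDI}"',
    '198.51.100.7 - - [17/Oct/2008:11:02:41 +0900] "GET /login HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_floods(SAMPLE):
        print(f)
```

A non-zero other_ips_with_ua means a block on the User-Agent alone would also deny those clients, which is the case where adding a subnet condition is worth it.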

Hold on with upgrading to ruby 1.8.6-p230!!

Thursday, June 26th, 2008

I started getting weird

(eval):2:in `protect_against_forgery?'

error from one of my Rails2-based systems today. Mongrels were seg-faulting as well. The problem was quite unexpected as I have not touched the code for a while!

Turned out the problem was with the latest upgrade to ruby 1.8.6 patch level 230 (which is recommended by the Ruby on Rails site). And looks like this was the only system re-deployed (and restarted under new ruby version) since I have upgraded.

Now I'm back to p111, "vulnerable", but at least working version until problems sort themselves out.

Until they do, do not upgrade!

UPDATE:

Looks like there is a patch which addresses vulnerabilities which patch 230 addressed in turn. Check here for details. However, I'll just stick here for a couple of days for a real fix from the Ruby team.

Securing your sleep when running Mongrel

Wednesday, January 17th, 2007

Mongrel, which, along with Apache 2.2 & load balancer & mongrel cluster, I run for hosting my Rails site - is a very nice piece of software. But there is a problem. It crashes.

I found out about it the hard way - by a phone call at 0:30 in the morning, saying "the server seems to be down". "Doh", I thought - and got out of my comfy bed. Got to my computer, logged in to the server, restarted the Mongrel cluster and got back to sleep (you can always check the logs later in the morning, right? :)