About three months ago I decided to set up an Ubuntu server complete with mail, web and ftp services. Not for any particular reason other than I just wanted to do it. I managed to get everything up and running so have been looking at some add-ons, one of which is phpbb3. It's up and running and I believed everything was fine until yesterday when suddenly there was a flurry of activity on this otherwise quiet system. Just total nonsense was posted in the single forum from a variety of users (all of whom registered). I nuked the whole lot, locked down the forums a bit more but now continually get access attempts as follows:

Code:
    178.137.165.56 - - [01/Dec/2012:22:21:44 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/phpbb/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
    178.137.165.56 - - [01/Dec/2012:22:21:44 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/phpbb/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
    178.137.165.56 - - [01/Dec/2012:22:21:45 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
    178.137.165.56 - - [01/Dec/2012:22:21:45 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"
    178.137.165.56 - - [01/Dec/2012:22:21:45 -0500] "GET /phpbb/index.php HTTP/1.0" 200 6464 "http://www.mydomain.com/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.3; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; AskTbCFTP2V5/5.14.1.20007)"

I've tried adding that IP address to the PHPBB "IP Ban" list. Tried adding it to an .htaccess file both in the root web directory and in the /usr/share/phpbb3/www directory... that didn't work either. I've even entered the IP address in the "advanced settings" of the router's "Inbound Filter" settings to deny access. Not even that worked. It's like the IP address being reported in the apache2/access.log file isn't accurate. I'm at a total loss...... Help! Au secours!
I added the IP address of the offending site. (I also copied the .htaccess file from /var/www to /usr/share/phpbb3/www so both locations contain the same file.) The .htaccess file is as follows:

Code:
    #GLOBAL BAD BOT EXCLUSION
    # Match "Yandex" anywhere in the User-Agent (the real YandexBot UA starts with
    # "Mozilla/5.0 (compatible; YandexBot/...", so an anchored "^Yandex*" never matches)
    SetEnvIfNoCase User-Agent "Yandex" bad_bot
    <Limit GET POST>
        Order Allow,Deny
        Allow from all
        Deny from env=bad_bot
    </Limit>
    #END GLOBAL BAD BOT EXCLUSION
    #
    #SPECIAL PROVISION TO BLOCK BAIDU-BOT
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} ^Baiduspider [NC]
    RewriteRule .* - [F]
    #END SPECIAL PROVISION TO BLOCK BAIDU-BOT
    #
    #BLOCK SPECIFIC IP ADDRESSES
    # Apache 2.2 syntax: with "Order deny,allow" anything not listed below is allowed
    Order deny,allow
    Deny from 5.9.63.172
    Deny from 37.140.141.15
    Deny from 61.155.106.210
    Deny from 65.55.24.87
    Deny from 65.55.24.215
    Deny from 65.55.24.244
    Deny from 65.55.52.87
    Deny from 66.249.74.221
    Deny from 66.249.75.67
    Deny from 78.158.11.226
    Deny from 87.244.132.228
    Deny from 91.121.169.209
    Deny from 91.205.189.15
    #Baidu Spider start
    Deny from 123.125.71.15
    Deny from 123.125.71.18
    Deny from 123.125.71.35
    Deny from 123.125.71.47
    Deny from 123.125.71.53
    Deny from 123.125.71.69
    #Baidu spider end
    Deny from 149.3.152.246
    Deny from 157.55.35.35
    Deny from 157.56.229.88
    Deny from 168.62.176.62
    Deny from 178.137.89.184
    Deny from 178.137.165.56
    Deny from 178.154.164.251
    Deny from 180.76.5.98
    Deny from 180.76.5.107
    Deny from 180.76.5.177
    Deny from 190.120.231.35
    Deny from 193.43.252.252
    Deny from 210.211.125.10
    Deny from 220.181.51.81
    #

I believe this has worked thus far. What I'm at a real loss to explain is why the router's "inbound filter" and its "DENY" option isn't working. It's like the requests are coming from a different IP address than what Apache is showing in the access.log file.
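One way to spot a burst like the one in the access.log excerpt above and turn it into the kind of "Deny from" list used in the .htaccess, as an added example that is not part of this thread: it parses Apache combined-format lines, counts hits per client IP per minute, and prints Apache 2.2 Deny rules for addresses over a threshold (the sample lines, the 203.0.113.x / 198.51.100.x addresses, example.com and the threshold of 3 are all constructed assumptions).

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Timestamps look like 01/Dec/2012:22:21:44 -0500; %z accepts the -HHMM offset
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def hits_per_ip_per_minute(lines):
    """Count requests per (client IP, minute); unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["ip"], rec["ts"].strftime("%Y-%m-%d %H:%M"))] += 1
    return counts

def deny_rules(counts, threshold):
    """Apache 2.2 'Deny from' lines for every IP that hit the threshold in any single minute."""
    flagged = sorted({ip for (ip, _), n in counts.items() if n >= threshold})
    return ["Deny from %s" % ip for ip in flagged]

def _line(ip, ts, path):
    # Constructed sample line in combined format with a shortened User-Agent.
    return ('%s - - [%s] "GET %s HTTP/1.0" 200 6464 "http://www.example.com/" '
            '"Mozilla/4.0 (compatible; MSIE 8.0)"' % (ip, ts, path))

# Constructed sample: three hits from one address within a second, one from another,
# plus a malformed line to show that garbage in the log does not break the count.
SAMPLE = [
    _line("203.0.113.7", "01/Dec/2012:22:21:44 -0500", "/phpbb/index.php"),
    _line("203.0.113.7", "01/Dec/2012:22:21:44 -0500", "/phpbb/index.php"),
    _line("203.0.113.7", "01/Dec/2012:22:21:45 -0500", "/phpbb/index.php"),
    _line("198.51.100.9", "01/Dec/2012:22:22:10 -0500", "/index.php"),
    "this line is not in combined format",
]

if __name__ == "__main__":
    for rule in deny_rules(hits_per_ip_per_minute(SAMPLE), threshold=3):
        print(rule)
```

The IP column here is the TCP peer Apache saw; if a proxy or the router sat in front of the server, that column would have to be taken from the X-Forwarded-For header instead, which this example does not do.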