OK, I guess this is because autoindex kicks in for the 403, but there needs to be a better way, because to block someone does no good: they will still get 403s and execute PHP each time.
The measure I took was adding a 403.shtml. But I think in general something should be different so it doesn't execute PHP each time there is a 403.
For example, I had this site getting attacked. I noticed a flaw in the way the bots were attacking. They were all hitting site.com//index.php; notice the double slashes. So I made a mod_security rule to block this.
Problem was I still kept on seeing high resource usage from this user, as well as their PHP processes running out.
Anyway, it's a simple fix, just a suggestion. When you add the shtml files, the PHP processes will go way down, as well as server load.
Here is an example of the attack:
210.17.144.130 - - [19/Sep/2007:15:11:05 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
156.34.8.177 - - [19/Sep/2007:15:11:05 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
156.34.8.177 - - [19/Sep/2007:15:11:10 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
210.17.144.130 - - [19/Sep/2007:15:11:10 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
I also noticed that this drove transfer usage up as well. I just now added the shtml file. I will see if it makes a difference as far as that goes.
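One way to measure the pattern described in the post, as an added example that is not part of the original post: it parses Apache combined-format access log lines and reports, per client, how many 403 responses were served for paths starting with `//` and how many bytes those error responses cost. The function name, the threshold and the sample lines (documentation IP ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format:
# host ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample modelled on the lines quoted in the post.
SAMPLE = """\
192.0.2.10 - - [19/Sep/2007:15:11:05 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Sep/2007:15:11:05 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Sep/2007:15:11:10 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0"
192.0.2.10 - - [19/Sep/2007:15:11:10 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Sep/2007:15:11:12 -0400] "GET //index.php HTTP/1.1" 403 381 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Sep/2007:15:11:13 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Sep/2007:15:11:14 -0400] "GET // HTTP/1.1" 403 381 "-" "Mozilla/5.0"
this line is not a valid access log entry
"""


def summarize_double_slash_403(lines, min_hits=2):
    """Return {ip: (hits, bytes_sent)} for clients that received at least
    min_hits 403 responses on request paths beginning with '//'."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        if m["status"] != "403" or not m["path"].startswith("//"):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        stats[m["ip"]][0] += 1
        stats[m["ip"]][1] += size
    return {ip: (h, b) for ip, (h, b) in stats.items() if h >= min_hits}


if __name__ == "__main__":
    report = summarize_double_slash_403(SAMPLE.splitlines())
    for ip, (hits, sent) in sorted(report.items(), key=lambda kv: -kv[1][0]):
        print(f"{ip}: {hits} blocked '//' requests, {sent} bytes of 403 responses")
```

Comparing the byte total before and after switching to a static 403 page shows whether the error document itself was contributing to the transfer usage.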