"deny from <IP>" not working for Lightspeed AWS/Django

Keywords: Django - AWS - How to - Services (Apache, MariaDB, MySQL…)

Description:
https://docs.bitnami.com/aws/infrastructure/django/troubleshooting/deny-connections-bots-apache/

I’m trying to block a specific IP as it’s probing my instance repeatedly. The instructions at the URL above do not seem to work.

The command

Returns “Approach A”.

There are no files being used from this directory /opt/bitnami/apache2/conf/vhosts/ and I’m not using WordPress.

I followed the instructions for Approach B and added `deny from 1.2.3.4` to /opt/bitnami/apps/APPNAME/conf/httpd-app.conf, verified the config with `apachectl -t` and restarted Apache.

I also added the ‘deny from 1.2.3.4’ to

  • /opt/bitnami/apache/conf/bitnami/bitnami.conf
  • /opt/bitnami/apache/conf/bitnami/bitnami-ssl.conf

Verified the config with `apachectl -t` and restarted Apache.

I’m still seeing the offending IP in the error_log. Please advise.

e.g.

[client 1.2.3.4:39180] AH00126: Invalid URI in request 'bin/sh' 'POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1'

[client 1.2.3.4:57910] AH00126: Invalid URI in request 'etc/hosts' 'GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1'
[client 1.2.3.4:36122] AH00126: Invalid URI in request 'etc/passwd' 'POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1'

I’m on AWS Lightspeed with Bitnami Django 3.2.5-8. Thanks!

This is the command that shows which Approach you are using:

test ! -f "/opt/bitnami/common/bin/openssl" && echo "Approach A: Using system packages." || echo "Approach B: Self-contained installation."

Hi @lar-mo

Thanks for using Bitnami Django!

There are no files being used from this directory /opt/bitnami/apache2/conf/vhosts/ and I’m not using WordPress.

I have tried following your steps to reproduce your case. In order to do that, I launched a Bitnami Django 3.2.5-8 instance and used the command you mention to identify the Approach:

$ test ! -f "/opt/bitnami/common/bin/openssl" && echo "Approach A: Using system packages." || echo "Approach B: Self-contained installation."
Approach A: Using system packages.

Right, so it seems that the stack is using Approach A (as expected). Then, the guide mentions the path /opt/bitnami/apache2/conf/vhosts/. This is the path where all Apache Virtual Hosts for applications should be placed. In the case of Django, here is the content of that folder:

$ ls -la /opt/bitnami/apache2/conf/vhosts/
total 24
drwxrwxr-x 3 bitnami root 4096 Jul 22 22:09 .
drwxrwxr-x 6 bitnami root 4096 May  3 17:50 ..
-rw-rw-r-- 1 bitnami root  161 Jul 22 22:09 00_status-vhost.conf
drwxrwxr-x 2 bitnami root 4096 Jan  1  1970 htaccess
-rw-rw-r-- 1 root    root 1060 Jul 22 22:09 sample-https-vhost.conf.disabled
-rw-rw-r-- 1 root    root  894 Jul 22 22:09 sample-vhost.conf.disabled

There are no app-related VirtualHost by default. This is because Django does not come with a default project to be deployed and you need to follow the associated tutorial:

https://docs.bitnami.com/aws/infrastructure/django/get-started/deploy-django-project/

In any case, I have tried adding the changes to the default Apache VirtualHost (in /opt/bitnami/apache2/conf/bitnami/bitnami.conf):

# Default Virtual Host configuration.

# Let Apache know we're behind a SSL reverse proxy
SetEnvIf X-Forwarded-Proto https HTTPS=on

<VirtualHost _default_:80>
  DocumentRoot "/opt/bitnami/apache/htdocs"
  <Directory "/opt/bitnami/apache/htdocs">
+   deny from XX.XX7.X.X3
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html
</VirtualHost>

Include "/opt/bitnami/apache/conf/bitnami/bitnami-ssl.conf"
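
Review bot: the added `deny from` line in the `<Directory "/opt/bitnami/apache/htdocs">` block is a legacy access directive sitting next to the Apache 2.4-style `Require all granted`; the Apache 2.4 documentation discourages mixing the two styles, and `deny from` only works while mod_access_compat is loaded. Consider expressing both rules in the 2.4 style, with `Require all granted` and `Require not ip <address>` together inside a `<RequireAll>` container. The rule is also scoped to this one `<Directory>` in the port 80 virtual host, so the included bitnami-ssl.conf and any application directories would need their own rule to be covered.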

Restarted Apache and, voilà:

[Screenshot 2021-10-19 at 12.41.57]

As this does not seem to be related to the guide itself, but to changes performed in your machine, please create a new issue with type Technical Issue. That way, we can retrieve a report generated by the bndiagnostic-tool and further analyse your issue.

Best regards,
Jose Antonio Carmona


Update: I tested with my own IP and do see that I get the Forbidden Page (403).
However, a different error is generated:

[client 1.2.3.4:60720] AH01797: client denied by server configuration: /opt/bitnami/projects/my_project/djangoProj/wsgi.py

I don’t understand what these messages mean. It would seem these requests are NOT coming through port 80 or 443.

[client 1.2.3.4:41314] AH00126: Invalid URI in request 'bin/sh' 'POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1'
[client 1.2.3.4:56220] AH00126: Invalid URI in request 'etc/hosts' 'GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1'

Perhaps this is an AWS issue not Bitnami.

Thanx!

Looks like this offending IP is well reported

https://www.abuseipdb.com/check/45.146.164.110

Update: I tested with my own IP and do see that I get the Forbidden Page (403).
However, a different error is generated:
[client 1.2.3.4:60720] AH01797: client denied by server configuration: /opt/bitnami/projects/my_project/djangoProj/wsgi.py

That is not an error, but the actual confirmation that Apache is successfully blocking the request from your IP :slightly_smiling_face: . More info on this message here:

https://cwiki.apache.org/confluence/display/HTTPD/ClientDeniedByServerConfiguration

and do see that I get the Forbidden Page (403).

You may not actually see the Forbidden Page due to your browser’s cache. Instead, try to access your site using your console:

$ curl -I https://my-site.com

I don’t understand what these messages mean. It would seem these requests are NOT coming through port 80 or 443.

They are indeed coming from one of those two ports, which by default are the only ones that Apache is set to listen to. The ports you see in the entries are the ones the client has begun the communication from, not the ones it is connected to on the server (in other words, those ports are the ones Apache will be sending your webpage to).

Best regards,
Jose Antonio Carmona


Apologies as I may have confused the issue by including the “client denied by server configuration” error. I’m not so concerned with that as the “deny from x.x.x.x” does work.

It’s these errors that I’m concerned about:

[client 1.2.3.4:41314] AH00126: Invalid URI in request 'bin/sh' 'POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1'
[client 1.2.3.4:56220] AH00126: Invalid URI in request 'etc/hosts' 'GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1'

The point of the article: https://docs.bitnami.com/aws/apps/wordpress/troubleshooting/deny-connections-bots-apache/ – seems to be to ‘deny connections to these attackers’, i.e. bots. Even though the attempts are unsuccessful, presumably the ‘probe’ uses some server resources.

In my case, 45.146.164.110 shows up in my instance’s logs once every day.

Thanks again for checking!

Apologies as I may have confused the issue by including the “client denied by server configuration” error. I’m not so concerned with that as the “deny from x.x.x.x” does work.
It’s these errors that I’m concerned about:

Thanks for the clarification

[client 1.2.3.4:41314] AH00126: Invalid URI in request ‘bin/sh’ ‘POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1’
[client 1.2.3.4:56220] AH00126: Invalid URI in request ‘etc/hosts’ ‘GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1’

Those requests look like the client (which you have even confirmed to be a well-known and reported IP) is trying to do malicious connections against your server, presumably trying to attack it. That said, Apache identified the malicious connections and correctly marked them as errors.

The general action to take against this is to ensure you keep your software up to date and deny repeated connections from those offenders.

The point of the article: https://docs.bitnami.com/aws/apps/wordpress/troubleshooting/deny-connections-bots-apache/ – seems to be to ‘deny connections to these attackers’, i.e. bots. Even though the attempts are unsuccessful, presumably the ‘probe’ uses some server resources.

Yes, the ‘probe’ requests do have a small impact on the server (as it has to tell them apart from the inoffensive ones), but it is minimal. In any case, if you want to go a step further and filter out those requests from even reaching your Apache server, you can also enforce tighter firewall rules on your instance. Although we do not have any guide covering the exact process, we have a similar guide that shows how to access the Firewall interface and list the Inbound rules:

https://docs.bitnami.com/aws/faq/administration/use-firewall/#close-server-ports-and-deny-remote-access

Please take a look at it, I think you may find it handy!

Best regards,
Jose Antonio Carmona
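
One way to triage the `AH00126` and `AH01797` entries discussed in this thread, as an added example that is not part of the original posts: it splits the client address from the client's source port, percent-decodes the rejected request path to show which file the probe was aimed at, and lists the addresses that keep coming back. The function names, the threshold and the sample lines are assumptions made for this example.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the shape of the entries quoted in this thread
# (1.2.3.4 is the thread's placeholder; 198.51.100.7 is a documentation address).
SAMPLE_LOG = """\
[client 1.2.3.4:39180] AH00126: Invalid URI in request 'bin/sh' 'POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1'
[client 1.2.3.4:36122] AH00126: Invalid URI in request 'etc/passwd' 'POST /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1'
[client 1.2.3.4:60720] AH01797: client denied by server configuration: /opt/bitnami/projects/my_project/djangoProj/wsgi.py
[client 198.51.100.7:51000] AH01797: client denied by server configuration: /opt/bitnami/apache/htdocs
"""

# "[client IP:PORT]": PORT is the client's ephemeral source port, not 80/443.
ENTRY = re.compile(r"\[client (?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+)\] (?P<code>AH\d{5}): (?P<msg>.*)")
REQUEST = re.compile(r"'(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+'\s*$")

def parse_entry(line):
    """Return a dict for one error_log line, or None if it has no client/AH code."""
    m = ENTRY.search(line)
    if m is None:
        return None
    entry = {"ip": m["ip"], "client_port": int(m["port"]), "code": m["code"],
             "resolved": None, "traversal": False}
    req = REQUEST.search(m["msg"])
    if req:
        decoded = unquote(req["target"])                 # %2e -> "."
        entry["traversal"] = ".." in decoded.split("/")
        entry["resolved"] = posixpath.normpath(decoded)  # path the probe aims at
    return entry

def summarize(log_text, threshold=2):
    """Tally AH codes per client IP; list IPs with >= threshold AH00126 entries."""
    per_ip = {}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        s = per_ip.setdefault(e["ip"], {"codes": Counter(), "ports": set(), "probed": set()})
        s["codes"][e["code"]] += 1
        s["ports"].add(e["client_port"])
        if e["traversal"]:
            s["probed"].add(e["resolved"])
    repeat = sorted(ip for ip, s in per_ip.items() if s["codes"]["AH00126"] >= threshold)
    return per_ip, repeat

if __name__ == "__main__":
    stats, repeat = summarize(SAMPLE_LOG)
    for ip in repeat:
        print(ip, dict(stats[ip]["codes"]), sorted(stats[ip]["probed"]))
```

Run against a real log by passing the text of the Apache error_log to `summarize`; the regular expression looks for the `[client ...] AHnnnnn:` part anywhere in the line, so the timestamp and module prefixes of a full log entry do not need to be stripped first.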


Thanks for the detailed response! Best~

Glad to see you were able to solve your issue! We are marking the previous answer as “Solution” and this topic as “Closed”.

If you have any other questions, please do not hesitate to let us know. Feel free to create a new topic referencing this one if necessary.

Best regards,
Jose Antonio Carmona
