Apache VirtualHost Blockhole (Eats All Requests on All Ports on an IP)

I’m exhausted. I just spent the last two hours chasing a goose that I have been after on-and-off for the past year. Here is the goal, put as succinctly as possible.

Step 1: HOSTS File:

127.0.0.5 NastyAdServer.com
127.0.0.5 xssServer.com
127.0.0.5 SQLInjector.com
127.0.0.5 PornAds.com
127.0.0.5 OtherBadSites.com
…

Step 2: Apache httpd.conf

<VirtualHost 127.0.0.5:80>
    ServerName BlackHole
    DocumentRoot "X:\Docs\…\BlackHole"
    RewriteEngine On
    RewriteRule (\.(gif|jpg|png|jpeg)$) /p.png [L]
    RewriteRule (.*) /ad.htm [L]
</VirtualHost>

So basically what happens is that the HOSTS file redirects designated domains to the localhost, but to a specific loopback IP address. Apache listens for any requests on this address and serves either a transparent pixel graphic, or else an empty HTML file. Thus, any page or graphic on any of the bad sites is replaced with nothing (in other words an ad/malware/porn/etc. blocker).

This works great as is (and has been for me for years now). The problem is that these bad things are no longer limited to just HTTP traffic. For example:

<script src="http://NastyAdServer.com:99">
or
<iframe src="https://PornAds.com/ad.html">
or a Trojan using
ftp://spammaster.com/id=goodaddr@foo.bar;myemail@baz.com;harvested@email.addr
or an app “phoning home” with private info in a crafted ICMP packet by pinging
CardStealer.ru:99

Handling HTTPS is a relatively minor bump. I can create a separate VirtualHost just like the one above, replacing port 80 with 443, and adding in SSL directives. This leaves the other ports to be dealt with.

I tried using * for the port, but then I get overlap errors. I tried redirecting all request to the HTTPS server and visa-versa but neither worked; either the SSL requests wouldn’t redirect correctly or else the HTTP requests gave the You’re speaking plain HTTP to an SSL-enabled server port… error. Further, I cannot figure out a way to test if other ports are being successfully redirected (I could try using a browser, but what about FTP, ICMP, etc.?)

I realize that I could just use a port-blocker (eg ProtoWall, PeerBlock, etc.), but there’s two issues with that. First, I am blocking domains with this method, not IP addresses, so to use a port-blocker, I would have to get each and every domain’s IP, and update theme frequently. Second, using this method, I can have Apache keep logs of all the ad/malware/spam/etc. requests for future analysis (my current BlackHole logs are already 466MB right now).

I appreciate any help in successfully setting up an Apache VirtualHost blackhole. Thanks.

Best Answer

Interesting solution .. I like it! You should use an address other than localhost, however.

Bind another IP onto the NIC (or use a second NIC) on the box, and setup Apache to listen on that address, for whatever ports you want. Wildcard (*) should work. Then, the only traffic to that address is directed by the HOSTS file "spoof", and that traffic won't interfere with other (legit) services that may access localhost.

Also, you may choose to do this with DNS rather than with the HOSTS file. This is IMHO a better long term solution. Finally, the easiest solution is most likely to block traffic at your firewall to these domains.

UPDATE - based on comments. I suggest that you use TWO different IP addresses, one for HTTP and one for HTTPS. Have each one listen on all ports and direct traffic to the appropriate port. Then, when you add the domain for blocking to the HOSTS file, set it to the SSL/vanilla IP based on the the type of request that triggered the adding of the entry.

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Apache – Serve HTTP and HTTPS on Same VirtualHost

Related Topic