getting a bunch of bogus requests hitting my server.
would like to block any requests that include http:// in it.
example:
domain.com/forum/function/component.php=http://bogusdomain.gov.ve/images/foo.txt
I thought
RewriteRule ^(.*=http://) - [F]
would do it, but it doesn't seem to work.
any suggestions?
If you're worried about such requests you'd better tackle the source of the problem, i.e. turn allow_url_fopen off in PHP etc.
As for the rewrite rule... do other rewriterules work? (i.e. is the engine enabled?) ^.=http://.$ should match I guess, no need for the parentheses since you're not reusing the match
You haven't mentioned an OS, and this isn't what you asked for (a rewriterule) -- but it does block attacks.
I use Fail2Ban to block all kinds of junk on Ubuntu; using the webserver log, the sshd log and others.
An incident = a regexp + a log file.
A rule can say when there are NN incidents in time T add a ban in the firewall for the IP for X minutes. The default is like 10 minutes... which is good if you accidentally ban yourself. If you are not worried about that, it can be set longer.
The nice thing about this approach is that you can ban all traffic from that IP and not just traffic against the web server. Also, instead of getting an indication like REFUSED or FORBIDDEN, the traffic can simply hang and never be delivered or acknowledged.
