An issue with IP/~users bandwidth

hostpc.com

hostpc.com

Verified User
Joined
Aug 2, 2003
Messages
1,054
Location
Schenectady, NY
For the author - John?

*Note: please recognize that i am using domain1.net as an example because he is one of my friends... I am not 'illegally' using his bandwidth*

If I go to www.domain1.net/webmail I can logg in to my email account on domain2.net domain. BUT this webmail bandwidth will be charged to domain1.net.

Another thing... If I do www9.hostpc.com/webmail, there is no bandwidth charge to me, only to www9.hostpc.com... so that is a free way to check webmail...

Minor, right?

Not this way though... Say I host a 20 meg video of a wedding or whatever... I dont want to host on my account because i might go over (ok, i have 8 gig bandwidth, so i wouldn't, but bare with me) If I do link to www9.mywebserver.com/~domain2/directory/video.avi i can stream to everyone i know apparently unnoticed and un bandwidthed... This results from directadmin not knowing who to charge for hte bandwidth...

this bandwidth to www9 is speculation on my part, as I cannot see apache logs for that domain...


However, even worse is me trying to dick over domain1 (or anyone else on the domain).
If I do http://www.domain1.net/~user2/directory/video.avi i am not streaming my video THROUGH domain.net and the BANDWIDTH is charged to his account... of course in the logs it is easy to see that i am doing that, BUT it cause a good deal of confusion...

If direct admin doesn't log bandwidth by directory (which I dont beleive it does, it does by resolution and serving) then the www9.mywebserver.com/~user is a realtively nice hole to eat up free bandwidth...

Do note i have been trying this, so you will see a bunch of ~user calls in the www9 apache logs, but i am not hosting any files that are large than a few k... I was using only for testing my theory... and am not trying to steal your bandwidth... i have plently that goes unused everymonth... Just want to notify you guy because it would help to keep my domain from being outserved by another customer...

I beleive that you can stop this ~user access hole by uncommenting "Userdir public_html" line in the httpd.conf file It is something like that, i dont EXACTly remember since i am not at a comptuer that i can test that on...

this would fix the ~user hole. The /webmail hole though for www9.hostpc.com iam not so sure about... Since www9 is not hosting a webpage, I THINK you could add a /webmail redirect under the public html to redirect to a page that says "blahblhja blah use your own f-ing domain"
Click to expand...

Any thoughts?? This seems pretty "critical" ... any suggestions on patching this "hole" would be appreciated, every MB costs me money in bandwidth.

Thanks for your input.

Joe
 
I noticed this today. I setup an account for a friend that needed to host something and told him to use http://xx.xx.xx.xx/~user. No bandwidth usaged for him yet and 70 some hits to a movie. While its no big deal for me, I can see it being a big problem.
 
Hello,

You can just disable the ~username feature in apache. Just comment out the following lines:
Code: 
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>
There isn't a whole lot that can be done (that I know of) to charge bandwith to a user from ~user. (If someone knows, let me know! :))

John
 
Using the syntax show in the UserDir documentation, you can restrict what users are permitted to use this functionality:

UserDir enabled
UserDir disabled root jro fish

The configuration above will enable the feature for all users except for those listed in the disabled statement. You can, likewise, disable the feature for all but a few users by using a configuration like the following:

UserDir disabled
UserDir enabled rbowen krietz
"

You would want to make the UserDir disable so that noone can use that ~user technique...

this is from http://httpd.apache.org/docs-2.0/howto/public_html.html


I now realize this is an issue in a "few" different cp's - nothing limited to just DA.... but I'd still like to find a complete solution, if one exists. This was posted by my user as an option -

Thanks John for your addressing this issue, if there's anything else that can be done, please let us know.

Joe
 
Yeah, that's a good idea.

Make sure we can enable/disable it on per-user basis then (sometimes it takes longer than 48) :)
 
Perhaps something like this could be added to run at some interval to update the user's usage. Something like this could also be used to rotate the access and or error logs. From what I see you count the bytes transferred in the /var/log/httpd/domains/xxxx.bytes file and use that. This would just update that file based the domainowner. This may not be complete, but it might be a good start.

Code: 
#!/usr/bin/perl

$accesslog="/var/log/httpd/access_log";
$domainown="/etc/virtual/domainowners";
$domainloc="/var/log/httpd/domains";
$domains=();

rotatelog();

# find out who owns what domain
open(INFILE,"<$domainown") || die "Could not open $domainown error $!\n";
while(<INFILE>) {
  chomp;
  ($domain,$owner) = split /:/;
  $domain =~ s/^\s*(.*?)\s*$/$1/;
  $owner =~ s/^\s*(.*?)\s*$/$1/;
  $domains{$owner}=$domain;
}

# open up access log file and start finding tilde access
$accesslog .= ".1";
open(INFILE,"<$accesslog") || die "Could not open $accesslog error $!\n";
while(<INFILE>) {
  chomp;
  $line = $_;
  $line =~ s/.*] "//;
  ($req,$retbytes,$page,$misc,$browser) = split /"/,$line;
  if($req =~ /~/) {
    $req =~ s/.*~//;
    $req =~ s/\/.*//;
    $req =~ s/\s.*//;
    next if(!length($req));
    $retbytes =~ s/^\s*(.*?)\s*$/$1/;
    ($retcode,$bytes) = split / /,$retbytes;
    $domain=$domains{$req};
    if(!length($domain)) {
        $domain="misc";
    }
    open(USERLOG,">>$domainloc/$domain") || die "Could not open $domainloc/$domain for appending error $!\n";
    print USERLOG $_ . "\n";
    close(USERLOG);
    open(USERBYTE,">>$domainloc/$domain.bytes") || die "Could not open $domainloc/$domain.bytes for appending error $!\n";
    print USERBYTE $bytes . "\n";
    close(USERBYTE);
    
  }
}
close(INFILE);

sub rotatelog {
  $i=1;
  $done=false;
  while(!$done) {
    $oldn="$accesslog.".$i;
    if( -f $oldn ) {
      $newn="$acceslog.".$i+1;
      rename $oldn,$newn;
    } else {
      $done=true;
    }
  }
  rename $accesslog, $accesslog.".1";
  @args = ($apachectl,"graceful");
  system(@args) == 0 || print "Error restarting apache\n";
  sleep 60;   # allow current requests to log
}
 
Is there any word on this disabling feature or this adding up bandwith part?

I'd really like to see the latter part which just parses it for actual usage. Then there's no need for disabling this feature...
 
At the momment, that might work well.. *but* you'd have to run it on each and every log.. because there is no reason a user can't go "www.someonesdomain.com/~otheruser" unless we add a new

UserDir /home/username/domains/domain.com/users

Which would disable OTHER system accounts from being accessed from ~user.. AND would enable a new feature :)

Then we could have the *real* ~username only work on the IP (1.2.3.4/~username), which would be logged in the main access_log, which could be parsed for cheaters.

John
 
cant you parse the logs nightly and search for a url request starting with "/~" and then find a user by that name, and give the usage to their main domain? (and take it off the user who is getting abused)
 
Yes, that's the idea. It would just take a fair amount of cpu, but right now it's just a matter of getting to it.

John
 
Yeh, i know how much cpu it would use (and for an extended time).

Just remember to store the last line number parsed so you can jump to it without burning cpu on useless logs...

Another idea, is it possible to get apache to create a single log file for all domains along with every other domain? then you would have just one file to parse every night which you delete after using.
 
I think the best way would be to disable ~user on domain.com/~user and only allow it on 1.2.3.4/~user, so that it would decrease the number and size of logs that would need to be parsed (would only need to parse the main access_log). All ~user for domains would go to somewhere/nowhere in the user's home directory, so it couldn't be abused. It would also guranteed that they wouldn't be billing for someone else's abuse.

John
 
You must log in or register to reply here.
Back
Top