Dealing with abuse from huge range of IPs

[SagaciousKJB]

Well, I messed up configuring a proxy on apache, and now I'm finding myself the target of a lot of nefarious people trying to use it as a proxy to various websites. Thankfully I caught it early, but even though I've completely shut off the proxying aspect of it and have checked thoroughly that I'm no longer compromised, I'm still being targeted like crazy.

I'm not sure what to do about it. So far I've just been gathering the IPs and blocking them, but no matter what I do there are hundreds of new ones each day. I've already gathered up over 2,700 different hosts to block, and it's becoming unmanageable.

I'm considering just taking my apache server off line since all I do is host graphics and a blog off of it, but I don't want to give up.

Does anyone have some advice?

[Feeyo]

Check out what they are targeting exactly. There is a possibility your box is being used as a server hosting underground scene stuff. Keep your bandwidth monitoring up.

If there is a lot of bandwidth activity I would put the server down, reinstall and maybe even use another ip address for your server/domain.

[SagaciousKJB]

Check out what they are targeting exactly. There is a possibility your box is being used as a server hosting underground scene stuff. Keep your bandwidth monitoring up.

If there is a lot of bandwidth activity I would put the server down, reinstall and maybe even use another ip address for your server/domain.

Well they're targeting Apache as a proxy.

You can set Apache up to act as a proxy. I was doing this so I could host using multiple servers and just one site, but the problem is that I misconfigured it, and the proxy became open to everyone, and soon I noticed that there were all sorts of people using it as a proxy to various websites, usually advertising or gambling sites and stuff like that.

So instead of keeping the proxy configured and open since I don't know what it was I did wrong, I shut off the proxy portion of it completely. However, all these people that were trying to use my proxy are now just getting errors because they're still sending requests to the server regardless of whether it's successful.

I kind of wanted to see if there was a way to solve it on the Apache side but I don't really know too much about Apache.

[rcgreen]

Things will probably quiet down now that you are no longer
running the service. Are they using a lot of bandwidth, or filling
the logs with error messages?

[Feeyo]

I agree if they were using your http as proxy it will quiet down after a while.
Look at Varnish this is a really nice project that will get exactly what you want

[System6Hosting]

Check out fail2ban as well. I have it set up so that anyone probing in the wrong place automatically gets a 24 hour ban. It doesn't take long reading the logs to see the links that the bots are probing for.