On Sat, 2011-08-20 at 22:43 -0500, Barry Brimer wrote:
> > When a web site is attacked, so far by unsuccessful hackers, my error
> > routine adds the attackers IP address, prefixed by 'deny', to that web
> > site's .htaccess file. It works and the attacker, on second and
> > subsequent attacks, gets a 403 error response.
> Have you looked at mod_evasive?
> http://www.zdziarski.com/blog/?page_id=442
Thank you for the suggestion. I have just looked at it and see:-
* Requesting the same page more than a few times per second
* Making more than 50 concurrent requests on the same child per second
* Making any requests while temporarily blacklisted ...
My requirement, based on observations, is to instantly cut-off the IP's
access as soon a wrong URL is entered. When a web page error occurs it
is handled by a PHP routine. Two sets of checks show whether it was an
'innocent' mistake or a known hacking attempt. Currently known hacking
attempts are blocked at the web site's .htaccess file.
mod_evasive lacks the ability to compare the erroneous page request and
then take action. Clive's helpful /etc/sudoers suggestion overnight
seems ideal because (if it works for my routine) it will let me block an
IP address at iptables and limit that blocking to a port.
My check list has a 104 'words' which cause an IP address to be blocked.
When my revised system is working satisfactorily with whole server
blocking I will publish the details on the web.
--
With best regards,
Paul.
England,
EU.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
