Re: Centos VPS Kernel 2.6.35.4 & 'string-less' IP tables

Hi Mike,

> Perhaps the most important point here is that the script kiddies and/or 
> bots usually make sure the target string, 'login' in your example is *not* 
> contained within a single packet.  You can verify this with wireshark.  In 
> any case just be aware that your solution will likely not have the desired 
> effect.
> 
> This is a decent read: http://spamcleaner.org/en/misc/w00tw00t.html
> Specifically the Conclusion section near the bottom.

I'm definitely going to try '-m string' providing the service provider
can fix the problem.

I am not, as the article suggested, going to filter on a "28-byte
string".  If I were going to trap the http error 400 event
'w00tw00t.at.ISC.SANS', I would filter on port 80 for 'w00t' or '.at' or
'ISC' or 'SAN' because no web page name contains those strings. Having
control over web pages names brings some benefits :-)

In the current 4,000 to 6,000 daily hits, the lunatic uses

	login.php
	contact.php
	forgotten_password.php

so I will filter port 80 traffic for that web site, now on its own IP,
for

	log
	con
	pas

because no web page name contains any of those 3 byte strings. The
second defence is its own IP Table with 110 IP addresses. The lunatic
has not added any new ones in the last 24 hours.

The longest packet recently rejected was 496 bytes (from another hacker)
and the current lunatic's packets are 60 bytes. Optimistically I have a
reasonable prospect of trapping the above 3 byte strings.

Thank you.

Paul.
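The two points raised in this exchange (the per-packet nature of `-m string`, and the 3-byte strings proposed above) are easy to get wrong, so here is an added example that is not part of the original thread or the CentOS project. It models what a rule such as `iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string "log" -j DROP` actually inspects: the kernel matcher searches each TCP segment's payload on its own, with no stream reassembly, and it searches the whole payload, headers included, not just the request path. The HTTP requests and the `BLOCKED_SOURCES` addresses are constructed for the demonstration; they are not captured traffic or the post's real address table.

```python
"""
Model of what 'iptables -m string' sees: one TCP segment at a time, whole
payload, case-sensitive unless --icase is given. Sample requests below are
constructed for the demonstration, and BLOCKED_SOURCES is an invented
stand-in for the separate address table mentioned in the post.
"""
from typing import Iterable, List, Sequence

# The three byte strings the post proposes to match on port 80.
PATTERNS: Sequence[bytes] = (b"log", b"con", b"pas")

# Assumed addresses (RFC 5737 documentation ranges), not the post's list.
BLOCKED_SOURCES = {"203.0.113.7", "198.51.100.42"}


def packet_matches(payload: bytes, patterns: Sequence[bytes] = PATTERNS,
                   icase: bool = False) -> bool:
    """Per-packet verdict, as '-m string --algo bm --string X' gives it.

    Only this segment's bytes are searched; bytes in neighbouring segments
    are never joined. Case-sensitive unless icase (the --icase option).
    """
    hay = payload.lower() if icase else payload
    pats = [p.lower() for p in patterns] if icase else list(patterns)
    return any(p in hay for p in pats)


def per_packet_verdicts(segments: Iterable[bytes], icase: bool = False) -> List[bool]:
    """One verdict per TCP segment, in the order the kernel would see them."""
    return [packet_matches(s, icase=icase) for s in segments]


def stream_matches(segments: Iterable[bytes], icase: bool = False) -> bool:
    """The reassembled request, i.e. what the web server (not iptables) sees."""
    return packet_matches(b"".join(segments), icase=icase)


def split_at(data: bytes, boundary: int) -> List[bytes]:
    """Cut one request into two segments at a byte offset, simulating a
    sender that deliberately straddles the target string across packets."""
    return [data[:boundary], data[boundary:]]


def should_drop(src: str, segment: bytes) -> bool:
    """Combined policy from the post: address table first, then string match."""
    return src in BLOCKED_SOURCES or packet_matches(segment)


# Constructed sample requests, roughly the 60-byte size mentioned in the post.
LOGIN_REQ = b"GET /login.php HTTP/1.0\r\nHost: www.example.invalid\r\n\r\n"
FAVICON_REQ = b"GET /favicon.ico HTTP/1.0\r\nHost: www.example.invalid\r\n\r\n"
INDEX_REQ = (b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n"
             b"Connection: close\r\n\r\n")


if __name__ == "__main__":
    # Whole request in one segment: 'log' is found.
    print("login, one packet     :", per_packet_verdicts([LOGIN_REQ]))
    # Straddle 'log' across two segments: b"GET /lo" | b"gin.php ..."
    halves = split_at(LOGIN_REQ, 7)
    print("login, split in two   :", per_packet_verdicts(halves),
          "reassembled:", stream_matches(halves))
    # Whole-payload search: a harmless request for favicon.ico hits 'con'.
    print("favicon.ico           :", per_packet_verdicts([FAVICON_REQ]))
    # Case sensitivity: 'Connection:' only matches 'con' with --icase.
    print("index, case-sensitive :", per_packet_verdicts([INDEX_REQ]))
    print("index, --icase        :", per_packet_verdicts([INDEX_REQ], icase=True))
    # The address table still catches the split request from a listed source.
    print("listed source, split  :", should_drop("203.0.113.7", halves[0]))
```

Running it shows the two behaviours worth checking before relying on the rule: a request cut at the wrong byte passes every per-packet check while the reassembled stream still contains `login.php`, and a legitimate `GET /favicon.ico` is dropped because `favicon` contains `con`. The address-table rule is what still fires on the split request, which is why it is worth keeping as the first match rather than the fallback.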


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos