Re: Filtering bad http requests

Hi there,

On Fri, 18 Jan 2008, Mike Leahy wrote:

> I'm wondering if anyone knows of a simple way to filter out bad HTTP
> requests being sent to my server.

I don't think it's simple.  There are many sneaky exploiters Out
There.  We use scripts which tail the Apache logs (via syslog-ng)
looking for suspicious activity.  The definition of 'suspicious' is
wide, fluid and contained in a database which also records actions
taken by the scripts.  We only use iptables at the back end of this
system; the parameters for blocking are controlled by the scripts.

> I've iptables setup to do this sort of thing with brute force ssh
> login attempts.

I wonder if there's a need to accept ssh connections at all from most
of the IPs that you see attacking you; my boxes accept ssh connections
permanently from only two or three known IPs.  We see no brute force
attacks whatever, as an IP just can't connect if it isn't known to us.
We implemented a form of port knocking for mobile users.

--

73,
Ged.
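
A minimal sketch of the arrangement described in the message above (log-scanning scripts driven by a rule database, with iptables only as the back end), added here as an example and not the poster's own scripts. The table layout, rule patterns, thresholds and log lines are constructed assumptions; the function returns the block commands instead of running them.

```python
import ipaddress
import re
import sqlite3

# Constructed sample lines in Apache log format (documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jan/2008:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [18/Jan/2008:10:00:02 +0000] "GET /phpmyadmin/setup.php HTTP/1.0" 404 208',
    '198.51.100.9 - - [18/Jan/2008:10:00:03 +0000] "GET /pma/setup.php HTTP/1.0" 404 208',
    '192.0.2.44 - - [18/Jan/2008:10:00:04 +0000] "GET /a/../../etc/passwd HTTP/1.0" 400 226',
    'bad;host - - [18/Jan/2008:10:00:05 +0000] "GET /a/../../etc/passwd HTTP/1.0" 400 226',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')

def open_db():
    """In-memory database holding the rule definitions and the action log."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rules (name TEXT, pattern TEXT, threshold INTEGER)")
    db.execute("CREATE TABLE actions (ip TEXT PRIMARY KEY, rule TEXT, command TEXT)")
    db.executemany("INSERT INTO rules VALUES (?, ?, ?)", [
        ("admin-probe", r"/(phpmyadmin|pma)/", 2),  # hypothetical rule: block after 2 hits
        ("traversal", r"\.\./", 1),                  # hypothetical rule: block on first hit
    ])
    return db

def scan(lines, db):
    """Return the iptables commands for IPs that crossed a rule threshold."""
    rules = [(n, re.compile(p, re.I), t) for n, p, t in db.execute("SELECT * FROM rules")]
    hits, commands = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:  # never pass an unvalidated log field into a firewall command
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
        for name, rx, threshold in rules:
            if not rx.search(m.group(2)):
                continue
            hits[ip, name] = hits.get((ip, name), 0) + 1
            blocked = db.execute("SELECT 1 FROM actions WHERE ip = ?", (ip,)).fetchone()
            if hits[ip, name] >= threshold and not blocked:
                cmd = f"iptables -I INPUT -s {ip} -j DROP"
                db.execute("INSERT INTO actions VALUES (?, ?, ?)", (ip, name, cmd))
                commands.append(cmd)
    return commands
```

In a live setup the lines would come from the tailed log stream, and the `actions` table doubles as the audit trail of what was blocked and why.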