If you're trying to protect a web server, DDoS Deflate can be useful - and is pretty easy to modify: http://deflate.medialayer.com/old/. It's based on using netstat to see if you've got excessive connections from an IP.

On the other hand I've got a Denyhosts setup where an ftp and web server that require login have a custom script handling the attempts which writes to a log in the format Denyhosts expects. Then Denyhosts places IPs for too many bad attempts in hosts.deny - which the login script checks too, and just fails you if your IP is in there. A bit Rube Goldberg, but it makes dictionary attacks - or even much guessing - almost impossible.

Whit

On Sat, Aug 18, 2007 at 09:19:01AM +1200, Jim Cheetham wrote:
> On 18/08/07, David Liontooth <[EMAIL PROTECTED]> wrote:
> > Do people have experience blocking other ports than ssh?
>
> Denyhosts isn't blocking the port, it's blocking individual source IPs
> from the application ...
>
> If you have an application that can tell you if some activity is
> unwanted (e.g. your web server is logging attack traffic like GET
> requests to "../cmd.exe"), I'd guess that it would be possible to ask
> Denyhosts to look at those log patterns and react to them.
>
> The reaction itself would have to be different than just using
> tcpwrappers, I don't think most Apaches pay attention to tcpwrappers
> info, but you could throw a custom rule into your firewall easily
> enough ...
>
> -jim

_______________________________________________
Denyhosts-user mailing list
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
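The login-script side of the setup Whit describes, as an added example in Python (not code from the post or from DenyHosts): one function renders a failed attempt in the sshd-style line DenyHosts' default parser recognises, the other performs the hosts.deny check the login script does before accepting credentials. The service name ftpd, the exact log shape and the sample hosts.deny contents are assumptions.

```python
# Added example (not from the list post or DenyHosts): the login-script side of
# the setup above. Assumed: service name "ftpd", sshd-style log shape, sample file.
import ipaddress
import re
import time

SERVICE = "ftpd"  # assumed daemon name used in the log line and in hosts.deny

# Constructed sample hosts.deny: DenyHosts-style entries plus a hand-written range.
SAMPLE_HOSTS_DENY = """\
# DenyHosts: Sat Aug 18 10:00:00 2007 | ftpd: 203.0.113.7
ftpd: 203.0.113.7
sshd: 198.51.100.4
ALL: 192.0.2.0/255.255.255.0
"""

def failed_login_line(user, ip, valid_user=False, port=0, host="box", pid=4242, now=None):
    """Format a failed attempt the way sshd logs it, the shape DenyHosts' default
    parser recognises (an assumption for a custom service); unknown accounts get
    the "invalid user" marker that DenyHosts counts separately."""
    ts = time.strftime("%b %d %H:%M:%S", time.gmtime(now))
    who = user if valid_user else "invalid user " + user
    return f"{ts} {host} {SERVICE}[{pid}]: Failed password for {who} from {ip} port {port}"

def _client_matches(client, addr, ip):
    """tcpwrappers client patterns: ALL, exact address, trailing-dot prefix, net/mask."""
    if client in ("ALL", ip) or (client.endswith(".") and ip.startswith(client)):
        return True
    if "/" in client:
        try:
            return addr in ipaddress.ip_network(client, strict=False)
        except ValueError:
            return False
    return False

def is_denied(ip, hosts_deny_text=SAMPLE_HOSTS_DENY, service=SERVICE):
    """True if hosts.deny lists `ip` for `service` or ALL (IPv4, EXCEPT not handled)."""
    addr = ipaddress.ip_address(ip)
    for raw in hosts_deny_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. DenyHosts' markers
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        if not {"ALL", service} & set(re.split(r"[,\s]+", daemons.strip())):
            continue
        if any(_client_matches(c, addr, ip) for c in re.split(r"[,\s]+", clients.strip())):
            return True
    return False
```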
