This is a little off the topic of Apache module
development, but it's perhaps a better solution to
the problem the questioner posed than using an
Apache module.
> what i'm doing right now is: using the error log pipe
> to check for suspicious errors. if enough errors
> happened i call iptables -A INPUT -s 'IP' -j DROP.
>
> for me doing all checks with an apache module seems to
> be more 'cleaner'.
I'm doing the exact same thing and it's "cleaner" that
way in one important sense. What I found is that the
people attacking http also attack, often as a dictionary
attack, pop3, imap, ssh, and ftp. They will use pop3 to
test a user name and password which they will then use to
log in via ssh or ftp. I use the exact same code to monitor
the error logs for each service, with just a couple of
variables changed to monitor the service. Using the same
code for all five daemons is cleaner than writing one
module for Apache, a very different one for ssh, another
that's quite different for pop3, then one for imap, and
yet more completely different code to integrate with the
ftp server.
Totally off the topic of Apache, I also noticed something
about the iptables statement you're using. You said you're
using:
iptables -A INPUT -s 'IP' -j DROP
That's fine as long as there are only a couple of IPs,
but we often see a distributed brute attack using 1,500
proxies or more, as that's easy to do using freely available
software these days. Each packet only carries less than 1.5k
on most servers, so a busy server moves a lot of packets in
a short time and checking each packet against a list of 1,500
IPs is a big waste of overhead. Instead, we only check the
FIRST packet of each new connection, using code like the following.
In the input chain, a single check gives us the first packet
of each connection, which we send on to be checked against
the large list of IPs:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- OurAdminIP 0.0.0.0/0 tcp
sshd_brute all -- 0.0.0.0/0 0.0.0.0/0 state NEW
Then we add IPs to the sshd_brute chain using:
# list form of system(): no shell is involved, so $ip is passed as one argument
system($iptables, '-A', 'sshd_brute', '-s', $ip, '-j', 'DROP');
We're in the business of detecting and stopping brute
force and dictionary attacks, so we've spent some time
trying to get this right. You may certainly have some
good ideas we haven't thought of, though.
--
Ray B. Morris
On 06/05/2008 09:38:17 AM, living liquid | Christian Meisinger wrote:
> > What you've got looks more complex than it should be (but I'm
> > not spending the time to go through it in detail).
> >
> > 1. That's not a filter in Apache terminology.
> > 2. You're basically doing the same as mod_access/mod_authz_host
> > but using a different lookup.
> > 3. mod_rewrite can already do what you're looking for.
> > If you want to drive it from SQL, you can use
> > RewriteMap "dbd:your-SQL-query"
> >
>
> what i'm doing right now is: using the error log pipe to check
> for suspicious errors.
> if enough errors happened i call
> iptables -A INPUT -s 'IP' -j DROP.
>
> for me doing all checks with an apache module seems to be more
> 'cleaner'.
>
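As an added illustration of the approach Ray describes (one log monitor shared by all daemons, a `state NEW` rule in INPUT that hands only the first packet of each connection to a dedicated chain, and per-IP DROP rules appended to that chain), the following Python is example code written for this page, not code from either poster. The log formats, the regexes, the `/sbin/iptables` path, the threshold and the window are assumptions; the sample log lines are constructed. It generalises the post slightly by counting failures per source IP across all services together, which matches Ray's observation that the same hosts probe pop3, ssh, ftp and http in turn. Commands are built as argv lists and only executed when `dry_run` is False, so the logic can be exercised offline.

```python
"""Shared log-pipe brute-force blocker (added example, not the posters' code).

Each service differs only by the regex that extracts the client IP from a
failed-login line. Failures are counted per IP inside a sliding window and,
once an IP crosses the threshold, a single iptables command appends it to the
dedicated chain. INPUT inspects only NEW connections, so established flows
never traverse the large list.
"""
import re
import subprocess
from collections import defaultdict, deque

IPTABLES = "/sbin/iptables"   # assumed path
CHAIN = "sshd_brute"          # chain name taken from the post

# One regex per daemon: the "couple of variables" that change between services.
# The formats are assumptions modelled on common 2008-era log lines.
SERVICE_PATTERNS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port"),
    "apache": re.compile(r"\[error\] \[client (\S+)\] user \S+: authentication failure"),
    "pop3": re.compile(r"pop3-login: .*auth failed.* rip=(\S+),"),
}


def setup_commands(chain=CHAIN):
    """Rules run once: create the chain and send only first packets to it."""
    return [
        [IPTABLES, "-N", chain],
        [IPTABLES, "-A", "INPUT", "-m", "state", "--state", "NEW", "-j", chain],
    ]


def drop_command(ip, chain=CHAIN):
    """Per-IP rule appended to the chain, equivalent to the Perl system() call."""
    return [IPTABLES, "-A", chain, "-s", ip, "-j", "DROP"]


class FailureTracker:
    def __init__(self, threshold=5, window=600):
        self.threshold = threshold      # failures needed before blocking
        self.window = window            # seconds over which failures count
        self.hits = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = set()            # IPs already appended to the chain

    def record(self, ip, now):
        """Return True exactly once, when ip first crosses the threshold."""
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside window
            q.popleft()
        if len(q) >= self.threshold and ip not in self.blocked:
            self.blocked.add(ip)
            return True
        return False


def process_line(line, tracker, now, dry_run=True):
    """Match one log line against every service; return the drop command issued, or None."""
    for name, pattern in SERVICE_PATTERNS.items():
        m = pattern.search(line)
        if not m:
            continue
        ip = m.group(1)
        if tracker.record(ip, now):
            cmd = drop_command(ip)
            if not dry_run:
                subprocess.run(cmd, check=True)
            return cmd
        return None
    return None


# Constructed sample: (seconds since start, log line).
SAMPLE_LINES = [
    (0, "Jun  5 09:38:00 host sshd[1001]: Failed password for root from 192.0.2.5 port 51000 ssh2"),
    (10, "Jun  5 09:38:10 host sshd[1002]: Failed password for root from 192.0.2.5 port 51001 ssh2"),
    (20, "Jun  5 09:38:20 host sshd[1003]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2"),
    (25, "Jun  5 09:38:25 host dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<admin>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.1"),
    (30, "[Thu Jun 05 09:38:30 2008] [error] [client 198.51.100.9] user bob: authentication failure for \"/admin\": Password Mismatch"),
    (35, "Jun  5 09:38:35 host sshd[1004]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2"),
    (40, "Jun  5 09:38:40 host sshd[1005]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2"),
    (700, "Jun  5 09:49:40 host sshd[1006]: Failed password for root from 192.0.2.5 port 51002 ssh2"),
]


def run_sample(threshold=3, window=600):
    """Feed the constructed lines through the tracker; return the commands that would run."""
    tracker = FailureTracker(threshold, window)
    issued = []
    for t, line in SAMPLE_LINES:
        cmd = process_line(line, tracker, t)
        if cmd:
            issued.append(cmd)
    return issued


if __name__ == "__main__":
    for cmd in setup_commands() + run_sample():
        print(" ".join(cmd))
```

With the sample above, 203.0.113.7 is blocked on its third failure (two ssh, one pop3), 198.51.100.9 never reaches the threshold, and 192.0.2.5's late failure at 700 s does not count with the two that have already aged out of the window; the already-blocked IP produces no duplicate rule. The INPUT rule uses `-m state --state NEW` to match the chain listing in the post; on current kernels `-m conntrack --ctstate NEW` is the equivalent.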