On Wed, Mar 19, 2003 at 07:55:05AM -0500, Dave [Hawk-Systems] wrote:
> Had a situation with a user trying to gain access to an htaccess protected
> directory.
>
> [Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user cobras not found:
> /members/members.htm
> [Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user loredana not
> found: /members/members.htm
> [Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user steve not found:
> /members/members.htm
> [Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user e not found:
> /members/members.htm
> [Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user horno not found:
> /members/members.htm
> ...
>
> This user will never gain access to the directory using this method just given
> the password and userid scheme that this hosting client is using. The fact that
> this schmuck bangs away for hours (as have others over the past 6 months) is
> annoying though.
>
> Is there a port or methodology to parse for such action and ban the IP address
> from making further attempts for X hours (all automated of course).

Oh, I like such tasks. :) I have a situation almost like this with an ICQ rotor. I used a timeout which was defined experimentally.
In this case it will be reasonable to use scoring for each IP. As a variant you may look at intervals, like score_delta = weight/interval, and sum score_delta by IP. To treat the situation in this letter, simply populate groups (only one IP in a whole group) with requests whose time distance to the nearest (by time) request in the group is lower than some boundary. Then calculate the count and the total interval in which the group is placed: score = weight*group_count/group_time, or set a boundary on the count of requests per group. The ones which have the biggest score will be the unwanted IPs.

For parsing I'll recommend Perl.

--
With best wishes
Nikolay
mail: [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
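
The group scoring described in the reply above, as an added Python example that is not part of the original thread (the reply itself suggests Perl): it groups each IP's failed logins by time distance and applies score = weight*group_count/group_time. The names `boundary`, `weight`, `min_count`, the 1-second floor on group_time, the 0.5 threshold and the sample log lines are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the failed-login error_log lines quoted in the message above.
LINE_RE = re.compile(r"^\[([^\]]+)\] \[error\] \[client ([0-9.]+)\] user \S+ not found")

def parse(lines):
    """Yield (ip, timestamp) per failed-login line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")

def score_ips(events, boundary=60, weight=1.0, min_count=3):
    """Best per-IP score, where score = weight * group_count / group_time."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    scores = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, start, prev, count = 0.0, stamps[0], stamps[0], 0
        for ts in stamps + [None]:              # None flushes the final group
            if ts is None or (ts - prev).total_seconds() > boundary:
                # Assumption: floor group_time at 1 s so a same-second burst
                # (as in the quoted log) does not divide by zero.
                span = max((prev - start).total_seconds(), 1.0)
                if count >= min_count:          # ignore a few stray typos
                    best = max(best, weight * count / span)
                start, count = ts, 0
            if ts is not None:
                prev, count = ts, count + 1
        scores[ip] = best
    return scores

def offenders(scores, threshold=0.5):
    """IPs whose best group score reaches the threshold, i.e. ban candidates."""
    return sorted(ip for ip, s in scores.items() if s >= threshold)

# Constructed sample lines (documentation addresses), same format as the quoted log.
SAMPLE = (
    [f"[Sun Feb 23 06:31:0{i} 2003] [error] [client 192.0.2.10] user u{i} not found: /members/members.htm" for i in range(5)]
    + ["[Sun Feb 23 06:40:00 2003] [error] [client 203.0.113.5] user x not found: /members/members.htm"] * 4
    + ["[Sun Feb 23 07:00:00 2003] [error] [client 198.51.100.7] user bob not found: /members/members.htm",
       "[Sun Feb 23 07:10:00 2003] [error] [client 198.51.100.7] user bob not found: /members/members.htm",
       "[Sun Feb 23 07:11:00 2003] [error] [client 198.51.100.7] File does not exist: /favicon.ico"]
)

if __name__ == "__main__":
    print(offenders(score_ips(parse(SAMPLE))))
```

Without the `min_count` floor a single mistyped login would score 1.0 on its own, which is why the reply's alternative of a per-group request count is combined with the rate here.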
