There is a website protected by pf and running Apache on a recent
OpenBSD snapshot that needs to be protected against scripting attacks. I
can configure both pf and Apache to help block this behavior but am not
familiar with the best practices for such configurations.

The situation is that a user who authenticates to Apache via htpasswd
has run a script a number of times in an attempt to mine a database. All
of the user activity is already logged by Apache and it is crystal clear
that scripting is going on. I would like to stop this scripting in its
tracks, and here is what I am already looking at:

- pf: use max-src-X to stop this behavior and log it at the firewall
- Apache: less clear on what tools are best, possibly mod_security stuff

The sort of behavior that suggests scripting is more than ~20 HTTP
requests in 120 seconds, in this case all from one IP and using a single
Apache/htpasswd username.

I'm looking for some guidance both on which dials to set and where to
set them. I am already aware of the max-src settings but do not know
which ones would be best to set here, or a prescription for finding the
right numbers to dial in. With Apache I am much more clueless and
believe that the trouble behavior being limited to a single Apache user
might be helpful in terms of countermeasures.
cheers,
jake
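As an added example that is not part of jake's post: a POSIX shell script that applies the post's own threshold (more than 20 requests in 120 seconds from one htpasswd user at one IP) to an Apache common-format access log, which is where the per-user view lives, since pf's max-src state options count TCP connections rather than authenticated HTTP requests. The sample log lines, user names and addresses are constructed; the script assumes the log is in time order for each client.

```shell
#!/bin/sh
# Added example (not from the thread): flag htpasswd-user/IP pairs in an Apache
# common-format access log that exceed MAX requests inside any WIN-second span.
# Usage: detect_bursts MAX WIN < access_log   (log in time order per client)

detect_bursts() {
    awk -v max="$1" -v win="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        # days elapsed before the first day of each month (non-leap year)
        split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
    }
    # "[10/Oct/2000:13:55:36" -> seconds on a monotonic scale (leap years handled)
    function to_sec(stamp,    d, y, mo, days) {
        sub(/^\[/, "", stamp)
        split(stamp, d, /[\/:]/)     # d: day, Mon, year, hh, mm, ss
        y = d[3]; mo = mon[d[2]]
        days = y * 365 + int(y / 4) - int(y / 100) + int(y / 400) + cum[mo] + d[1]
        if (mo <= 2 && y % 4 == 0 && (y % 100 != 0 || y % 400 == 0)) days--
        return days * 86400 + d[4] * 3600 + d[5] * 60 + d[6]
    }
    {
        key = $3 "@" $1              # authenticated user @ client address
        t = to_sec($4)
        n[key]++; at[key, n[key]] = t
        if (!(key in head)) head[key] = 1
        # drop requests that fell out of the trailing window
        while (t - at[key, head[key]] > win) head[key]++
        cnt = n[key] - head[key] + 1
        if (cnt > max && !(key in flagged)) {
            flagged[key] = 1
            printf "%s %d requests within %ds, crossed at %s\n", key, cnt, win, substr($4, 2)
        }
    }'
}

# Constructed sample: 25 requests in 25 s from one htpasswd user, plus a normal user.
make_sample_log() {
    i=10
    while [ "$i" -le 34 ]; do
        printf '198.51.100.7 - scripter [10/Oct/2000:13:55:%02d -0700] "GET /db/query?id=%d HTTP/1.1" 200 512\n' "$i" "$i"
        i=$((i + 1))
    done
    printf '203.0.113.5 - alice [10/Oct/2000:13:55:11 -0700] "GET /index.html HTTP/1.1" 200 1024\n'
    printf '203.0.113.5 - alice [10/Oct/2000:13:57:40 -0700] "GET /about.html HTTP/1.1" 200 800\n'
}

make_sample_log | detect_bursts 20 120
```

Feed it `/var/www/logs/access_log` (or wherever your Apache writes) with the same two numbers to see which user/IP pairs would trip the threshold before committing to a pf or Apache limit.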