On Mon, Feb 01, 2010 at 09:10:31AM -0600, Chris Bennett wrote:
> Jacob Yocom-Piatt wrote:
> >there is a website protected by pf and running apache on a recent
> >openbsd snapshot that needs to be protected against scripting
> >attacks. i can configure both pf and apache to help block this
> >behavior but am not familiar with the best practices for such
> >configurations.
> >
> >the situation is that a user who authenticates to apache via
> >htpasswd has run a script a number of times in an attempt to mine
> >a database. all of the user activity is already logged by apache
> >and it is crystal clear that scripting is going on. i would like
> >to stop this scripting in its tracks and here is what i am already
> >looking at:
> >
> >- pf - use max-src-X to stop this behavior and log it at the firewall
> >
> >- apache - less clear on what tools are best, possibly mod_security stuff
> >
> >the sort of behavior that suggests scripting is more than ~20 http
> >requests in 120 seconds, in this case all from one ip and using a
> >single apache/htpasswd username.
> >
> >i'm looking for some guidance both on which dials to set and where
> >to set them. i am already aware of the max-src settings but do not
> >know which ones would be best to set here or a prescription for
> >finding the right numbers to dial in. with apache i am much more
> >clueless and believe that the trouble behavior being limited to a
> >single apache user might be helpful in terms of countermeasures.
> >
> >cheers,
> >jake
> >
> Some more details would be helpful.
> Is this a user who otherwise has a right to access other stuff?
> If not, just block that IP address completely with pf.
> I have a table in pf called badhosts.
> I have a script that scans error_log for certain bad behaviors and
> adds those IPs to badhosts table.
> Just scan for these things in access_log and/or error_log and block
> any address that shows up.
> 
> If this user is allowed, but just behaving badly, that is a little
> harder to fix.

Well, I can only really see one of two ways that this can go, regarding
the business side of things:

1) either the OP runs the server on his own basis, in which case he
   can remove the user at his own discretion, or

2) the user is subject to some sort of usage agreement which includes
   some sort of "don't hax our shitz" clause, for which that account
   can be suspended with cause

Either way, what are you doing allowing someone you *know* is trying
to break into your system to have access there? The user is also
potentially committing a crime, depending on the various jurisdictions
involved.
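
The detection the thread describes (more than ~20 requests in 120 seconds from one IP under one htpasswd username, with offending addresses fed into a pf table called badhosts) can be done directly from Apache's access_log. The following is an added example written for this thread, not code from any of the posters: it parses constructed combined-format log lines, keeps a 120-second sliding window per (client IP, authenticated user), and emits the `pfctl -t badhosts -T add` commands for any pair that exceeds the threshold. The table name and the limits come from the thread; the sample log lines and the function names are this example's own, and the script only prints the commands rather than running them.

```python
"""Flag burst scripting against an htpasswd-protected Apache site.

Added example for this thread (not any poster's code). Reads Apache
combined-format access_log lines, counts requests per (client IP,
authenticated user) in a sliding window, and reports pairs that exceed
the limit together with the pfctl command that would add the IP to the
pf table <badhosts>. Thresholds default to the OP's 20 requests / 120 s.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log format. Groups: 1 client IP, 2 htpasswd user
# ("-" when unauthenticated), 3 timestamp, 4 request line, 5 status, 6 size.
LOG_RE = re.compile(
    r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)'
)
# Apache's default timestamp, e.g. 01/Feb/2010:09:10:31 -0600
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, user, timestamp) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, ts = m.group(1), m.group(2), m.group(3)
    return ip, user, datetime.strptime(ts, TIME_FMT)


def find_scripters(lines, limit=20, window=120):
    """Return {(ip, user): peak_count} for every pair that made more than
    `limit` requests inside any `window`-second span. Lines are assumed to
    be in log order, as they are in access_log."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps still in window
    offenders = {}
    span = timedelta(seconds=window)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip malformed or non-combined lines
        ip, user, ts = parsed
        key = (ip, user)
        q = recent[key]
        q.append(ts)
        # Slide the window: drop requests older than `window` seconds.
        while ts - q[0] > span:
            q.popleft()
        if len(q) > limit:
            offenders[key] = max(offenders.get(key, 0), len(q))
    return offenders


def pfctl_commands(offenders, table="badhosts"):
    """One `pfctl -t <table> -T add <ip>` per offending client IP."""
    ips = sorted({ip for ip, _user in offenders})
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


# --- constructed sample log (not real traffic) -----------------------------
_TZ = timezone(timedelta(hours=-6))
_T0 = datetime(2010, 2, 1, 9, 10, 31, tzinfo=_TZ)


def _log_line(ip, user, ts, path):
    return (f'{ip} - {user} [{ts.strftime(TIME_FMT)}] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "python-urllib/2.6"')


# 25 requests in 96 seconds from one IP and one user: the scripting pattern.
SAMPLE_LOG = [
    _log_line("192.0.2.10", "jake", _T0 + timedelta(seconds=4 * i),
              f"/db/record?id={i}")
    for i in range(25)
]
# 5 requests spread over 4 minutes from another user: normal browsing.
SAMPLE_LOG += [
    _log_line("198.51.100.7", "alice", _T0 + timedelta(seconds=60 * i),
              "/db/search")
    for i in range(5)
]

if __name__ == "__main__":
    hits = find_scripters(SAMPLE_LOG)
    for (ip, user), peak in hits.items():
        print(f"{ip} as {user}: {peak} requests inside 120 s")
    for cmd in pfctl_commands(hits):
        print(cmd)
```

Two caveats apply when moving this to pf's own counters. `max-src-conn-rate 20/120` with `overload <badhosts>` in a `keep state` rule counts new TCP connections, not HTTP requests, so a client reusing a keep-alive connection can make many requests per counted connection; and blocking by IP alone hits everyone behind a shared NAT address, whereas the log-based check above keys on the username as well, which is the detail the OP has that pf does not see.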
