I use the default rules (running on a RedHat 5, OS and Apache have
been hardened) and average about 5-10 active responses per day.  The
only non-standard setting currently used is that I've increased
the timeout from 10 minutes to 90 minutes for any triggered active
responses.  BTW, OSSEC (active response) has stopped several DoS
against the server.

Aaron

On Wed, Oct 13, 2010 at 1:21 PM, Toby <[email protected]> wrote:
> I'd like to get some input about if any of you use Active Response on
> a public facing web server. If so, then do you tweak the rules, or use
> the default settings? In particular, I have two concerns:
>
> 1. One malicious person or bot behind a NAT could make my web server
> unavailable to everyone else behind the same NAT.
>
> 2. With IP spoofing, a DoS method could be to programmatically attack
> the web server while spoofing perhaps hundreds of thousands of IP
> addresses. Since my web site is specific to my county, it would not be
> difficult for an attacker to limit his spoofs to the IP ranges owned
> by the two most prominent ISPs in the area.
>
> Thanks,
> Toby
