Any modsecurity gurus on the list? I run many moinmoin wikis on my underpowered virtual server. Lately, I have seen the load average climb towards 80 (!) when the bots are attacking. 95% of the attempts are associated with html GET and POST requests for three actions: "phpMyAdmin" (which I don't run), newaccount, and login.
It looks like modsecurity for apache is the right way to process these, but I don't have much time to learn about it. I've found some old howtos. They don't tell me how to do what I want, which is more than just make a decision to proceed based on a single isolated request.

What I think I want to do is append the offending IP addresses into /etc/hosts.deny, like I do with denyhosts for sshd. hosts.deny is light-weight compared to firing up apache and moinmoin for each query.

Perhaps I can detect the above three text patterns, with some kind of rate limit. Say 3 attempts from a given IP address to phpMyAdmin or newaccount within one hour (some may be honest mistakes), 10 attempts to login (some may be legitimate). But how?

Keith

--
Keith Lofstrom [email protected]
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
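The rate limit described in the post, sketched as a log scan. This is an added example, not part of the original message: it assumes Apache common/combined log lines in time order and that the MoinMoin action appears in the query string (`action=newaccount`, `action=login`); the function names and sample log are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the post: 3 hits/hour for phpMyAdmin or newaccount, 10 for login.
WINDOW = timedelta(hours=1)
LIMITS = {"probe": 3, "login": 10}
# Log prefix: ip ident user [time] "METHOD uri ..."
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) (?P<uri>\S+)')

def classify(uri):
    """Map a request URI to a rate-limit bucket, or None if it is not of interest."""
    lowered = uri.lower()
    if "phpmyadmin" in lowered or "action=newaccount" in lowered:
        return "probe"
    if "action=login" in lowered:
        return "login"
    return None

def offenders(lines):
    """Return {ip: bucket} for clients that reach a bucket's limit within WINDOW."""
    recent = defaultdict(deque)  # (ip, bucket) -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        bucket = classify(m["uri"]) if m else None
        if bucket is None:
            continue  # malformed line, other method, or an uninteresting URI
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[(m["ip"], bucket)]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop hits older than one hour
            q.popleft()
        if len(q) >= LIMITS[bucket]:
            flagged.setdefault(m["ip"], bucket)
    return flagged

def _line(ip, hhmmss, request):
    return f'{ip} - - [10/Mar/2013:{hhmmss} -0700] "{request} HTTP/1.1" 200 512'

# Constructed sample log (documentation address ranges, made-up date).
SAMPLE_LOG = (
    [_line("192.0.2.10", f"01:0{m}:00", "GET /phpMyAdmin/index.php") for m in range(3)]
    + [_line("198.51.100.7", f"0{h}:30:00", "GET /wiki/FrontPage?action=newaccount") for h in (1, 3, 5)]
    + [_line("203.0.113.5", f"06:{m:02d}:00", "POST /wiki/FrontPage?action=login") for m in range(10)]
)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

The second client makes three newaccount requests but spaced two hours apart, so it stays under the limit. Feeding the result to a blocking mechanism is left out; note that hosts.deny only affects services that use TCP wrappers, which stock Apache httpd does not.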
