Keith, If you pair modsecurity with CSF you can accomplish your goal without much customization. I'd also recommend subscribing to the Atomic mod security rules. A subscription is only ~$15 a month and the rules are updated almost daily.
http://www.atomicorp.com/products/modsecurity.html Kevin On Wed, 4 Jun 2014, Keith Lofstrom wrote: > Any modsecurity gurus on the list? > > I run many moinmoin wikis on my underpowered virtual server. > Lately, I have seen the load average climb towards 80 (!) when > the bots are attacking. 95% of the attempts are associated > with html GET and POST requests for three actions: "phpMyAdmin" > (which I don't run), newaccount, and login. > > It looks like modsecurity for apache is the right way to > process these, but I don't have much time to learn about it. > I've found some old howtos. They don't tell me how to do > what I want, which is more than just make a decision to > proceed based on a single isolated request. > > What I think I want to do is append the offending IP addresses > into /etc/hosts.deny , like I do with denyhosts for sshd. > hosts.deny is light-weight compared to firing up apache > and moinmoin for each query. > > Perhaps I can detect the above three text patterns, with > some kind of rate limit. Say 3 attempts from a given IP > address to phpMyAdmin or newaccount within one hour (some > may be honest mistakes), 10 attempts to login (some may > be legitimate). But how? > > Keith _______________________________________________ PLUG mailing list [email protected] http://lists.pdxlinux.org/mailman/listinfo/plug
