How about fail2ban?

*From <http://www.fail2ban.org/wiki/index.php/Main_Page>:*
*Fail2ban* scans log files (e.g. /var/log/apache/error_log) and bans IPs
that show the malicious signs -- too many password failures, seeking for
exploits, etc. Generally Fail2Ban is then used to update firewall rules to
reject the IP addresses for a specified amount of time, although any
arbitrary other *action* (e.g. sending an email) could also be configured.
Out of the box Fail2Ban comes with *filters* for various services (apache,
courier, ssh, etc).

Fail2Ban is able to reduce the rate of incorrect authentication attempts;
however, it cannot eliminate the risk that weak authentication presents.
Configure services to use only two-factor or public/private authentication
mechanisms if you really want to protect services.


On Wed, Jun 4, 2014 at 10:57 AM, <[email protected]> wrote:

> Keith,
>
> If you pair modsecurity with CSF you can accomplish your goal without much
> customization. I'd also recommend subscribing to the Atomic mod security
> rules. A subscription is only ~$15 a month and the rules are updated
> almost daily.
>
> http://www.atomicorp.com/products/modsecurity.html
>
> Kevin
>
> On Wed, 4 Jun 2014, Keith Lofstrom wrote:
>
> > Any modsecurity gurus on the list?
> >
> > I run many moinmoin wikis on my underpowered virtual server.
> > Lately, I have seen the load average climb towards 80 (!) when
> > the bots are attacking.  95% of the attempts are associated
> > with html GET and POST requests for three actions: "phpMyAdmin"
> > (which I don't run), newaccount, and login.
> >
> > It looks like modsecurity for apache is the right way to
> > process these, but I don't have much time to learn about it.
> > I've found some old howtos.  They don't tell me how to do
> > what I want, which is more than just make a decision to
> > proceed based on a single isolated request.
> >
> > What I think I want to do is append the offending IP addresses
> > into /etc/hosts.deny , like I do with denyhosts for sshd.
> > hosts.deny is light-weight compared to firing up apache
> > and moinmoin for each query.
> >
> > Perhaps I can detect the above three text patterns, with
> > some kind of rate limit.  Say 3 attempts from a given IP
> > address to phpMyAdmin or newaccount within one hour (some
> > may be honest mistakes), 10 attempts to login (some may
> > be legitimate).   But how?
> >
> > Keith
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
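
The per-address rate limit Keith asks for is the counting that fail2ban's maxretry and findtime settings express. Below is an added sketch of that logic over constructed Apache access-log lines; it is not part of the thread and not fail2ban's own code, and the URL patterns, the function names and the choice to flag an address when its count reaches the limit are assumptions:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client IP, timestamp, request path.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)')

# name: (pattern on the request path, hits that trigger a ban, window).
# Assumed: the action name shows up in the logged URL, and a ban fires
# when the count reaches the limit (thresholds are from Keith's message).
RULES = {
    "probe": (re.compile(r"phpmyadmin|action=newaccount", re.I), 3, timedelta(hours=1)),
    "login": (re.compile(r"action=login", re.I), 10, timedelta(hours=1)),
}

def find_offenders(lines, rules=RULES):
    """Return {ip: rule_name} for clients that reach a rule's limit in its window."""
    hits = defaultdict(deque)        # (ip, rule) -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(1) in banned:
            continue                 # unparsable line, or address already flagged
        ip, stamp, path = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        for name, (pattern, limit, window) in rules.items():
            if not pattern.search(path):
                continue
            q = hits[(ip, name)]
            q.append(when)
            while when - q[0] > window:   # forget hits older than the window
                q.popleft()
            if len(q) >= limit:
                banned[ip] = name
                break
    return banned

def _line(ip, hhmm, req):
    return f'{ip} - - [04/Jun/2014:{hhmm}:00 -0700] "{req} HTTP/1.1" 404 209'

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE = [
    _line("203.0.113.7", "10:00", "GET /phpMyAdmin/scripts/setup.php"),
    _line("198.51.100.4", "10:01", "GET /FrontPage?action=newaccount"),
    _line("203.0.113.7", "10:05", "POST /FrontPage?action=newaccount"),
    _line("203.0.113.7", "10:20", "GET /pma/phpmyadmin/index.php"),
    _line("198.51.100.4", "11:30", "GET /FrontPage?action=newaccount"),
    _line("198.51.100.4", "12:45", "GET /FrontPage?action=newaccount"),
]
print(find_offenders(SAMPLE))
```

The second address makes three newaccount requests but never three within one hour, so only the first is flagged; this sliding window is what keeps the occasional honest mistake from being banned.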