RE: [users@httpd] Is there a way to intercept all IP accesses in real time?

2018-11-01 Thread Jeff Cauhape
David,

I'm probably being pedantic, but I don't think you are looking for a literal "real time" system, just something that operates quickly. A legitimate real time system can guarantee response to an interrupt within a specified length of time. People often confuse this with being fast, but they aren't really the same thing.

I think you might be able to accomplish your goals with some high quality log analysis software. Since all the threads write to the same logs, checking the logs takes care of the multiple thread issue.

If that doesn't sound fast enough, you might look to see if any of the switches or routers in your network have hacking detection software that can be installed or activated. This works faster than anything you could put on the server itself.

Jeffrey Cauhape – IT Professional III – Linux and Solaris Administrator
Nevada Department of Employment, Training and Rehabilitation
(775) 684-3804 (office) jpcauh...@detr.nv.gov

-Original Message-
From: David Spector [mailto:david...@springtimesoftware.com] 
Sent: Thursday, November 1, 2018 7:05 AM
To: users@httpd.apache.org
Subject: [users@httpd] Is there a way to intercept all IP accesses in real time?

I would like to write a short real-time PHP program to detect unusual or 
malicious access patterns to httpd under all OSs for the usual methods, such as 
GET and POST, the goal being to protect authentication procedures from being 
repeatedly tested by unauthorized visitors to websites.

My understanding is that Apache generates a pool of worker processes to handle 
remote accesses to the server, so that accesses are processed efficiently and 
possibly concurrently if the OS supports process concurrency.

So, I'm afraid if I simply write a PHP function that gets called at the start 
of displaying the home page of a website, it will intercept only a subset of 
the remote accesses, which would be insufficient for analyzing access patterns.

Is there a way to have a piece of efficient real-time PHP code stay in memory 
(for efficiency, so its code and database can be resident in
memory) and be called for every remote IP access? Its results (a short, often 
updated IP blacklist) could be sent to the website through a slower route or 
could be used right there in the real-time PHP code to block the access.

David Spector
Springtime Software

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
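Log analysis along the lines Jeff suggests, as an added example that is not from any poster in this thread: it parses Apache combined-format access log lines (sample lines constructed here with TEST-NET addresses; the endpoint names, window and threshold are assumptions) and flags an IP once it accumulates five failed POSTs to an authentication endpoint within a 60-second window, no matter which worker process wrote each line.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b ...; the client IP is the first field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

AUTH_PATHS = ("/login", "/wp-login.php")  # assumed endpoints guarding authentication
WINDOW = timedelta(seconds=60)            # assumed sliding window
THRESHOLD = 5                             # assumed failures per IP per window

# Constructed sample lines, interleaved the way several workers append them to one log.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2018:10:05:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.61.0"',
    '203.0.113.5 - - [01/Nov/2018:10:05:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.61.0"',
    '203.0.113.5 - - [01/Nov/2018:10:05:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.61.0"',
    '198.51.100.7 - - [01/Nov/2018:10:05:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Nov/2018:10:05:07 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.61.0"',
    '198.51.100.7 - - [01/Nov/2018:10:05:08 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Nov/2018:10:05:09 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.61.0"',
]

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"]))

def find_offenders(lines, window=WINDOW, threshold=THRESHOLD):
    """Map each IP that reached `threshold` failed auth POSTs inside `window` to the
    timestamp at which it crossed the line. Lines are assumed roughly chronological."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # rotated-log noise, garbage, or a format we do not understand
        ip, ts, method, path, status = rec
        if method != "POST" or path not in AUTH_PATHS or status not in (401, 403):
            continue  # only failed attempts against the auth endpoints count
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

Feed it the output of `tail -F` on the access log to get the near-real-time behaviour the original question asks about; the resulting dictionary is the blocklist to hand to the firewall or to the application.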



Re: [users@httpd] Is there a way to intercept all IP accesses in real time?

2018-11-01 Thread Dennis Clarke

On 11/01/2018 10:05 AM, David Spector wrote:

> efficient real-time PHP code

There is no such thing.

I am only aware of rt priority type code written in C and assembly.
At least in the instrumentation and data collection field.

dc


Re: [users@httpd] Is there a way to intercept all IP accesses in real time?

2018-11-01 Thread Freek de Kruijf
On Thursday, 1 November 2018 15:05:06 CET, David Spector wrote:
> I would like to write a short real-time PHP program to detect unusual or
> malicious access patterns to httpd under all OSs for the usual methods,
> such as GET and POST, the goal being to protect authentication
> procedures from being repeatedly tested by unauthorized visitors to
> websites.
> 
> My understanding is that Apache generates a pool of worker processes to
> handle remote accesses to the server, so that accesses are processed
> efficiently and possibly concurrently if the OS supports process
> concurrency.
> 
> So, I'm afraid if I simply write a PHP function that gets called at the
> start of displaying the home page of a website, it will intercept only a
> subset of the remote accesses, which would be insufficient for analyzing
> access patterns.
> 
> Is there a way to have a piece of efficient real-time PHP code stay in
> memory (for efficiency, so its code and database can be resident in
> memory) and be called for every remote IP access? Its results (a short,
> often updated IP blacklist) could be sent to the website through a
> slower route or could be used right there in the real-time PHP code to
> block the access.
> 
> David Spector
> Springtime Software

The SANS Institute (dshield.org) has a honeypot system available: https://isc.sans.edu/honeypot.html
This web page mentions that Apache is being used, but this is no longer the case. The software uses a Python script to catch the communication with the HTTP server. The software itself is available on GitHub. I have it running on the smallest Raspberry Pi, a 1B, together with a honeypot for telnet and ssh and firewall logging. Reports go to dshield.org. My modem/router forwards almost all TCP/UDP ports to the honeypot system.

-- 
Kind regards,

Freek de Kruijf
