On 2026-05-13 12:08, Rich Bowen wrote:
On May 13, 2026, at 11:34 AM, Paul <[email protected]> wrote:
We tried this, but our "abusers", a well distributed attack, were spoofing the
referer. I've stopped (dropped) them at the moment with a rather ugly bit of logic in the
perl/cgi, but if they're serious, it won't take them long to wake up.
I’d also recommend that you solve this at a different layer. Using fail2ban to
detect abuse, and then block it at the firewall, is fairly easy to set up with
mod_security, and solves a lot of adjacent problems too.
Rich, thanks. I'll look into it and compare with what we already have
(e.g. Suricata and Proofpoint Emerging Threats (ET) rules and a couple
more at router level) where obviously there is very limited personalization.
Our problem is that the attacks are very widely distributed. I've just
reviewed today's logs for this particular POST attempt, and out of 727
attempts, there are 719 unique IPs.
I've had a look at your page and we'll definitely retain the thinking
within our remediation plan.
Again tnx and br,
Paul.
I have a recipe for that at
https://drbacchus.com/fail2ban-filter-block-based-on-mod_security-failures/
which sets up the integration between mod_sec and fail2ban, and I’m using it to
detect common attacks that don’t necessarily come from a single known address.
—
Rich Bowen
[email protected]
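To illustrate the point made in the thread, that a per-address threshold (the way a fail2ban jail counts hits) catches little when nearly every attempt arrives from a different IP, here is an added example that is not part of the original mail exchange. It parses constructed Apache combined-format log lines (sample traffic, not real data; the path /cgi-bin/form.pl is hypothetical), counts POST attempts and distinct sources, and reports how many sources a given maxretry-style threshold would actually ban.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [13/May/2026:10:01:02 +0000] "POST /cgi-bin/form.pl HTTP/1.1" 200 512 "https://example.org/form" "Mozilla/5.0"
203.0.113.11 - - [13/May/2026:10:01:05 +0000] "POST /cgi-bin/form.pl HTTP/1.1" 200 512 "https://example.org/form" "Mozilla/5.0"
203.0.113.12 - - [13/May/2026:10:01:09 +0000] "POST /cgi-bin/form.pl HTTP/1.1" 200 512 "https://example.org/form" "Mozilla/5.0"
203.0.113.12 - - [13/May/2026:10:01:15 +0000] "POST /cgi-bin/form.pl HTTP/1.1" 200 512 "https://example.org/form" "Mozilla/5.0"
198.51.100.7 - - [13/May/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [13/May/2026:10:02:30 +0000] "POST /cgi-bin/form.pl HTTP/1.1" 200 512 "https://example.org/form" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per line that matches the combined log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def post_attempts(text, path):
    """Return the source IP of every POST request to `path`, in log order."""
    return [r["ip"] for r in parse_log(text)
            if r["method"] == "POST" and r["path"] == path]


def summarize(ips, maxretry):
    """Compare total attempts with distinct sources, and show how much a
    per-IP threshold of `maxretry` hits (fail2ban style) would stop."""
    per_ip = Counter(ips)
    banned = sorted(ip for ip, n in per_ip.items() if n >= maxretry)
    uncaught = sum(n for n in per_ip.values() if n < maxretry)
    return {
        "attempts": len(ips),
        "unique_ips": len(per_ip),
        "banned_ips": banned,
        "uncaught_attempts": uncaught,
    }


if __name__ == "__main__":
    ips = post_attempts(SAMPLE_LOG, "/cgi-bin/form.pl")
    print(summarize(ips, maxretry=2))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a high unique_ips/attempts ratio is the signal that blocking must key on the request pattern (which mod_security rules can do) rather than on the source address.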
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]