Re: [mod-security-users] Block policy for malicious hosts
From: Reindl H. <h.r...@th...> - 2017-06-07 23:02:01
On 07.06.2017 at 23:39, J Doe wrote:
> I was wondering what action policy people use when they have a malicious host connect to their web server.
>
> As I understand, there are four options from ModSec 2.9.1 [1]:
>
> -- "deny" with status page (i.e. HTTP 404, 403, etc. pages)
> -- "deny" with no status page
> -- "drop"
> -- Using @ipMatch/@ipMatchFromFile with "drop" or "deny" [2]
>
> To make my web server less attractive, I was thinking that "drop" was the best solution, as hopefully the malicious host will conclude there isn't a web server at all - the connection terminates [3].
>
> My concern with status pages is:
>
> -- 404 still indicates there is a server, just that the requested resource is not found
> -- 403 gives the impression of a protected service, which might invite more attacks
>
> What do most people use when the host connecting is known to be malicious?

403 or 400 - most bots are not smart enough to care about anything other than non-2xx/non-3xx, and that's not only in the case of webservers - I have seen bots trying dictionary attacks on SMTP servers which were even successful, but after the outbound spamassassin-milter rejected the data - guess what the bot did: continue with the dictionary attack
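For reference, an added example (not from the thread) showing how the two options discussed above, deny with an explicit status and drop, look as ModSecurity 2.x rules matching a list of known-bad addresses; the rule ids, the blocklist path and the message text are assumptions:

```apache
# Added example, not from the thread. Rule ids, file path and messages are assumed.
# The list file holds one IP address or CIDR range per line.

# Option A: answer known-bad sources with an explicit 403 (the reply's preference).
# "log" records the match in the error and audit logs so the block stays visible
# to the defender.
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/malicious-hosts.txt" \
    "id:100001,phase:1,deny,status:403,log,msg:'Known malicious host (deny 403)'"

# Option B: same match, but close the TCP connection without sending any response.
# The client sees a reset instead of an HTTP status; the match is still logged.
# Enable only one of the two rules for a given list.
SecRule REMOTE_ADDR "@ipMatchFromFile /etc/modsecurity/malicious-hosts.txt" \
    "id:100002,phase:1,drop,log,msg:'Known malicious host (drop)'"
```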