Re: [mod-security-users] Automatically Add to Deny Hosts
From: Ivan R. <iv...@we...> - 2006-02-16 09:41:06
John Thomas wrote:
> I would like to ban people that break too many mod security rules. I
> see, in my error logs, machines breaking 20-50 rules at a time. These,
> in my view, seem to be some script looking for a known vulnerability.
>
> Is there a way to automagically add these *&*&^ to my host.deny file?

Not without a little bit of work: you could configure SEC (Simple Event Correlator) to watch the error log and act on the information seen there.

I am planning to add similar functionality to httpd-guardian pretty soon though. This script can already protect the web server from DoS attacks and I'll extend it to track rule violations per IP address too. Once a violation is established it can block the offending IP address on the firewall level (either locally, using iptables or pf, or remotely, via SnortSam).

The interesting thing about httpd-guardian is that it can also receive data via Spread - making it a possible solution for web server clusters too.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
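The per-IP violation tracking discussed in this message, sketched as an added example (it is not httpd-guardian or SEC code and not part of the original post): a sliding-window counter over error-log lines that reports addresses exceeding a threshold. The log line layout, the `offenders` function, the threshold and window defaults, and the sample lines are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed error-log layout: [timestamp] [error] [client IP] mod_security: ...
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]\s]+)\] mod_security: "
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def offenders(lines, threshold=20, window_s=60):
    """Return IPs with >= threshold violations inside any window_s-second span."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a mod_security violation line
        try:
            # Validate before the value can reach a deny list or firewall rule.
            ip = str(ipaddress.ip_address(m.group("ip")))
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        except ValueError:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.append(ip)
    return flagged


# Constructed sample lines (documentation address ranges), not real log data.
MSG = "mod_security: Access denied with code 403. Pattern match (constructed)"
SAMPLE = (
    # burst: five violations in eight seconds
    [f"[Thu Feb 16 09:40:{s:02d} 2006] [error] [client 192.0.2.10] {MSG}"
     for s in range(0, 10, 2)]
    # slow: five violations, five minutes apart
    + [f"[Thu Feb 16 09:{m:02d}:00 2006] [error] [client 203.0.113.5] {MSG}"
       for m in range(0, 25, 5)]
    # ordinary Apache error, must not count
    + ["[Thu Feb 16 09:40:01 2006] [error] [client 198.51.100.7] "
       "File does not exist: /var/www/favicon.ico"]
)

if __name__ == "__main__":
    for ip in offenders(SAMPLE, threshold=5):
        print(f"ALL: {ip}")  # hosts.deny-style line
```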