[oclug] Apache anti-abuse

rod at giffinscientific.com rod at giffinscientific.com
Fri Aug 23 09:13:15 EDT 2002


David F. Skoll wrote:
> My Web server was attacked on the 21st and 22nd August, with some
> bozo at Ottawa-HSE-ppp262070.sympatico.ca hitting me over 480,000
> times with ApacheBench.
>
> This is the second time something like this has happened, so I wrote
> this little protection script.  Run it every 5 minutes from cron, feeding
> it your Apache log file as input.  It firewalls off hosts who hit you
> too often (default is if 250 hits of the last 1000 are from the same host,
> you're out.)

This is interesting.  If you modify the script to look for the signatures of attacks (because sometimes heavy web usage is just a sign of interest in your website) you have a very powerful tool.  

Might a user surfing your web site at 4:30 in the morning accidentally trigger the script threshold?

How about sudden interest in your website from a potential client who uses proxy servers?  Could that accidentally trigger the script?

Rod.
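
The quiet-hours question above can be checked against a log directly. This is an added example, not the script from the quoted post: it applies a count-only reading of the "250 of the last 1000" rule next to an assumed variant that also requires those hits to arrive within five minutes. The function names, the five-minute span and the sample log lines are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: host ident user [timestamp]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(lines):
    """Return [(host, datetime)] for every parseable log line, in file order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits.append((m.group(1), datetime.strptime(m.group(2), TS_FMT)))
    return hits

def count_only(lines, window=1000, threshold=250):
    """Reading of the quoted rule: hosts with >= threshold of the last `window` hits."""
    counts = Counter(host for host, _ in parse(lines)[-window:])
    return {h for h, n in counts.items() if n >= threshold}

def count_and_rate(lines, window=1000, threshold=250, span=timedelta(minutes=5)):
    """Assumed refinement: the host's latest `threshold` hits must also fit in `span`."""
    by_host = {}
    for host, ts in parse(lines)[-window:]:
        by_host.setdefault(host, []).append(ts)
    return {h for h, ts in by_host.items()
            if len(ts) >= threshold and ts[-1] - ts[-threshold] <= span}

def make_log(host, start, n, step_s):
    """Constructed sample data: n hits from host, step_s seconds apart."""
    out = []
    for i in range(n):
        stamp = (start + timedelta(seconds=i * step_s)).strftime(TS_FMT)
        out.append(f'{host} - - [{stamp}] "GET / HTTP/1.0" 200 512')
    return out

EDT = timezone(timedelta(hours=-4))
# Quiet night: 750 hits from 75 hosts over the evening, then one reader at 04:30.
QUIET = [l for i in range(75)
         for l in make_log(f"192.0.2.{i + 1}", datetime(2002, 8, 22, 18, 0, tzinfo=EDT)
                           + timedelta(minutes=8 * i), 10, 30)]
QUIET += make_log("198.51.100.7", datetime(2002, 8, 23, 4, 30, tzinfo=EDT), 250, 20)
# Flood: one host sending about three requests per second.
FLOOD = make_log("203.0.113.9", datetime(2002, 8, 23, 4, 30, tzinfo=EDT), 1000, 0.3)

if __name__ == "__main__":
    for name, log in (("quiet", QUIET), ("flood", FLOOD)):
        print(name, count_only(log), count_and_rate(log))
```

On the constructed quiet-night log the count-only rule flags the lone 04:30 reader, because the last 1000 lines reach back to the previous evening; the rate-aware variant flags only the flood.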


