[oclug] Apache anti-abuse
Bart Trojanowski
bart-oclug at jukie.net
Fri Aug 23 10:19:18 EDT 2002
* rod at giffinscientific.com <rod at giffinscientific.com> [020823 09:55]:
> David, this is interesting and awfully timely too, considering that at
> the moment, I'm with a client who appears to be being attacked by
> Nimda/Code Red 2 or something similar, since Aug 19th. The number of
> requests/second they are receiving, and the number of IP addresses
> involved appear to be increasing exponentially. Although it is not yet
> serious, and it's really only an annoyance at this point, it is likely
> if unchecked to become a serious problem within a couple of days.
> Their network admins may find your script, or something like it very
> handy shortly. I'll be sure to let them know who it's from :)
For actual attacks I would recommend 'snort' and 'guardian.pl'. The
first detects attacks in pseudo-real-time, the latter reads through
snort alert logs and launches a script. Mine just simply does an
iptables drop for the attacking IP.
B.
--
WebSig: http://www.jukie.net/~bart/sig/
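As an added illustration of the alert-to-iptables step described in the message above (this is not Bart's script and not guardian.pl), the following Python sketch reads snort "fast" alert lines, counts high-priority alerts per source address, skips an allow-list so the responder never blocks its own networks, and builds the DROP commands. The alert lines, rule names, SIDs and addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of snort fast-alert lines (not taken from the thread).
SAMPLE_ALERTS = """\
08/23-10:01:02.123456 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4321 -> 203.0.113.5:80
08/23-10:01:05.654321 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4322 -> 203.0.113.5:80
08/23-10:02:00.000001 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:1080 -> 203.0.113.5:80
08/23-10:03:00.000001 [**] [1:1002:5] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.4:5555 -> 203.0.113.5:80
08/23-10:04:00.000001 [**] [1:2123:3] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.99 -> 203.0.113.5
"""

# Priority, protocol, source and destination; the port suffix is optional
# because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[0-9.]+)(?::\d+)? -> (?P<dst>[0-9.]+)(?::\d+)?$"
)

# Networks that must never be dropped, whatever the alerts say (constructed).
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("127.0.0.0/8")]


def parse_alerts(text):
    """Yield (priority, source_ip) for every parseable alert line."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m.group("prio")), m.group("src")


def offenders(text, max_priority=1, min_hits=2):
    """Sorted source IPs with at least min_hits alerts of priority
    <= max_priority, excluding allow-listed networks. The min_hits
    threshold keeps a single stray alert from costing a block."""
    hits = {}
    for prio, src in parse_alerts(text):
        if prio > max_priority:
            continue
        if any(ipaddress.ip_address(src) in net for net in NEVER_BLOCK):
            continue
        hits[src] = hits.get(src, 0) + 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)


def drop_rules(ips, chain="INPUT"):
    """Build the iptables DROP commands; apply with subprocess.run(cmd)."""
    return [["iptables", "-I", chain, "-s", ip, "-j", "DROP"] for ip in ips]
```

With the sample above, only 192.0.2.10 crosses the two-alert threshold; 10.0.0.4 is allow-listed and the priority-3 ping is ignored.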