Date:      Wed, 19 Mar 2003 20:58:49 +0200
From:      "Nikolay Y. Orlyuk" <nikolay@asu.ntu-kpi.kiev.ua>
To:        freebsd-questions@freebsd.org
Subject:   Re: Block requests based on repeated failed httpd login attempts
Message-ID:  <20030319185849.GD99728@asu.ntu-kpi.kiev.ua>
In-Reply-To: <DBEIKNMKGOBGNDHAAKGNGENEKHAB.dave@hawk-systems.com>
References:  <DBEIKNMKGOBGNDHAAKGNGENEKHAB.dave@hawk-systems.com>

On Wed, Mar 19, 2003 at 07:55:05AM -0500, Dave [Hawk-Systems] wrote:
> Had a situation with a user trying to gain access to an htaccess protected
> directory.
> 
> [Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user cobras not found:
> /members/members.htm
> [Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user loredana not
> found: /members/members.htm
> [Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user steve not found:
> /members/members.htm
> [Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user e not found:
> /members/members.htm
> [Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user horno not found:
> /members/members.htm
> ...
> 
> This user will never gain access to the directory using this method just given
> the password and userid scheme that this hosting client is using.  The fact that
> this schmuck bangs away for hours (as have others over the past 6 months) is
> annoying though.
> 
> Is there a port or methodology to parse for such action and ban the IP address
> from making further attempts for X hours (all automated of course).
Oh, I like such tasks. :)
I had almost the same situation with an ICQ rotor. I used a timeout which was
defined experimentally.

In this case it will be reasonable to use scoring for each IP. As a variant you may
look for intervals like score_delta = weight/interval, and sum score_delta
by IP.


To treat the moment in this letter, simply populate groups (only one IP in a whole group) with requests which have
a time distance to the nearest (by time) request in the group lower than some boundary.
Then calculate the count and the total interval in which the group is placed:
score = weight*group_count/group_time, or set a boundary on the count of requests per group.

Those which have the biggest score will be the unwanted IPs.
  
For parsing I'll recommend perl.

-- 
With best wishes Nikolay
mail: nikolay@asu.ntu-kpi.kiev.ua
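A working sketch of the grouping-and-scoring idea from Nikolay's reply, added here as an example and not part of the thread. It is written in Python rather than the Perl he recommends so that it runs as-is. The sample log is constructed: the 208.10.47.119 burst follows the lines quoted in Dave's message, while the 192.0.2.10 client, the "File does not exist" line, and every weight, boundary and threshold are assumed values chosen to show a fast burst beside a slow legitimate user.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The 208.10.47.119 burst mirrors the lines quoted in
# Dave's message; the 192.0.2.10 client is a made-up low-rate user, and the
# last line is a non-login error that the parser must skip.
SAMPLE_LOG = """\
[Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user cobras not found: /members/members.htm
[Sun Feb 23 06:31:00 2003] [error] [client 208.10.47.119] user loredana not found: /members/members.htm
[Sun Feb 23 06:31:01 2003] [error] [client 208.10.47.119] user steve not found: /members/members.htm
[Sun Feb 23 06:31:01 2003] [error] [client 208.10.47.119] user e not found: /members/members.htm
[Sun Feb 23 06:31:02 2003] [error] [client 208.10.47.119] user horno not found: /members/members.htm
[Sun Feb 23 06:35:00 2003] [error] [client 192.0.2.10] user alice not found: /members/members.htm
[Sun Feb 23 06:35:30 2003] [error] [client 192.0.2.10] user alice not found: /members/members.htm
[Sun Feb 23 09:12:30 2003] [error] [client 192.0.2.10] user alice not found: /members/members.htm
[Sun Feb 23 09:13:00 2003] [error] [client 192.0.2.10] File does not exist: /favicon.ico
"""

# Matches only the "user X not found" failure lines in the format quoted above.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] "
    r"user (?P<user>\S+) not found: (?P<path>\S+)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # timestamp layout used in the quoted log


def parse_failures(text):
    """Extract (ip, timestamp) for every 'user X not found' failure line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:  # other error_log lines are not login failures
            continue
        events.append((m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)))
    return events


def group_by_gap(timestamps, boundary):
    """Split one IP's timestamps into groups: a request joins the current group
    when it is within `boundary` seconds of the group's nearest request, which
    after sorting is simply the previous one."""
    groups, current = [], []
    for ts in sorted(timestamps):
        if current and (ts - current[-1]).total_seconds() > boundary:
            groups.append(current)
            current = []
        current.append(ts)
    if current:
        groups.append(current)
    return groups


def burst_stats(events, boundary=60.0, weight=10.0):
    """Per IP: best score = weight * group_count / group_time over its groups,
    plus the largest group size (for the count-per-group variant).
    boundary and weight are assumed values."""
    by_ip = defaultdict(list)
    for ip, ts in events:
        by_ip[ip].append(ts)
    stats = {}
    for ip, stamps in by_ip.items():
        best, largest = 0.0, 0
        for g in group_by_gap(stamps, boundary):
            largest = max(largest, len(g))
            if len(g) < 2:
                continue  # a lone request has no interval, hence no rate
            # clamp to 1 s so identical timestamps (as in the quoted burst)
            # score as a very fast burst instead of dividing by zero
            span = max((g[-1] - g[0]).total_seconds(), 1.0)
            best = max(best, weight * len(g) / span)
        stats[ip] = {"score": best, "max_group": largest}
    return stats


def unwanted_ips(events, boundary=60.0, weight=10.0, threshold=5.0, max_per_group=None):
    """IPs to block: score at or above `threshold`, or (if set) more than
    `max_per_group` failures inside one group. Both limits are assumed values."""
    flagged = []
    for ip, s in burst_stats(events, boundary, weight).items():
        too_fast = s["score"] >= threshold
        too_many = max_per_group is not None and s["max_group"] > max_per_group
        if too_fast or too_many:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for ip, s in burst_stats(ev).items():
        print(f"{ip:16} score={s['score']:.2f} largest_group={s['max_group']}")
    print("unwanted:", unwanted_ips(ev))
```

With these assumed parameters the quoted burst (5 failures in 2 seconds) scores 25, while the slow client scores well under 1, so only the first IP is reported; the resulting list is what a cron job would feed to a firewall rule with an expiry, which is the "ban for X hours" part of Dave's question that this sketch leaves out.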