httpd-modules-dev mailing list archives

From Ray Morris <supp...@bettercgi.com>
Subject Re: Request Filter (now off topic)
Date Thu, 05 Jun 2008 20:46:26 GMT
   This is a little off the topic of Apache module 
development, but it's perhaps a better solution to 
the problem posed which the questioner mentioned 
rather than using an Apache module.

> what i'm doing right now is: using the error log pipe 
> to check for suspicious errors. if enough errors 
> happened i call iptables -A INPUT -d DROP -j 'IP'.
> 
> for me doing all checks with an apache module seems to 
> be more 'cleaner'.

   I'm doing the exact same thing and it's "cleaner" that 
way in one important sense.  What I found is that the 
people attacking http also attack, often as a dictionary 
attack, pop3, imap, ssh, and ftp.  They will use pop3 to 
test a user name and password which they will then use to 
log in via ssh or ftp.  I use the exact same code to monitor 
the error logs for each service, with just a couple of 
variables changed to monitor the service.  Using the same 
code for all five daemons is cleaner than writing one 
module for Apache, a very different one for ssh, another 
that's quite different for pop3, then one for imap, and 
yet more completely different code to integrate with the  
ftp server.

   Totally off the topic of Apache, I also noticed something 
about the iptables statement you're using.  You said you're 
using:
iptables -A INPUT -d DROP -j 'IP'

  That's fine as long as there are only a couple of IPs, 
but we often see a distributed brute attack using 1,500 
proxies or more, as that's easy to do using freely available
software these days.  Each packet only carries less than 1.5k
on most servers, so a busy server moves a lot of packets in 
a short time and checking each packet against a list of 1,500 
IPs is a big waste of overhead.  Instead, we only check the 
FIRST packet of each new connection, using code like this.
In the input chain, a single check gives us the first packet
of each connection, which we send on to be checked against
the large list of IPs:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  OurAdminIP           0.0.0.0/0           tcp 
sshd_brute all  --  0.0.0.0/0            0.0.0.0/0           state NEW

Then we add IPs to the sshd_brute chain using:
system("$iptables", '-A', 'sshd_brute', '-s', "$ip", '-j', 'DROP');

   We're in the business of detecting and stopping brute
force and dictionary attacks, so we've spent some time 
trying to get this right.  You may certainly have some 
good ideas we haven't thought of, though.
--
Ray B. Morris
support@bettercgi.com


On 06/05/2008 09:38:17 AM, living liquid | Christian Meisinger wrote:
> > What you've got looks more complex than it should be (but I'm
> > not spending the time to go through it in detail).
> > 
> > 1.  That's not a filter in Apache terminology.
> > 2.  You're basically doing the same as mod_access/mod_authz_host
> >     but using a different lookup.
> > 3.  mod_rewrite can already do what you're looking for.
> >     If you want to drive it from SQL, you can use
> >     RewriteMap "dbd:your-SQL-query"
> > 
> 
> what i'm doing right now is: using the error log pipe to check
> for suspicious errors.
> if enough errors happened i call
> iptables -A INPUT -d DROP -j 'IP'.
> 
> for me doing all checks with an apache module seems to be more
> 'cleaner'.
> 
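The log-driven blocker Ray describes (count failures per source IP from a daemon's log, then send only the first packet of each new connection to a per-service chain that holds the DROP rules), written out as an added example in Python; this is not Ray's or the list's code. The log lines are constructed, the failed-login regex is an assumption about OpenSSH's log format, and the chain name sshd_brute and the DROP rule mirror the listing and system() call in the message; iptables is only printed unless dry_run is switched off.

```python
import re
import subprocess
from collections import Counter

# Constructed sample log lines (not from the original message).
SAMPLE_LINES = [
    "Jun  5 20:01:02 host sshd[123]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "Jun  5 20:01:03 host sshd[123]: Failed password for root from 203.0.113.7 port 5002 ssh2",
    "Jun  5 20:01:04 host sshd[123]: Failed password for admin from 203.0.113.7 port 5003 ssh2",
    "Jun  5 20:01:05 host sshd[124]: Accepted publickey for ray from 198.51.100.2 port 6000 ssh2",
    "Jun  5 20:01:06 host sshd[125]: Failed password for bob from 198.51.100.9 port 7000 ssh2",
]

# Per-daemon settings are the only variables that change between services; the
# regex is an assumption about OpenSSH's log format. pop3/imap/ftp would get
# their own pattern and chain in the same way.
SERVICES = {"sshd": {"pattern": r"Failed password for .+ from (\S+) port",
                     "chain": "sshd_brute", "threshold": 3}}

def count_failures(lines, pattern):
    """Count matching (failed-login) lines per source IP."""
    rx = re.compile(pattern)
    return Counter(m.group(1) for line in lines if (m := rx.search(line)))

def offenders(counts, threshold):
    """IPs whose failure count reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def chain_setup_cmds(chain):
    """One-time setup: create the per-service chain and send only the first
    packet of each new connection to it, so established flows never walk it."""
    return [["iptables", "-N", chain],
            ["iptables", "-A", "INPUT", "-m", "state", "--state", "NEW", "-j", chain]]

def block_cmd(chain, ip):
    """Same rule as the system() call in the message: drop one source IP."""
    return ["iptables", "-A", chain, "-s", ip, "-j", "DROP"]

def run(cmds, dry_run=True):
    """Print the rules, or apply them (requires root) when dry_run is False."""
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)

if __name__ == "__main__":
    for cfg in SERVICES.values():
        bad = offenders(count_failures(SAMPLE_LINES, cfg["pattern"]), cfg["threshold"])
        run(chain_setup_cmds(cfg["chain"]) + [block_cmd(cfg["chain"], ip) for ip in bad])
```

In a real deployment the setup commands run once at start and the admin ACCEPT rule stays ahead of the jump in INPUT, as in the listing above, so a mistaken entry in the chain cannot lock out the administrator.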


