From: marty <marty <at> goodoldmarty.com>
Subject: Re: Using Mod_Security to add IPs to, hosts.deny
Newsgroups: gmane.comp.apache.mod-security.user
Date: Friday 1st August 2008 02:02:12 UTC
> In looking at the error logs of our Debian LAMP server, a lot of the  
> intrusion attempts seem to start with a rapid scan of common locations  
> for a phpMyAdmin login.
> Thankfully, Mod_Security easily blocks this (for my own amusement I  
> put a redirect to www.phpmyadmin.net on those attempts, but since they  
> come from some automated tool, the redirects are undoubtedly not  
> executed...)
> But since such an attacker undoubtedly moves on to other strategy, I  
> would like to immediately block their access altogether by adding  
> their IP to hosts.deny in a similar manner as denyhosts.pl does for  
> ssh intrusion attempts, for example. That way all other ports such as  
> ftp etc would also be covered against this attacker.
> I suppose one would have to use the EXEC command and call a script to  
> achieve this (and the script would have to retrieve the IP from the  
> environment variables, since EXEC doesn't allow any arguments).
> I would be most grateful for any advice on whether this is even a good  
> idea, and what such a script would look like.
I answer this from personal experience, which has been good.
This is very annoying stuff for concerned admins.

(1) Those types of automated attacks are just looking for
low hanging fruit. But they do steal bandwidth.
Most of this activity comes from a few nasty netblocks that
can (and should) be banned without issues. Manual permanent
blocks are the most effective way to deal with this garbage.
Make friends with IPtables. That's not the work of mod_sec.

 This has proven very effective against some annoyance bots:

 # create a "banned" chain and send all incoming/forwarded traffic through it first
 iptables -N banned
 iptables -I FORWARD -j banned
 iptables -I INPUT -j banned
 # drop new connections arriving from the bots' source ports
 iptables -A banned -p tcp --sport 6000 -m state --state NEW -j DROP
 iptables -A banned -p tcp --sport 12200 -m state --state NEW -j DROP

(2) Ivan wrote a small setuid program which will grab the
offender's IP from the environment; blacklist-webclient.c
This code is easy to modify and has worked nicely for me.
You need to build it and hook rules to it.

(3) The above can be linked into your rules with the 'exec'
function something like this stuff:
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "exec:/usr/sbin/blacklist_webclient,msg:'Request Missing an Accept Header-blacklisting client',id:'961234'"

(4) Ivan also wrote a perl script that sets a timed block in
IPtables, when blacklist-webclient fires. You might want to
do it differently so read the docs first.

(6) those modsec redirects usually work, but we don't get to
see what happens. Just imagine a robot with a very stupid
look on its face, and enjoy the moment:)

(7) You can easily modify your Apache configuration so
off-site arguments get rewritten and do nothing much anyway,
if you use a CMS or such. Enclose in Directory directive.

   RewriteEngine on
   RewriteBase /
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

I hope some of that helps...

Marty B.

The only benefit from using other peoples' software
is that you gain someone else to blame.
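As an added example (not the blacklist-webclient.c program nor any code from the post), here is a Python script that the exec action in (3) could point at instead; it appends the offender to hosts.deny with the checks an admin would want: the address is validated, trusted networks are never blocked, and the file is written under a lock and without duplicates. It assumes the exec environment carries REMOTE_ADDR, and the file path and allowlisted networks are constructed values to adjust per site.

```python
#!/usr/bin/env python3
"""Add the client IP that triggered a ModSecurity rule to hosts.deny.

Added example, not the blacklist-webclient.c program from the post.
Assumes the exec action runs this script with the request's CGI-style
environment, so the offender's address is in REMOTE_ADDR (an assumption).
"""
import fcntl
import ipaddress
import os
import sys

HOSTS_DENY = "/etc/hosts.deny"   # tcp_wrappers deny file (site value)
# Constructed allowlist: never lock out loopback or the admin's own networks.
ALLOW_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "::1/128", "10.0.0.0/8", "192.168.0.0/16")]


def deny_line(ip_text):
    """Return the hosts.deny line for ip_text, or None if it must not be blocked."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None                  # garbage in the environment: do nothing
    if any(addr in net for net in ALLOW_NETS):
        return None                  # trusted range: refuse to block it
    # hosts_access(5) writes IPv6 addresses in square brackets
    host = "[%s]" % addr if addr.version == 6 else str(addr)
    return "ALL: %s\n" % host


def add_to_hosts_deny(ip_text, path=HOSTS_DENY):
    """Append the deny line once; returns True only if a new entry was written."""
    line = deny_line(ip_text)
    if line is None:
        return False
    with open(path, "a+") as f:
        fcntl.flock(f, fcntl.LOCK_EX)   # several exec'd copies may run at once
        f.seek(0)
        if line in f.read().splitlines(keepends=True):
            return False             # already present: keep the file idempotent
        f.write(line)                # "a+" always writes at end of file
    return True


if __name__ == "__main__":
    # REMOTE_ADDR is taken from the exec environment (assumption, see above)
    sys.exit(0 if add_to_hosts_deny(os.environ.get("REMOTE_ADDR", "")) else 1)
```

Install it mode 0700 owned by the user Apache runs as, and give that user write access to the deny file (or a file included from it) rather than making the script setuid.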