
BLU Discuss list archive



Banning IPs from Apache?



On Wed, Feb 11, 2004 at 11:01:03AM -0500, Keller, Tim wrote:
> Bob,
> 
> What you could do is write a perl script that would just watch your error
> logs and then add a rule to iptables to just block that IP...

Take a look at snort - from your description, it may be the right tool
for the job. It's not a packet-level firewall, it's a "network intrusion
detection engine" that can detect and stop traffic based on known attack
signatures - just the sort of thing you're trying to accomplish.

  http://www.snort.org

Nathan

> 
> Tim.
> 
> I have sworn upon the altar of God eternal hostility against every form of
> tyranny over the mind of man. -- T. Jefferson
> 
> -----Original Message-----
> From: Bob George [mailto:mailings02 at ttlexceeded.com]
> Sent: Wednesday, February 11, 2004 9:39 AM
> To: Boston Linux Users Group
> Subject: Re: Banning IPs from Apache?
> 
> 
> Duane Morin <dmorin at lear.morinfamily.com> wrote:
> > Recently I'm experiencing nasty load problems on my home web
> > server for reasons I have yet to determine.  But I do see that
> > my access logs are full of the usual worm traffic.  Can
> > somebody point me in the right direction (or just give me the
> > quick tutorial) on whether I can tell Linux or Apache ASAP
> > "here's a bunch of IPs that I don't want you to respond to at
> > all?"  What's the optimal way of making sure that these hits
> > don't kill your server (or even interfere with its usual
> > operation)?
> 
> Stupid question, but how do you know in advance where hits from worms will
> come from? Or are you getting massive hits from the same addresses repeatedly?
> 
> - Bob
> 
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
> 
> 

-- 
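
The log-watching approach Tim suggests above, as an added example that is not from the thread or any of its posters (Python here rather than Perl): it scans Apache access-log lines for request paths typical of worm probes and builds, without running, the iptables rules that would drop repeat offenders. The signature list, threshold, allowlist and sample log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed signatures: request paths commonly left in Apache logs by IIS
# worms such as Code Red and Nimda. Tune to what your own logs show.
WORM_PATTERNS = re.compile(r"default\.ida|cmd\.exe|root\.exe", re.IGNORECASE)

# Common/combined log format: client address first, request line in quotes.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)"')

THRESHOLD = 3                  # assumed: hits before an address is blocked
ALLOWLIST = {"127.0.0.1"}      # assumed: addresses that must never be blocked


def offenders(lines, threshold=THRESHOLD):
    """Return IPv4 addresses with at least `threshold` worm-like requests."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not WORM_PATTERNS.search(m.group(2)):
            continue
        try:
            # Validate: with HostnameLookups on this field can be a name,
            # and the value ends up inside a firewall command.
            ip = str(ipaddress.IPv4Address(m.group(1)))
        except ValueError:
            continue
        if ip not in ALLOWLIST:
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def iptables_rules(ips):
    """Build (not run) one DROP rule per address so it can be reviewed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


# Constructed sample log lines using documentation address ranges.
SAMPLE = [
    '192.0.2.10 - - [11/Feb/2004:09:00:01 -0500] "GET /default.ida?XXXX HTTP/1.0" 404 205',
    '192.0.2.10 - - [11/Feb/2004:09:00:02 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 205',
    '192.0.2.10 - - [11/Feb/2004:09:00:03 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 205',
    '198.51.100.7 - - [11/Feb/2004:09:01:00 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 205',
    '198.51.100.7 - - [11/Feb/2004:09:01:05 -0500] "GET /index.html HTTP/1.1" 200 1043',
] + ['127.0.0.1 - - [11/Feb/2004:09:02:00 -0500] "GET /scripts/root.exe HTTP/1.0" 404 205'] * 3

if __name__ == "__main__":
    for rule in iptables_rules(offenders(SAMPLE)):
        print(rule)
```

The threshold and allowlist keep a single stray request, or a client behind a shared proxy you depend on, from being locked out by an automatic rule.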




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org