On Mon, 2011-08-29 at 13:35 -0500, Les Mikesell wrote:
> For light use you could drop in VMware server or player or virtualbox without much effect on the current system. It shouldn't be necessary, though, unless you'd like to install otherwise conflicting rpm packages or give root access to someone on the virtual server only.
I've used VirtualBox successfully for Windoze 98 to run Ami Pro 3.1.
> So why can't you do that for your new virtualhost instead of running on a different IP?
A mentally deranged lunatic has sent 30,000+ wrong URLs to a tiny web site. It started about 5 August but significantly escalated on 22 August.
My Apache routine can add the IPs to iptables and block them. Since 22 August the lunatic has used over 100 different IPs from around the world to send those wrong URLs which always seem to include one of these:-
forgotten_password.php
login.php
contact.php
Assigning a spare IP address to this small web site should make it easier for me to experiment with iptables and examine TCP packets without disturbing the server's normal workings. For example, no valid HTTP request sent to that IP address should contain 'pas' or 'log' or 'con', so if I detect these the packets can be dropped - that is the theory. With dropped packets I lose the ability to easily record IP address and host name. However my web page has over 100 entries of machines compromised in the current abuse, so losing new details is worth the satisfaction of blocking the loony.
> If you are just firewalling there, apache can permit/deny ip ranges on its own for a location or virtualhost.
I don't know which IP address to block until at least one 'hit'. For low level abuse, I use a routine to add 'Deny from' to the site's .htaccess file. An IP blocked with this method can still access HTTPD where it will receive a 403 rejection. Thus successful blocks still involve the web server.
By filtering in iptables by IP and then port, I can try to identify those keywords: con, pas, log and, if successful, drop the packets. Packet length, used by this lunatic, with a very few exceptions, is 60 bytes, so I could potentially identify the required 3-byte fragments.
It is amazing so many machines can be broken into or misused by one deranged lunatic. I wonder if those machines run on Windoze.
Paul.
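The log-driven blocking Paul describes (an Apache routine that finds offending IPs and emits `Deny from` lines or iptables rules), together with the string-match idea for the spare IP, as an added example. This is not Paul's routine or anything from the list; the log lines are constructed, the site address 192.0.2.10 is a placeholder, and the `-m string` rule assumes the iptables string match module is available on the box. The generated rules are returned as strings rather than executed, so it can be run anywhere to check what would be applied.

```python
import re
from collections import Counter

# Constructed sample Apache combined-format log lines (not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Aug/2011:10:15:01 +0100] "GET /forgotten_password.php HTTP/1.1" 404 294 "-" "Mozilla/4.0"
203.0.113.7 - - [22/Aug/2011:10:15:02 +0100] "GET /login.php HTTP/1.1" 404 294 "-" "Mozilla/4.0"
198.51.100.23 - - [22/Aug/2011:10:16:44 +0100] "GET /contact.php HTTP/1.1" 404 294 "-" "Mozilla/4.0"
192.0.2.55 - - [22/Aug/2011:10:17:09 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Aug/2011:10:18:30 +0100] "POST /login.php?x=1 HTTP/1.1" 404 294 "-" "curl/7.19"
192.0.2.55 - - [22/Aug/2011:10:19:00 +0100] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# The three filenames named in the post. Matching the whole filename rather than the
# 3-byte fragments 'pas'/'log'/'con' keeps the match from firing on ordinary header text.
BAD_PATHS = ("forgotten_password.php", "login.php", "contact.php")

# Client IP, request method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def offending_ips(log_text, bad_paths=BAD_PATHS, threshold=1):
    """Return {ip: hit_count} for clients that requested any of bad_paths at least threshold times."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path.rsplit("/", 1)[-1] in bad_paths:
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def htaccess_deny_lines(ips):
    """Apache 2.2 'Deny from' lines for .htaccess; the client still reaches httpd and gets a 403."""
    return ["Deny from %s" % ip for ip in sorted(ips)]


def iptables_drop_rules(ips, site_ip):
    """iptables rules that drop traffic from each IP to the site address before httpd sees it."""
    return ["iptables -I INPUT -s %s -d %s -j DROP" % (ip, site_ip) for ip in sorted(ips)]


def iptables_string_rules(site_ip, bad_paths=BAD_PATHS):
    """Rules using the iptables 'string' match to drop packets to the site that carry one of the filenames.

    Assumes the kernel has the string match (xt_string) available. Only packets to the spare
    address on port 80 are inspected, so the server's other sites are untouched.
    """
    return [
        'iptables -I INPUT -d %s -p tcp --dport 80 -m string --string "%s" --algo bm -j DROP'
        % (site_ip, path)
        for path in bad_paths
    ]


if __name__ == "__main__":
    SITE_IP = "192.0.2.10"  # placeholder for the spare address given to the small site
    found = offending_ips(SAMPLE_LOG)
    for ip, count in sorted(found.items()):
        print("%s hit the bad URLs %d time(s)" % (ip, count))
    print("\n".join(htaccess_deny_lines(found)))
    print("\n".join(iptables_drop_rules(found, SITE_IP)))
    print("\n".join(iptables_string_rules(SITE_IP)))
```

The `threshold` argument lets the per-IP rules wait for more than one hit before blocking, which avoids shutting out a client that followed a single stale link, while the string-match rules apply to the spare address only and so do not need an IP to be known in advance.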