On Sat, 2011-08-20 at 22:43 -0500, Barry Brimer wrote:
When a web site is attacked, so far by unsuccessful hackers, my error routine adds the attacker's IP address, prefixed by 'deny', to that web site's .htaccess file. It works and the attacker, on second and subsequent attacks, gets a 403 error response.
Have you looked at mod_evasive? http://www.zdziarski.com/blog/?page_id=442
Thank you for the suggestion. I have just looked at it and see:-
* Requesting the same page more than a few times per second
* Making more than 50 concurrent requests on the same child per second
* Making any requests while temporarily blacklisted ...
My requirement, based on observations, is to instantly cut off the IP's access as soon as a wrong URL is entered. When a web page error occurs it is handled by a PHP routine. Two sets of checks show whether it was an 'innocent' mistake or a known hacking attempt. Currently known hacking attempts are blocked at the web site's .htaccess file.
mod_evasive lacks the ability to compare the erroneous page request and then take action. Clive's helpful /etc/sudoers suggestion overnight seems ideal because (if it works for my routine) it will let me block an IP address at iptables and limit that blocking to a port.
My check list has 104 'words' which cause an IP address to be blocked. When my revised system is working satisfactorily with whole server blocking I will publish the details on the web.
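The classify-then-deny routine described in this thread, as an added example and not the list member's own PHP code: a Python stand-in that checks a missing URL against a constructed token list (the real 104-entry list is not in the post) and appends a 'deny from' line only for a validated, non-duplicate IP address.

```python
import ipaddress
import tempfile
from pathlib import Path

# Constructed stand-in for the author's 104-entry list of blocking 'words';
# the post does not reproduce the real list.
HOSTILE_TOKENS = ("phpmyadmin", "wp-login.php", "../", "/etc/passwd", "cmd.exe")

def classify_404(request_uri: str) -> str:
    """'hostile' if the missing URL contains a blocklist token, else 'innocent'."""
    uri = request_uri.lower()
    return "hostile" if any(tok in uri for tok in HOSTILE_TOKENS) else "innocent"

def handle_error(request_uri: str, remote_addr: str, htaccess: Path) -> str:
    """Mimic the error routine: deny hostile requesters in .htaccess.

    remote_addr must be the socket peer (REMOTE_ADDR), never a client-supplied
    header such as X-Forwarded-For, which a client can set to anything.
    """
    if classify_404(request_uri) == "innocent":
        return "ignored"
    try:
        ip = ipaddress.ip_address(remote_addr)  # only a literal IP reaches the file
    except ValueError:
        return "bad_address"
    # Apache 2.2 syntax as in the post; Apache 2.4 uses "Require not ip ..." instead.
    line = f"deny from {ip}"
    existing = htaccess.read_text().splitlines() if htaccess.exists() else []
    if line in existing:
        return "already_blocked"  # repeat attack: the 403 is already in place
    with htaccess.open("a") as fh:
        fh.write(line + "\n")
    return "blocked"

def demo() -> tuple[list[str], int]:
    """Run a constructed request sequence against a scratch .htaccess file."""
    htaccess = Path(tempfile.mkdtemp()) / ".htaccess"
    requests = [
        ("/about.html", "203.0.113.7"),            # innocent typo: no action
        ("/phpMyAdmin/index.php", "203.0.113.7"),  # known probe: block
        ("/phpMyAdmin/index.php", "203.0.113.7"),  # repeat: already denied
        ("/wp-login.php", "not an ip"),            # unusable address: refuse to write
    ]
    actions = [handle_error(uri, addr, htaccess) for uri, addr in requests]
    return actions, htaccess.read_text().count("deny from")

if __name__ == "__main__":
    print(demo())
```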