On Wed, 2011-08-31 at 08:41 -0700, John R Pierce wrote:
> On 08/31/11 8:22 AM, Always Learning wrote:
> > Looking at your example seems to suggest Fail2Ban is an 'after the event' response. I would like to implement 'before the event' filtering which prevents, even on the first detected hacking attempt, anything reaching HTTPD.
> so you want another piece of software to parse the http protocol and analyze the traffic, before passing it on to your web server, which is going to parse the http protocol and deliver content? good luck with that.

No, I do not want "another piece of software to parse the http protocol and analyze the traffic".

IP Tables, in which I have great confidence and trust, can do it.

Thank you for your 'good luck' wishes.

> of course, to even consider doing such you would have to, in very precise terms, define exactly what comprises a 'hacking attempt'. do you give this filter a list of all valid URLs and trigger your block on any that aren't on that list?

My definition: a hacking attempt is deliberately, meaning not a typing error, sending an invalid web page request. Obviously one should exclude the 'standard' wrong URLs issued by some software like the M$ Office responses and crossdomain requests.

Inspection in IP Tables is performed before the data is passed to HTTPD. Therefore it is impossible to determine, at that point in the transmission process, the validity of incoming HTTP requests. Only HTTPD can decide that issue.

> anyways, the design of such would better be discussed on a security tools mail list as its a very general topic, there's nothing here even remotely centos specific.

IP Tables is and CentOS Ops or Sys Admins or others may wish to deploy the IP Tables blocking suggestion.
Paul.
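The blocking approach discussed in the thread (iptables inspecting port 80 traffic before it reaches HTTPD, dropping on the first hit, with the 'standard' wrong URLs excluded), written out as an added example script; it is not code from the thread or from either poster. It uses the iptables `string` and `recent` match modules, which exist on CentOS kernels of that era. The chain names, the ban duration, and the request patterns in PATTERNS and EXCLUDE are constructed for illustration; a real deployment would replace them with patterns taken from the site's own logs. IPT defaults to `echo`, so the script only prints the rules it would apply; run it as root with `IPT=iptables` to load them. As the thread itself points out, the string match sees one packet's payload at a time and cannot judge whether a request is valid; it only recognises byte patterns that the administrator has already decided are never legitimate.

```shell
#!/bin/sh
# Added example: iptables rules that drop inbound HTTP packets containing
# known-bad request strings and ban the source on the first hit.
# IPT=echo (the default) prints the rules instead of applying them.
IPT=${IPT:-echo}
BAN_SECONDS=3600                          # how long a source stays banned

# Constructed patterns: request paths assumed never to be legitimate on this host.
PATTERNS="/phpmyadmin/ /w00tw00t.at. /cgi-bin/php"
# Constructed exclusions: the 'standard' wrong URLs some software sends
# (an Office probe path and a Flash crossdomain request) that must not trigger a ban.
EXCLUDE="/MSOffice/cltreq.asp /crossdomain.xml"

build_http_block_rules() {
    # Two user chains: HTTP_FILTER inspects port 80 traffic, HTTP_BAN records
    # and drops offenders. Both names are hypothetical.
    $IPT -N HTTP_FILTER
    $IPT -N HTTP_BAN
    $IPT -A INPUT -p tcp --dport 80 -j HTTP_FILTER

    # Sources already on the ban list are dropped before any payload inspection.
    $IPT -A HTTP_FILTER -m recent --name HTTP_BAN --rcheck --seconds "$BAN_SECONDS" -j DROP

    # Excluded paths return to INPUT untouched so HTTPD answers them as usual.
    for pat in $EXCLUDE; do
        $IPT -A HTTP_FILTER -m string --algo bm --string "$pat" -j RETURN
    done

    # --algo bm: Boyer-Moore search of the packet payload. The match is per packet,
    # so it only finds patterns that fit inside one TCP segment.
    for pat in $PATTERNS; do
        $IPT -A HTTP_FILTER -m string --algo bm --string "$pat" -j HTTP_BAN
    done

    # First hit: remember the source address in the HTTP_BAN list, then drop.
    $IPT -A HTTP_BAN -m recent --name HTTP_BAN --set
    $IPT -A HTTP_BAN -j DROP
}

build_http_block_rules
```

The `--rcheck` rule is placed first so that a banned source never reaches the string matches again, and the exclusions come before the block patterns so that a benign probe is never mistaken for an attempt. Because the ban is keyed on source address by the `recent` module, shared NAT addresses will be banned as a whole; that is the trade-off of acting before HTTPD has seen the request.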