[CentOS] Apache attacks - you can't stop them, or can you?

Wed Mar 6 18:49:13 UTC 2013
Gordon Messmer <yinyang at eburg.com>

On 03/06/2013 05:25 AM, Lorenzo Quatrini wrote:
> The "downside" of using fail2ban is that you will start receiving email about
> banned hosts; but that is configurable, as is the number of failed attempts
> before being banned.

The other down side is that if you set up a new virtual host and don't 
put a favicon.ico file in its root, you'll ban every visitor with the 
configuration that you shared.

You'll also ban everyone that tries to visit a section of any site 
that's protected with HTTP authentication, regardless of whether or not 
they are a legitimate user.

404s are not uncommon, and should not be used as the sole basis for 
blocking.

Rule processing can become very CPU intensive if the list becomes long. 
Using fail2ban for HTTP will work on relatively unknown servers, but 
once a server has been running long enough to be frequently scanned, you 
probably will find that your kernel spends a lot of time checking the 
firewall for every new TCP connection.

The best way to defend an HTTP server is to serve only static content. 
If you have non-static content, protect it with HTTP AUTH.  If you have 
non-static content that must be publicly accessible, keep it up to date 
and consider the use of an external IDS like Snort.  It's $500/year for 
the intrusion definitions IIRC, and well worth that.
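The false positives described above (a missing favicon.ico, or 401 challenges from HTTP auth, counted as "failures") can be shown on sample log data. The following Python script is an added example, not part of this message or of the fail2ban project: it parses Apache combined-format log lines, applies a naive "ban after N 404/401 responses" rule of the kind the thread warns about, and contrasts it with a stricter rule that ignores 401 challenges and well-known missing files and counts only distinct missing paths per client. All log lines and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log line; we only need the client IP, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Files that browsers request on their own; a 404 for them says nothing about intent.
IGNORED_FILES = {"favicon.ico", "robots.txt", "apple-touch-icon.png"}

# Constructed sample log (not from any real server):
#   203.0.113.10  - ordinary visitor on a vhost with no favicon.ico
#   198.51.100.7  - legitimate user entering an HTTP-auth protected area (401s, then 200)
#   192.0.2.99    - client walking through paths that do not exist
SAMPLE_LOG = """\
203.0.113.10 - - [06/Mar/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 1234
203.0.113.10 - - [06/Mar/2013:10:00:01 +0000] "GET /favicon.ico HTTP/1.1" 404 209
203.0.113.10 - - [06/Mar/2013:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 800
203.0.113.10 - - [06/Mar/2013:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209
203.0.113.10 - - [06/Mar/2013:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.7 - - [06/Mar/2013:10:01:00 +0000] "GET /admin/ HTTP/1.1" 401 381
198.51.100.7 - - [06/Mar/2013:10:01:05 +0000] "GET /admin/ HTTP/1.1" 401 381
198.51.100.7 - - [06/Mar/2013:10:01:07 +0000] "GET /admin/ HTTP/1.1" 401 381
198.51.100.7 - - [06/Mar/2013:10:01:09 +0000] "GET /admin/ HTTP/1.1" 200 4096
192.0.2.99 - - [06/Mar/2013:10:02:00 +0000] "GET /does-not-exist-1/ HTTP/1.1" 404 209
192.0.2.99 - - [06/Mar/2013:10:02:00 +0000] "GET /does-not-exist-2/ HTTP/1.1" 404 209
192.0.2.99 - - [06/Mar/2013:10:02:01 +0000] "GET /does-not-exist-3/ HTTP/1.1" 404 209
192.0.2.99 - - [06/Mar/2013:10:02:01 +0000] "GET /does-not-exist-4/ HTTP/1.1" 404 209
"""


def parse(log_text):
    """Yield (ip, path, status) for every line that matches the combined format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def naive_bans(log_text, threshold=3):
    """Rule the thread warns about: ban any client with >= threshold 404 or 401 responses."""
    counts = Counter()
    for ip, _path, status in parse(log_text):
        if status in (401, 404):
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def stricter_bans(log_text, threshold=3):
    """Ignore 401 challenges and browser-initiated files; ban only on >= threshold
    *distinct* missing paths, which is what path enumeration looks like."""
    missing = defaultdict(set)
    for ip, path, status in parse(log_text):
        if status != 404:
            continue
        if path.rsplit("/", 1)[-1] in IGNORED_FILES:
            continue
        missing[ip].add(path)
    return sorted(ip for ip, paths in missing.items() if len(paths) >= threshold)


if __name__ == "__main__":
    print("naive rule bans:   ", naive_bans(SAMPLE_LOG))
    print("stricter rule bans:", stricter_bans(SAMPLE_LOG))
```

With the constructed log, the naive rule bans all three clients, including the visitor whose browser simply asked for a favicon and the user who answered an HTTP-auth prompt; the stricter rule bans only the client requesting a series of distinct non-existent paths. Even the stricter rule is a heuristic, which is the point of the message: 404s alone are not evidence of hostility, and whatever fires a ban should be something a legitimate visitor cannot trigger by accident.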