Hi Valeri,

> On Fri, September 26, 2014 8:32 pm, Always Learning wrote:
> > Don't use cgi. Have no /cgi directory. Don't load mod_cgi
> >
> > Bash is patched (updated to new version). Automatically block IPs of
> > anyone trying to hack Apache. Am I safe?

> You are. But if you run the server you do want to serve what you want to
> serve. Now, imagine a hotel, everybody in it is behind a single router. One
> person has a hacked machine that tried to tap into your server. You block
> the IP, therefore everyone in Hotel... Now do you want to serve it? If not
> why start Apache at all? However, my case is different. If servers of
> our Departments don't serve anything [we need] to everybody, they do not
> need me, sysadmin, desktop support guy will be more suitable (and probably
> less expensive).

If a hacker, always using someone else's compromised computer, attempts to break in, their IP is blocked for all traffic within about 1 second. Yes that means one hacked computer's IP address is blocked for mail and web. I decline to let the hacker have repeated attempts to hack into, or abuse, any of my web sites.

If there are only a few access attempts after the IP address is blocked, the ban will expire monthly. If there are very many attempts, then the ban will expire about 3 weeks after the attempts stop.

If this inconveniences an innocent web user, I have neither ability to detect the inconvenience nor to determine the user's innocence.

I understand your hotel analogue. In England many hotel guests use their mobile phones or tablets - not on wifi but on direct radio (mobile telephone) links; each link having a distinctive IP address.

If the web hacker is operating through a data centre, then I permanently block, for port 80, the whole of the data centre's known IP block.

The alternative is to be a willing victim.

Best regards,

Paul
England - the USA's government's pet European poodle.