
Re: [cobalt-security] consistently pounded



This sort of thing is usually handled above the application level.  I have
my firewall configured to do this sort of thing, but not for the http
port (I do it on pop, imap and ssh).  It is difficult to determine what
is an attack and what is legitimate traffic.

It shouldn't be too hard to write a little program in Perl to monitor the
logs, and automatically fix up the .htaccess files if certain conditions
happen...

-Adam

On Tue, 23 May 2000, Theodore Jones wrote:

  | Date: Tue, 23 May 2000 20:21:57 -0700
  | From: Theodore Jones <theoj@xxxxxxxxxxxxx>
  | Reply-To: cobalt-security@xxxxxxxxxxxxxxx
  | To: cobalt-security@xxxxxxxxxxxxxxx
  | Subject: Re: [cobalt-security] consistently pounded
  | 
  | 
  | So why isn't there a simple way to have a script watch the error log report
  | and just add certain IP numbers to the hosts.deny file...?
  | 
  | ~ Theo
  | 
  | 
  | 
  | Adam Crews wrote:
  | 
  | > On Tue, 23 May 2000, Theodore Jones wrote:
  | >
  | >   | >
  | >   | >         2) You can install tcp wrappers (you really ought to have
  | >   | > 'em running anyway), configure them to monitor the httpd port and
  | >   | > add the bums to your hosts.deny file.
  | >
  | > I would strongly discourage tcp wrappers on the http port. You will get a
  | > huge performance hit.  One of the ways that a web server can be so fast is
  | > because it has several daemons running and waiting for connections.  If
  | > you tcpwrapper this, you can no longer do this.  Now, before the web
  | > daemon can even start up, it must pass the tcpwrappers, then it must load
  | > and parse the http config file (very slow if you have virtual hosts), and
  | > finally the http daemon won't take advantage of the ability to do multiple
  | > requests down a single connection.   Every request for an image, page,
  | > etc. will result in a tcpwrapper lookup, and the spawning of another http
  | > daemon.  Also if you have any dns slowness at all, tcpwrappers will take
  | > too long to spawn the web daemon.
  | >
  | > -Adam
  | >
  | > _______________________________________________
  | > cobalt-security mailing list
  | > cobalt-security@xxxxxxxxxxxxxxx
  | > http://list.cobalt.com/mailman/listinfo/cobalt-security
  | 
  |
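
The log-watching script suggested in this thread, as an added example that is not code from the list or its posters, written in Python rather than Perl. The error_log line shape, the threshold and window, the marker comments, the allow list and the `deny from` block syntax are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed error_log line shape: [date] [error] [client IP] message
LINE = re.compile(r"^\[([^\]]+)\] \[error\] \[client (\d{1,3}(?:\.\d{1,3}){3})\] ")
BEGIN, END = "# BEGIN auto-deny", "# END auto-deny"   # hypothetical markers

def offenders(lines, threshold=5, window=timedelta(seconds=60), allow=()):
    """Return sorted IPs that logged >= threshold errors inside one window."""
    recent = defaultdict(deque)        # ip -> timestamps still inside the window
    flagged = set()
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) in allow:
            continue                   # unparsable line, or an address we trust
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        q = recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()                # drop hits that aged out of the window
        if len(q) >= threshold:
            flagged.add(m.group(2))
    return sorted(flagged)

def update_htaccess(text, ips):
    """Merge ips into the managed deny block; other directives are untouched."""
    head, _, rest = text.partition(BEGIN)
    old, _, tail = rest.partition(END)
    known = set(re.findall(r"^deny from (\S+)$", old, re.M))
    block = [BEGIN, "order allow,deny", "allow from all"]
    block += [f"deny from {ip}" for ip in sorted(known | set(ips))]
    block.append(END)
    head = head.rstrip("\n")
    return (head + "\n" if head else "") + "\n".join(block) + "\n" + tail.lstrip("\n")

def _hit(sec, ip):                     # builds one constructed sample line
    return (f"[Tue May 23 20:{sec // 60:02d}:{sec % 60:02d} 2000] "
            f"[error] [client {ip}] File does not exist: /sample/path")

SAMPLE = ([_hit(s, "203.0.113.9") for s in range(0, 20, 4)]       # 5 hits in 16 s
          + [_hit(s, "198.51.100.4") for s in range(0, 600, 120)]  # 5 hits, spread out
          + [_hit(s, "192.0.2.1") for s in range(6)])              # noisy but trusted

if __name__ == "__main__":
    bad = offenders(SAMPLE, allow={"192.0.2.1"})
    print(update_htaccess("AuthType Basic\n", bad), end="")
```

The allow list and the burst window are where the "attack or legitimate traffic" judgement lives: the slow client with the same number of errors is left alone, and re-running the update does not duplicate entries.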