> I don't think bruteforce will be helpful in my case. I do occasionally
> get bruteforce attacks, but not very often.
> What I usually get are identical attacks of a certain set of variations
> of URLs from one IP address. A little later the same thing from another
> IP, then another, etc.
>
> One of the reasons I am thinking of a mod_perl solution is that mod_perl
> can step in very early in the Apache process. All kinds of things can be
> done long before normal access is available to other processes.
> But I have no experience using any of these parts of mod_perl. I have
> only used later functions in the cycle.

You can look in the archive. I did, and continue to do where Apache is still in use, a redirect to the origin instead. You can sure redirect to some well funded government agency instead if you like, as it is faster for them to react to an attack on themselves as opposed to you reporting them. Just a funny thought. The only part is this setup works very well and is pretty darn efficient too, but it also means you need to add to your filters from time to time when you see something new in your logs.

You could even redirect to the origin anything that is NOT valid on your site if you want. Not sure that's a good idea, it may well be a stupid one, but that's up to you if you run your own site. Just a thought.

Anyway, look in this thread, I put plenty of examples 11 years ago using the Apache rewrite mod.

https://marc.info/?l=openbsd-misc&m=110745960831277&w=2

or the start of the thread

https://marc.info/?t=110745731900004&r=1&w=2

Some even push the idea to redirect them to various government agencies. After all that's just your tax dollars at work, isn't it.... I just do not do this for ethical reasons, but as you see many see it differently. For me, I return them to the origin instead, or drop it.

I did also add in the past a log to SQL for bad URLs to get feedback in real time, by doing a redirect to a simple sh script to log directly in the database, just to support high volume, but you can do the same with PHP only if your traffic level is high but not huge. Up to you. Plenty of ideas on the subject and it is limited only by your imagination of how aggressive you want to be.

https://marc.info/?l=openbsd-misc&m=110772972803127&w=2

Anyway, that was 11 years ago and was working very well, and still does well if you still use Apache, and it is all easy to use and set up. And I can say it is surprisingly very efficient too, especially if you redirect it to the right location.

Looks like some attacks are willing to go attack whoever, but when they are redirected to the big bad boys, curiously the attack on you stops, as I can only guess they do not like to be sent back to places that have resources to fight back I guess. (:'

In any case, this was a very old idea I put to work long ago. I am sure if you want you can improve on it. I never used PERL for this as the volume I was dealing with at the time was way too high for it, but in a decade, servers improve in performance as well, your mileage may vary.

Have fun!

Daniel