Re: Dynamically banning hosts

2003-07-15 Thread Stas Bekman
Mustafa Tan wrote:
> Is it possible to dynamically ban IP addresses using
> mod_perl. Like even the first connection from the
> specified ip will be rejected. I know that you can do
> this using httpd.conf but I am wondering how to do the
> same dynamically while Apache is running.
> Also how can I cope with denial of service attacks? I
> know there is no general solution to this, but is
> there a particular technique to ease the problem. The
> environment is one host that serves small number of
> people with a very limited bandwidth.

in mod_perl 2.0 you can do it even better:
http://perl.apache.org/docs/2.0/user/handlers/protocols.html#PerlPreConnectionHandler
or during the normal mp1-like handler:
http://perl.apache.org/docs/2.0/user/handlers/http.html#toc_PerlAccessHandler


__
Stas Bekman    JAm_pH -- Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide --- http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Re: Dynamically banning hosts

2003-07-14 Thread Perrin Harkins
On Fri, 2003-07-11 at 22:33, Mustafa Tan wrote:
> Is it possible to dynamically ban IP addresses using
> mod_perl.
[...]
> Also how can I cope with denial of service attacks?

Randal has a column that shows a technique for dealing with this:
http://www.stonehenge.com/merlyn/LinuxMag/col17.html

You can adapt it to your needs.

- Perrin


RE: Dynamically banning hosts

2003-07-12 Thread Jesse Erlbaum
Hi Mustafa --

> Is it possible to dynamically ban IP addresses using
> mod_perl. Like even the first connection from the
> specified ip will be rejected. I know that you can do
> this using httpd.conf but I am wondering how to do the
> same dynamically while Apache is running.

Yes, it is possible with mod_perl.  You can create a PerlAccessHandler
which allows or denies access for a particular client based on some
logic.  The Access phase is the appropriate place for such a handler.


> Also how can I cope with denial of service attacks? I
> know there is no general solution to this, but is
> there a particular technique to ease the problem. The
> environment is one host that serves small number of
> people with a very limited bandwidth.

I don't know of any particular CPAN module which would detect a DOS
attack.  There have been a few specialized modules, such as
Apache::CodeRed, but I don't think that's what you're looking for.

If you can define the nature of the attack, you can write code to defend
against it.  Mod_perl can definitely allow you to add logic at the right
time to implement such a defense.


Warmest regards,

-Jesse-


--

  Jesse Erlbaum
  The Erlbaum Group
  [EMAIL PROTECTED]
  Phone: 212-684-6161
  Fax: 212-684-6226
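
[Added example, not part of the original thread or written by any of its participants.] A sketch of the PerlAccessHandler approach described above for mod_perl 2.0: the handler re-reads a ban list whenever the file changes, so a ban applies without restarting Apache. The module name My::DynamicBan and the file path are assumptions chosen for illustration.

```perl
package My::DynamicBan;    # hypothetical module name
use strict;
use warnings;

use Apache2::RequestRec ();
use Apache2::Connection ();
use Apache2::Log ();
use Apache2::Const -compile => qw(OK FORBIDDEN);

# Enable in httpd.conf with:  PerlAccessHandler My::DynamicBan
# Assumed path; one IPv4/IPv6 address per line, '#' starts a comment.
my $BAN_FILE = '/etc/apache2/banned_ips.txt';

my %banned;              # per-child cache of banned addresses
my $loaded_mtime = 0;    # mtime of the file when the cache was built

# Reload only when the file's mtime changes, so an edit takes effect on
# the next request each child serves.
sub refresh_bans {
    my $mtime = (stat $BAN_FILE)[9];
    return unless defined $mtime;        # file missing: keep last good list
    return if $mtime == $loaded_mtime;
    open my $fh, '<', $BAN_FILE or return;
    my %fresh;
    while (my $line = <$fh>) {
        $line =~ s/#.*//;                # strip comments
        $line =~ s/^\s+|\s+$//g;         # trim whitespace and newline
        $fresh{lc $line} = 1 if length $line;
    }
    close $fh;
    %banned       = %fresh;
    $loaded_mtime = $mtime;
}

sub handler {
    my $r = shift;
    refresh_bans();
    my $c = $r->connection;
    # Apache 2.4 renamed remote_ip to client_ip; support both builds.
    my $ip = $c->can('client_ip') ? $c->client_ip : $c->remote_ip;
    if ($banned{lc $ip}) {
        $r->log_error("My::DynamicBan: refused banned client $ip");
        return Apache2::Const::FORBIDDEN;
    }
    return Apache2::Const::OK;
}

1;
```

Because the reload check compares mtimes, replace the ban file atomically (write a temporary file, then rename it) so a child never reads a half-written list. The address compared is the TCP peer, so behind a reverse proxy every client would appear as the proxy's address.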


RE: Dynamically banning hosts

2003-07-12 Thread Ged Haywood
Hi there,

On Sat, 12 Jul 2003, Jesse Erlbaum wrote:

> > Is it possible to dynamically ban IP addresses using mod_perl.
>
> Yes, it is possible with mod_perl.  You can create a PerlAccessHandler

In addition to Jesse's comments, I'd suggest that you might want to
look at firewalling techniques to eliminate the requests before they
ever reach your server.  If your mod_perl server is doing the access
denial, then there has already been a lot of processor activity wasted
on the attack.  Something like IPCop is freely available, easy to
configure (if you avoid pitfalls with multiple Ethernet cards being
shuffled:) and very effective.

But there is no easy solution to a determined DOS attack on an open IP.

73,
Ged.