[EMAIL PROTECTED] wrote:
> I'm getting tired of the various things hitting my web server for things that
> don't exist. Last night someone tried over 3000 things off my server and
> only got back 5 valid pages which is the system home page.
>
> I've found both breakinguard and denyhosts to be very useful tools
> for stopping SSH brute force attacks. I'm thinking along those same
> lines. If bad-client tries over X web pages against my server, I no
> longer care to talk to them. Drop in an ip table shun and let them
> find some other server to poke at.
>
> This would close down a number of the sql injectors, scanners, etc.
>
> I'm sure I could modify the above to do what I want, but if someone
> has already done the work, why re-invent?

Perhaps adding a module to OSSEC would do what you want? It has the shell scripts to add hosts to your host-based firewall, and is triggered by log messages (and other items). It also has the hooks to take things out of iptables/your-host-firewall-of-choice. I've been running just the "stock" version for a while, and it is doing a good job of IP shunning the many SSH password guessing attacks.

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
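
One way to implement the threshold idea discussed in this thread, as an added example that is not part of either poster's message and is not OSSEC code: it counts 404 responses per client in a sliding window over an access log and builds the iptables rule for each offender. The log format (Apache common/combined), the threshold, the window, the allowlist parameter and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log format (assumed): IP, timestamp, request, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

# Constructed sample: one client probing missing pages, two ordinary clients.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2008:03:12:{s:02d} +0000] "GET /probe{s}.php HTTP/1.0" 404 208'
    for s in range(8)
] + [
    '198.51.100.7 - - [10/Oct/2008:03:12:09 +0000] "GET / HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Oct/2008:03:12:10 +0000] "GET /favicon.ico HTTP/1.1" 404 208',
]

def find_scanners(lines, max_misses=5, window=timedelta(seconds=60), allow=()):
    """Return IPs with more than max_misses 404s inside a sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "404":
            continue
        ip = m.group(1)
        try:
            # Validate before the value can reach a firewall command.
            ipaddress.IPv4Address(ip)  # IPv4 only; IPv6 would need ip6tables
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        if ip in allow:  # e.g. monitoring hosts, your own admin address
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # drop misses that fell out of the window
            hits.popleft()
        if len(hits) > max_misses and ip not in flagged:
            flagged.append(ip)
    return flagged

def shun_commands(ips):
    """Build (not run) the iptables rule that drops each flagged address."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    for cmd in shun_commands(find_scanners(SAMPLE_LOG)):
        print(cmd)
```

A broken link on your own site or a crawler following stale URLs also produces bursts of 404s, so set the threshold and allowlist with that in mind and give each shun an expiry.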
