In my opinion, the appropriate thing to do here is drop the connection (so most clients would time out) for bad requests, along with a short-term IP "block" for stuff that becomes real problems. Not a true block, though, but instead a fixed content "your address is being used as a part of a hostile action, please try again later" type message in place of legit content.
In this context, a bad request (enough to drop the connection) is a request for a URL pattern which your site does not host. To trigger the block you'd need something more obviously malicious. I don't think modperl is going to be able to help you with that, yet. You (or someone else) would need to do some significant groundwork, first.

I hope this helps (but I know it's inadequate),

Thanks,

-- Raul

On Wed, Sep 28, 2016 at 1:20 PM, Chris Bennett <chrisbenn...@bennettconstruction.us> wrote:
> I am not sure what is appropriate, given netiquette and practicality for
> my server. I am sick of thousands of identical requests in my error log,
> plus I want to be able to look over my logs easily to find any real
> problems.
>
> Below is a copy of the question I sent to modp...@perl.apache.org
> So far they have never answered any questions I have asked.
>
>
> Right now I am using a simple script from the error log to block
> permanently any requests from that IP using OpenBSD pf.
>
> That simply doesn't work well enough anymore due to the time lag between
> 20+ requests at once getting to the log file.
>
> OpenBSD no longer uses Apache 1 so I am going to move to Apache 2 and
> study how to make the changes, so now is a great time for me to move in
> anything new that I haven't used before.
>
> Right now I have a list of regexes for attack URLs and requests for
> anything with cgi or php in them, which I don't use.
>
> At first glance, it seems to me that setting up a filter to use to block
> anything in my ever growing list seems appropriate. Right or wrong?
>
> If that's right, what should I do to these requests? I would prefer to
> not build up a set of IP addresses to block since they may be forged
> addresses and a real user might get blocked later on. Plus, I
> occasionally screw up and block my own IP address so I keep an SSH
> session open before experimenting.
>
> Or am I looking at this wrong?
> Any help appreciated.
>
> Chris Bennett
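As an added illustration, not code from either poster, here is the tiered response Raul describes (drop a single request for an unhosted path, serve a fixed "try again later" page to an address that keeps doing it, and let that block expire so a forged or reassigned address is never blocked for good), run over constructed access-log lines. It stands in for what would be a mod_perl handler; the threshold, window and block length are assumed values, and the only "unhosted" criterion used is the poster's own "anything with cgi or php in it".

```python
import re
from collections import defaultdict
from datetime import datetime

# Paths this site never serves: the thread's own criterion is "anything with
# cgi or php in it"; the owner's growing regex list of probe URLs goes here too.
UNHOSTED = [re.compile(r'cgi|php', re.I)]
# Apache combined-log prefix: client IP, timestamp, request path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"')

class RequestGate:
    """Tiered response: one request for an unhosted path is dropped (client
    times out); an address repeating it `threshold` times within `window`
    seconds gets the fixed 'try again later' page for `block_seconds` only,
    so a spoofed or reassigned address is never blocked permanently."""
    def __init__(self, threshold=5, window=60, block_seconds=300):
        self.threshold, self.window, self.block_seconds = threshold, window, block_seconds
        self.hits = defaultdict(list)  # ip -> timestamps of recent bad requests
        self.blocked_until = {}        # ip -> block expiry (epoch seconds)

    def decide(self, ip, path, now):
        """Returns 'allow', 'drop' or 'block' for one request at time `now`."""
        if ip in self.blocked_until:
            if now < self.blocked_until[ip]:
                return "block"
            del self.blocked_until[ip]  # short-term block has expired
        if not any(p.search(path) for p in UNHOSTED):
            return "allow"
        recent = [t for t in self.hits[ip] if now - t < self.window] + [now]
        if len(recent) >= self.threshold:
            self.blocked_until[ip] = now + self.block_seconds
            self.hits[ip] = []
            return "block"
        self.hits[ip] = recent
        return "drop"

def replay(gate, log_lines):
    """Feed access-log lines through the gate; returns (ip, path, verdict) per line."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line; skip rather than guess
        ip, ts, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        out.append((ip, path, gate.decide(ip, path, now=when)))
    return out

SAMPLE_LOG = [  # constructed lines, not the poster's real logs
    '192.0.2.10 - - [28/Sep/2016:13:20:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [28/Sep/2016:13:20:02 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
    '192.0.2.10 - - [28/Sep/2016:13:20:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0',
    '192.0.2.10 - - [28/Sep/2016:13:20:04 +0000] "GET /index.html HTTP/1.1" 200 512',
]
```

In a real handler the "drop" verdict closes the connection and "block" returns the fixed page with a 503-style status, so the error log records one line per verdict instead of thousands of identical probes.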