There's Kickstarter's Rack::Attack if you're willing to "upgrade" to i.e. Ruby on Rails:
https://github.com/kickstarter/rack-attack

I find this quite nice along with those pf bruteforce tables mentioned earlier.

Murk

On Fri, Sep 30, 2016 at 12:54 AM, Daniel Ouellet <dan...@presscom.net> wrote:

> > I don't think bruteforce will be helpful in my case. I do occasionally
> > get bruteforce attacks, but not very often.
> > What I usually get are identical attacks of a certain set of variations
> > of URLs from one IP address. A little later the same thing from another
> > IP, then another, etc.
> >
> > One of the reasons I am thinking of a mod_perl solution is that mod_perl
> > can step in very early in the Apache process. All kinds of things can be
> > done long before normal access is available to other processes.
> > But I have no experience using any of these parts of mod_perl. I have
> > only used later functions in the cycle.
>
> You can look in the archive.
>
> I did and continue to do some where Apache is still in use a redirect
> instead to the origin. You can sure redirect to some well funded
> government agency instead if you like as it is faster for them to react
> to attack on themselves as opposed to you reporting them. Just a funny
> thought. The only part is this setup works very well and is pretty darn
> efficient too, but it also means you need to add to your filters from time
> to time when you see something new in your logs.
>
> You could even redirect to the origin anything that is NOT valid on your
> site if you want, not sure that's a good idea, may well be a stupid one,
> but that's up to you if you run your own site. Just a thought.
>
> Anyway, look in this thread, I put plenty of examples 11 years ago using
> Apache rewrite mod.
>
> https://marc.info/?l=openbsd-misc&m=110745960831277&w=2
>
> or the start of the thread
>
> https://marc.info/?t=110745731900004&r=1&w=2
>
> Some even push the idea to redirect them to various government agencies.
> After all that's just your tax dollar at work isn't it.... I just do not
> do this for ethical reasons, but as you see many see it differently.
>
> For me, I return them to the origin instead, or drop it.
>
> I did also add in the past a log to sql for bad url to get feedback in
> real time by doing a redirect to a simple sh script to log directly in
> the database, just to support high volume, but you can do the same with
> php only if your traffic level is high but not huge. Up to you. Plenty
> of ideas on the subject and it is limited only by your imagination of
> how aggressive you want to be.
>
> https://marc.info/?l=openbsd-misc&m=110772972803127&w=2
>
> Anyway, that was 11 years ago and was working very well and still does
> well if you still use Apache and is all easy to use and set up. And I can
> say it is surprisingly very efficient too, especially if you redirect it
> to the right location. Looks like some attacks are willing to go attack
> whoever, but when they are redirected to big bad boys, curiously the
> attack on you stops as I can only guess they do not like to be sent back
> on places that have resources to fight back I guess. (:'
>
> In any case, this was a very old idea I put to work long ago, I am sure
> if you want you can improve on it. I never used PERL for this as the
> volume I was dealing with at the time was way too high for it, but in a
> decade, servers improve in performance as well, your mileage may vary.
>
> Have fun!
>
> Daniel
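
The traffic described in the quoted message (one IP requesting a fixed set of probe URLs, then another IP repeating the same set) is low-rate, so blocking has to key on the requested path, not on request volume. The following is an added example, not code from this thread and not Rack::Attack's own API: a plain Rack-style middleware with no gem dependencies that denies probe requests and bans the source IP after repeated hits. The class name `ProbeBlocker`, the URL patterns and the thresholds are constructed for illustration.

```ruby
# Added example: plain Rack-style middleware, no gems required.
# PROBE_PATTERNS, MAX_HITS and BAN_SECONDS are constructed sample values;
# replace the patterns with what actually shows up in your own logs.
class ProbeBlocker
  PROBE_PATTERNS = [
    %r{\A/(wp-login|xmlrpc)\.php\z}i,
    %r{\A/phpmyadmin(/|\z)}i,
    %r{\A/cgi-bin/},
    %r{\.\./}
  ].freeze
  MAX_HITS    = 2      # probe requests tolerated before the IP is banned
  BAN_SECONDS = 3600   # how long a ban lasts

  # clock is injectable so ban expiry can be exercised without sleeping
  def initialize(app, clock: -> { Time.now.to_i })
    @app    = app
    @clock  = clock
    @hits   = Hash.new(0)  # ip => number of probe requests seen
    @banned = {}           # ip => ban expiry (epoch seconds)
  end

  def banned?(ip)
    expiry = @banned[ip]
    return false unless expiry
    return true if expiry > @clock.call
    @banned.delete(ip)     # ban has expired: forget the IP entirely
    @hits.delete(ip)
    false
  end

  def call(env)
    ip = env["REMOTE_ADDR"]
    return deny if banned?(ip)
    if PROBE_PATTERNS.any? { |re| re.match?(env["PATH_INFO"].to_s) }
      @hits[ip] += 1
      @banned[ip] = @clock.call + BAN_SECONDS if @hits[ip] >= MAX_HITS
      return deny          # a probe URL is never passed to the application
    end
    @app.call(env)
  end

  private

  def deny
    [403, { "content-type" => "text/plain" }, ["Forbidden\n"]]
  end
end
```

State here lives in one process's memory and is not synchronized, so a multi-worker or threaded deployment needs a shared store and locking. Behind a reverse proxy, `REMOTE_ADDR` is the proxy's address unless the client address is restored upstream.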