> On May 13, 2026, at 11:34 AM, Paul <[email protected]> wrote:
>
>
> We tried this, but our "abusers", a well distributed attack, were spoofing
> the referer. I've stopped (dropped) them at the moment with a rather ugly bit
> of logic in the perl/cgi, but if they're serious, it won't take them long to
> wake up.
I’d also recommend that you solve this at a different layer. Using fail2ban to
detect abuse, and then block it at the firewall, is fairly easy to set up with
mod_security, and solves a lot of adjacent problems too.
I have a recipe for that at
https://drbacchus.com/fail2ban-filter-block-based-on-mod_security-failures/
which sets up the integration between mod_sec and fail2ban, and I’m using to
detect common attacks that don’t necessarily come from a single known address.
—
Rich Bowen
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
