[Dshield] A Couple of New Apache Hack Patterns

David Cary Hart DShield at TQMcube.com
Fri Dec 16 15:39:39 GMT 2005


On Thu, 15 Dec 2005 20:47:39 -0500
jayjwa <jayjwa at atr2.ath.cx> opined:
> On Wed, 14 Dec 2005, David Cary Hart wrote:
> 
> -> The strategy I am using these days is to SWATCH the patterns -> rewrite
> -> rule to hacker.php -> firewall rule. The purpose of the interim
> -> hacker.php is to provide information just in case of a false positive.
> -> Hacker.php then writes a unique line to access_log which swatch
> -> recognizes to trigger the firewall rule.
> 
> You didn't try the mod_security? http://www.modsecurity.org/
> 
I have and it is expensive. The swatch daemons consume no bandwidth and do not interfere with the responsiveness of Apache. I have since modified this to remove the rewrite and go directly to the firewall rule with an email advisory.

-- 
Our DNSRBL - 
           Eliminate Spam: http://www.TQMcube.com/spam_trap.php
          Multi-RBL Check: http://www.TQMcube.com/rblcheck.php
            Zombie Graphs: http://www.TQMcube.com/zombies.php
              GeoGraphics: http://www.TQMcube.com/origins.php
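
The log-pattern-to-firewall-rule flow discussed in this thread, as an added Python example; it is not the poster's swatch configuration or code from the original message. The request patterns, allowlist networks and log lines are constructed for illustration, and the commands are only built, not executed.

```python
import ipaddress
import re

# Apache common/combined log prefix: client, ident, user, [time], "request"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')
# Constructed patterns; the thread's actual swatch patterns are not on the page.
PATTERNS = [re.compile(r'^GET /hacker\.php\b'),
            re.compile(r'^(GET|POST) /example-probe\.cgi\b')]
# Assumed admin/monitoring ranges that must never be blocked (false-positive guard).
ALLOW = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.0.2.0/28")]

def offenders(lines, patterns=PATTERNS, allow=ALLOW):
    """Return unique client IPs, in first-seen order, whose request matches a pattern."""
    seen, out = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: never guess at a source address
        client, request = m.groups()
        try:
            ip = ipaddress.ip_address(client)  # rejects hostnames and stray text
        except ValueError:
            continue
        if ip in seen or any(ip in net for net in allow):
            continue
        if any(p.search(request) for p in patterns):
            seen.add(ip)
            out.append(ip)
    return out

def block_commands(ips):
    """Build argv lists (no shell involved) for one DROP rule per offender."""
    return [["ip6tables" if ip.version == 6 else "iptables",
             "-I", "INPUT", "-s", str(ip), "-j", "DROP"] for ip in ips]

# Constructed sample access_log lines (documentation address ranges).
SAMPLE = [
    '203.0.113.7 - - [16/Dec/2005:15:01:02 +0000] "GET /hacker.php HTTP/1.0" 200 512',
    '203.0.113.7 - - [16/Dec/2005:15:01:03 +0000] "GET /hacker.php HTTP/1.0" 200 512',
    '198.51.100.9 - - [16/Dec/2005:15:02:10 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.5 - - [16/Dec/2005:15:03:00 +0000] "GET /hacker.php HTTP/1.1" 200 512',
    'host.example.net - - [16/Dec/2005:15:04:00 +0000] "POST /example-probe.cgi HTTP/1.0" 404 0',
    '2001:db8::1 - - [16/Dec/2005:15:05:00 +0000] "POST /example-probe.cgi HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    print(block_commands(offenders(SAMPLE)))
```

Parsing the client field with `ipaddress` before it reaches a command line keeps log content from being interpreted as anything other than an address, and the allowlist covers the false-positive case the thread mentions.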

