New Project on automatic IP Blacklisting based on Apache Logs: opinion asked

kthomeer · 03-20-2011, 01:41 PM

Hi,

I made a small project that makes an IP blacklist based on Apache Access Logs.

You can find it here:

http://blacklist.ict-health.be/

I made it because I couldn't find other ways to block the numerous access to my webserver for screening security holes. The system is totaly automatic.

What do you think about it? Is it usefull? Or are there better ways?

Sincerely,

Koen

alunduil · 03-20-2011, 08:34 PM

Would it have been possible to leverage fail2ban to accomplish this as well? I've never had good luck using fail2ban in this way but just wondering if you had tried that solution? Other than that thought, good work! I'll be checking this out to see if it can be used as a nice slowloris or DOS attack mitigation technique.

Regards,

Alunduil

kthomeer · 03-21-2011, 03:52 AM

Quote:

Originally Posted by alunduil

Would it have been possible to leverage fail2ban to accomplish this as well?

Thx,

it seems that fail2ban is made for protection against brute force password attacks.

Not for attacks against security holes (mod_proxy, phpMyAdmin, ...)

Koen

alunduil · 03-21-2011, 10:09 AM

Actually, the design is flexible enough that if you can match a string in a log file it can setup the firewall rule to block an IP address. It's just a matter of crafting the right regex for the job.

Regards,

Alunduil

kthomeer · 03-21-2011, 01:43 PM

Quote:

Originally Posted by alunduil

Actually, the design is flexible enough that if you can match a string in a log file it can setup the firewall rule to block an IP address. It's just a matter of crafting the right regex for the job.

That's correct.

But the extra's in this concept:
- blacklist is centralised
- everebody can use the blacklist freely