Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
05-01-2006, 05:21 PM, #1
Member; Registered: Mar 2004; Location: Tokyo, Japan; Distribution: Backtrack 5 R3; Posts: 145
Entries in hosts.deny file
I'm running Apache on a Debian Sarge server. Every day I check the log files and I see people trying to open directories I don't have in my web path. I take their IPs and add them to my hosts.deny file.
How much can this slow down your system? I have several entries in my hosts.deny file and they're growing almost daily. How much of a problem does this pose?
Thanks for any input you can offer.
05-01-2006, 06:08 PM, #2
LQ Sage; Registered: Nov 2004; Location: Saint Amant, Acadiana; Distribution: Gentoo ~amd64; Posts: 7,675
I wouldn't bother loading up hosts.deny like that. You cannot kill every mosquito, can you?
05-01-2006, 06:18 PM, #3
Member (Original Poster); Registered: Mar 2004; Location: Tokyo, Japan; Distribution: Backtrack 5 R3; Posts: 145
Can't swat every fly, but.
True, and I've wondered how futile it is to do this. But I really hate it when people try to get in and illegally mine data. It really gets to me. So putting their IPs in hosts.deny at least keeps them from coming back.
Do you recommend something else? I'm open to ideas. What's happening is I see in my apache2/error.log entries like "<host IP> /www/php/sumthin.php 404 ...." and there will be dozens of attempts from the same IP. I'll take the IP and enter it into hosts.deny and they don't come back.
Is there a better way (there has to be!)
Thanks
05-01-2006, 06:49 PM, #4
LQ Sage; Registered: Nov 2004; Location: Saint Amant, Acadiana; Distribution: Gentoo ~amd64; Posts: 7,675
Well, there is a method to add temporary rules to the firewall if there are too many failed attempts to log in. Won't work with a web server though; legit clients can make multiple requests too. I'd recommend you get used to this. I was worried too when I saw the auth.log of my first server. Looong lists of dictionary hackers, daily. Now I don't care. I know they cannot get in and this is all that matters.
05-01-2006, 06:57 PM, #5
Member (Original Poster); Registered: Mar 2004; Location: Tokyo, Japan; Distribution: Backtrack 5 R3; Posts: 145
auth.log files are okay
My auth.log files are okay. I run a program called authfail that automatically logs 3 failed attempts and adds them to iptables to drop their connection. It works great and keeps people out. I highly recommend it.
What concerns me are attacks on my web server. I've had it attacked and broken into twice in 2003 and I'm kinda paranoid about it. Anything I can do to keep them bastards out I will. When I trace down some of the IPs I notice that some are coming from .ro and I know no one legit is looking at my web server from there!
I just wanted to make sure I wasn't bulking down my server by having too many entries in hosts.deny. I am noticing less and less entries in my logs; it must be working to some degree.
Check out authfail -- it's almost perfectly automatic.
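The two mechanisms described in posts #3 and #5 (picking scanner IPs out of the Apache log by hand, and authfail's "three failed logins, then an iptables DROP") can be expressed as one small log-to-banlist script. The following is an added example, not code from the thread and not authfail itself; the log lines are constructed, the addresses are RFC 5737 documentation ranges, and the thresholds and the allow-list are assumptions. It answers the objection in post #4 (legitimate clients also make many requests) by counting distinct missing paths per address rather than raw 404s, and it only prints the iptables commands instead of running them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (not real traffic): an Apache combined-format
# access log and an sshd auth.log. 203.0.113.7 is a directory scanner,
# 198.51.100.20 is a browser that keeps asking for a missing favicon,
# 198.51.100.9 is an SSH dictionary attacker.
ACCESS_LOG = """\
203.0.113.7 - - [01/May/2006:17:02:11 +0900] "GET /www/php/sumthin.php HTTP/1.0" 404 289 "-" "-"
203.0.113.7 - - [01/May/2006:17:02:11 +0900] "GET /php/sumthin.php HTTP/1.0" 404 289 "-" "-"
203.0.113.7 - - [01/May/2006:17:02:12 +0900] "GET /xmlrpc.php HTTP/1.0" 404 289 "-" "-"
203.0.113.7 - - [01/May/2006:17:02:12 +0900] "GET /blog/xmlrpc.php HTTP/1.0" 404 289 "-" "-"
203.0.113.7 - - [01/May/2006:17:02:13 +0900] "GET /drupal/xmlrpc.php HTTP/1.0" 404 289 "-" "-"
203.0.113.7 - - [01/May/2006:17:02:13 +0900] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 289 "-" "-"
198.51.100.20 - - [01/May/2006:17:05:40 +0900] "GET / HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.20 - - [01/May/2006:17:05:41 +0900] "GET /favicon.ico HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.20 - - [01/May/2006:17:05:42 +0900] "GET /favicon.ico HTTP/1.1" 404 289 "-" "Mozilla/5.0"
198.51.100.20 - - [01/May/2006:17:05:43 +0900] "GET /favicon.ico HTTP/1.1" 404 289 "-" "Mozilla/5.0"
192.0.2.5 - - [01/May/2006:17:06:00 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

AUTH_LOG = """\
May  1 17:03:01 sarge sshd[1234]: Failed password for invalid user admin from 198.51.100.9 port 4022 ssh2
May  1 17:03:04 sarge sshd[1234]: Failed password for invalid user test from 198.51.100.9 port 4023 ssh2
May  1 17:03:07 sarge sshd[1234]: Failed password for root from 198.51.100.9 port 4024 ssh2
May  1 17:04:10 sarge sshd[1240]: Failed password for root from 203.0.113.7 port 5110 ssh2
May  1 17:05:00 sarge sshd[1251]: Accepted publickey for alice from 192.0.2.5 port 51022 ssh2
"""

# client, request path and status code from a combined-format line
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+)[^"]*" (\d{3})')
# source address of an sshd "Failed password" line (OpenSSH wording)
AUTH_RE = re.compile(r'sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port')


def web_scanners(lines, threshold=5):
    """Addresses that requested at least `threshold` *distinct* missing paths.

    Counting distinct 404 paths instead of raw 404s keeps a legitimate browser
    that retries one missing favicon.ico out of the list; a scanner walks many
    different non-existent scripts. Threshold is an assumed value."""
    missing = defaultdict(set)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, status = m.groups()
        if status == "404":
            missing[ip].add(path)
    return sorted(ip for ip, paths in missing.items() if len(paths) >= threshold)


def ssh_bruteforcers(lines, threshold=3):
    """Addresses with at least `threshold` failed sshd logins (authfail's rule)."""
    failures = defaultdict(int)
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def ban_commands(ips, allow=()):
    """iptables commands (as strings, never executed here) for each address.

    `allow` lists networks that must never be banned, e.g. the admin's own
    range, so a fat-fingered password cannot lock the operator out."""
    safe = [ipaddress.ip_network(a) for a in allow]
    out = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in safe):
            continue
        out.append(f"iptables -I INPUT -s {ip} -j DROP")
    return out


if __name__ == "__main__":
    offenders = web_scanners(ACCESS_LOG.splitlines()) + ssh_bruteforcers(AUTH_LOG.splitlines())
    for cmd in ban_commands(sorted(set(offenders)), allow=["192.0.2.0/24"]):
        print(cmd)
```

Run as-is it prints two DROP rules, for 203.0.113.7 and 198.51.100.9, and nothing for the favicon client. The same caveat as in the thread applies to the output: every rule inserted this way is one more entry for the kernel to walk on every packet, so expire them after a day or so, or, on a kernel with ipset, keep a single `-m set --match-set` rule in the chain and put the addresses in the set.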
05-01-2006, 11:17 PM, #6
Senior Member; Registered: Mar 2003; Distribution: Fedora; Posts: 3,658
Note that Apache does not have support for hosts.deny (libwrap/tcp_wrappers) by default, so using it for access control does nothing. If you want to ban them, use iptables or Apache's built-in access control features.
Adding huge numbers of hosts to iptables or hosts.deny will eventually slow the system down, so trying to ban IPs for random scanning is a lost cause IMHO. Save bannination for persistent abusers and spend the time hardening your system against exploitation and making sure it's updated with security patches.
05-02-2006, 01:30 AM, #7
Member (Original Poster); Registered: Mar 2004; Location: Tokyo, Japan; Distribution: Backtrack 5 R3; Posts: 145
That answered my question
So using hosts.deny doesn't stop them from accessing Apache, so using it was futile anyway. And as you said, it will eventually slow the system down. That's what I wanted to know.
Looks like you're right -- there are other ways to police the system. Thanks to all for your thoughts.
05-02-2006, 04:46 PM, #8
Senior Member; Registered: Mar 2003; Distribution: Fedora; Posts: 3,658
Quote: Originally Posted by kuriharu
    So using hosts.deny doesn't stop them from accessing Apache, so using it was futile anyway.
That's correct.
Take a look at mod_security if you are interested in implementing a little more preventative security measures for Apache. Creating custom filters to block typical PHP and XML-RPC scans that are common isn't very difficult and you can even create filters to block 0-day exploits that attempt code injection (like URLs containing the string "wget" or "/tmp").
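The two Apache-side alternatives recommended in posts #6 and #8, written out as an added configuration example (not from the thread, and not sample configuration from the Apache or ModSecurity projects). The access-control block uses the Apache 2.0/2.2 `Order`/`Deny from` syntax that Sarge's apache2 understands, with the 2.4 `Require` form in a comment; the second block is ModSecurity 2.x `SecRule` syntax (ModSecurity 1.x used `SecFilter` instead). The address 192.0.2.10 and the rule ids are placeholders. A quick way to confirm what post #6 says about tcp_wrappers is `ldd /usr/sbin/apache2 | grep libwrap`: no output means the binary is not linked against libwrap and hosts.deny is never consulted.

```apacheconf
# Apache 2.0/2.2: refuse one persistent abuser for the whole document root.
# Apache still accepts the TCP connection and answers 403, so this spares
# PHP and the application, not the network; a firewall DROP spares both.
<Directory /var/www>
    Order allow,deny
    Allow from all
    # placeholder address; add one "Deny from" line per persistent abuser
    Deny from 192.0.2.10
    # Apache 2.4 equivalent of the three lines above:
    #   <RequireAll>
    #       Require all granted
    #       Require not ip 192.0.2.10
    #   </RequireAll>
</Directory>

# ModSecurity 2.x: reject the scanner probes and injection attempts from
# post #8 before the request reaches PHP. Start with DetectionOnly and read
# the audit log for a few days; legitimate URLs can contain these strings.
<IfModule security2_module>
    SecRuleEngine On
    # SecRuleEngine DetectionOnly

    # Code-injection attempts that fetch a payload or stage it under /tmp
    SecRule REQUEST_URI|ARGS "@rx (?i)(?:wget\s|curl\s|/tmp/)" \
        "id:1000001,phase:2,deny,status:403,log,msg:'Command injection attempt'"

    # Probes for PHP / XML-RPC scripts that do not exist on this server
    SecRule REQUEST_URI "@rx ^/(?:www/php/|[^?]*xmlrpc\.php)" \
        "id:1000002,phase:1,deny,status:404,log,msg:'Scanner probe for missing script'"
</IfModule>
```

Note that Apache configuration does not allow a comment on the same line as a directive, which is why every remark above sits on its own line; `apache2ctl configtest` will reject the file otherwise.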
05-02-2006, 04:52 PM, #9
Member (Original Poster); Registered: Mar 2004; Location: Tokyo, Japan; Distribution: Backtrack 5 R3; Posts: 145
Thanks for the tip.
I'm always interested in new security techniques. I'll check out ModSecurity. Thanks!