It usually turns out that the default values are pretty good at keeping things under control (which is why I don't ever mess with them unless there's a darned good reason for doing so, eh?). Can't hurt.
One thing that I've had running for years is DenyHosts: "DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks)." There are truly a massive amount of those happening all the time, many of which are aimed at things like phpMyAdmin
is dynamic -- meaning you don't have to fool with it. It's looking at your logs and detects break-in attempts, making either IPTABLES or /etc/hosts.deny entries that will refuse any further connections from a "bad" IP address. It also, if you want, shares addresses with other DenyHosts sites around the world and records those in your /etc/hosts.deny file (the effective and easy way) of other users' experience.
Where country blocks are effective at blocking the entire country, DenyHosts is effective at blocking the bad actors from both a country IP address and any compromised Windows machines being used to hide behind (which also gets some dodo brain's PC address in Spokane being used in attacks). You can also set it up to send you mail of what's going on.
Might be worth your time to have a look-see.
When you're blocking at /etc/hosts.deny or IPTABLES the attacker doesn't get to Apache; check your access_log files (probably in /var/log/httpd?). If you see attacks in there, take a look at managing access with htaccess, but you're really better off with IPTABLES or /etc/hosts.deny which are at the network interface rather than the Apache interface.
Also, get the update for HTTPD -- that's one you really need to do.
And, take a look at your traffic analysis with NTOP, as well as the access_log and the error_log which will help identify problem areas.
Hope this helps some.
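
The log-scanning idea described in the post above (read the SSH log, count failed logins per address, write `/etc/hosts.deny` entries), as an added sketch that is not part of the original post and is not DenyHosts' own code. The function names, the threshold of 3, the allow-list parameter and the sample log lines are assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of OpenSSH auth-log lines (documentation-range addresses).
# Line 4 carries a user name crafted to look like "from <ip> port ..." text.
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jan 10 03:12:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 40113 ssh2
Jan 10 03:12:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 40114 ssh2
Jan 10 03:13:40 host sshd[1210]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 198.51.100.7 port 50022 ssh2
Jan 10 03:14:02 host sshd[1215]: Failed password for alice from 198.51.100.20 port 50100 ssh2
Jan 10 03:14:09 host sshd[1215]: Accepted password for alice from 198.51.100.20 port 50101 ssh2
"""

# Anchored at end of line with a greedy user-name match, so only the final
# "from <ip> port <n> ssh2" (written by sshd itself) is taken as the source.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?.* from (\S+) port \d+ ssh2$"
)

def failed_sources(log_text):
    """Count failed password attempts per validated source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[str(ipaddress.ip_address(m.group(1)))] += 1
        except ValueError:
            continue  # not an IP literal (e.g. a resolved host name); skip
    return counts

def deny_entries(log_text, threshold=3, allow=()):
    """Return hosts.deny lines for sources at or above the threshold."""
    allowed = {ipaddress.ip_address(a) for a in allow}
    entries = []
    for text, n in sorted(failed_sources(log_text).items()):
        ip = ipaddress.ip_address(text)
        if n < threshold or ip in allowed:
            continue
        # TCP wrappers expects IPv6 literals in square brackets.
        entries.append(f"sshd: [{ip}]" if ip.version == 6 else f"sshd: {ip}")
    return entries

if __name__ == "__main__":
    print("\n".join(deny_entries(SAMPLE_LOG, allow=["198.51.100.20"])))
```

The allow-list keeps your own management addresses from being locked out after a few mistyped passwords, and the end-of-line anchor keeps a crafted user name from getting someone else's address blocked.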