Re: [users@httpd] Is there a way to intercept all IP accesses in real time?


On Thursday 1 November 2018 15:05:06 CET, David Spector wrote:
> I would like to write a short real-time PHP program to detect unusual or
> malicious access patterns to httpd under all OSs for the usual methods,
> such as GET and POST, the goal being to protect authentication
> procedures from being repeatedly tested by unauthorized visitors to
> websites.
> 
> My understanding is that Apache generates a pool of worker processes to
> handle remote accesses to the server, so that accesses are processed
> efficiently and possibly concurrently if the OS supports process
> concurrency.
> 
> So, I'm afraid if I simply write a PHP function that gets called at the
> start of displaying the home page of a website, it will intercept only a
> subset of the remote accesses, which would be insufficient for analyzing
> access patterns.
> 
> Is there a way to have a piece of efficient real-time PHP code stay in
> memory (for efficiency, so its code and database can be resident in
> memory) and be called for every remote IP access? Its results (a short,
> often updated IP blacklist) could be sent to the website through a
> slower route or could be used right there in the real-time PHP code to
> block the access.
> 
> David Spector
> Springtime Software
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

The SANS Institute (dshield.org) has a honeypot system available:
https://isc.sans.edu/honeypot.html
This web page mentions that Apache is being used, but this is no longer the 
case. The software uses a Python script to catch the communication with the 
HTTP server. The software itself is available on GitHub. I have it running on 
the smallest Raspberry Pi, a 1B, together with a honeypot for telnet and ssh 
and firewall logging. Reports go to dshield.org. My modem/router forwards 
almost all TCP/UDP ports to the honeypot system.

-- 
Kind regards,

Freek de Kruijf




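The question above worries that a PHP hook on one page sees only a subset of requests because Apache spreads them over a pool of worker processes. One shared source that every worker writes to is the access log configured with CustomLog, so a detector that tails that log sees all requests regardless of which child served them. The following is an added example written for this thread, not code from the original posts or from the DShield honeypot: a small Python sliding-window detector that reads Apache "combined" log lines, counts failed POSTs to a login path (401 or 403 responses) per client IP, and returns the IPs that exceed a threshold inside the window. The login path `/login`, the threshold and window values, and the sample log lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The detector only needs the client host, the timestamp, the request line and
# the status code; the remaining fields are not captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# %t renders as e.g. 01/Nov/2018:15:05:06 +0100
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic). 198.51.100.7 fails six times within
# a minute; 203.0.113.5 fails three times and then succeeds; 192.0.2.9 fails six
# times but twelve minutes apart, so it only trips a much wider window.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Nov/2018:15:05:06 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/7.58.0"',
    '192.0.2.9 - - [01/Nov/2018:15:00:00 +0100] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Nov/2018:15:05:09 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/7.58.0"',
    '198.51.100.7 - - [01/Nov/2018:15:05:13 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/7.58.0"',
    '198.51.100.7 - - [01/Nov/2018:15:05:20 +0100] "POST /login HTTP/1.1" 403 512 "-" "curl/7.58.0"',
    '198.51.100.7 - - [01/Nov/2018:15:05:31 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/7.58.0"',
    '198.51.100.7 - - [01/Nov/2018:15:05:47 +0100] "POST /login HTTP/1.1" 401 512 "-" "curl/7.58.0"',
    '198.51.100.7 - - [01/Nov/2018:15:05:50 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.58.0"',
    '203.0.113.5 - - [01/Nov/2018:15:06:00 +0100] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Nov/2018:15:06:30 +0100] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Nov/2018:15:07:05 +0100] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Nov/2018:15:07:40 +0100] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Nov/2018:15:12:00 +0100] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Nov/2018:15:24:00 +0100] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Nov/2018:15:36:00 +0100] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Nov/2018:15:48:00 +0100] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Nov/2018:16:00:00 +0100] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    'this line is deliberately malformed and must be skipped, not crash the parser',
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_failed_auth(rec, login_paths):
    """A failed authentication attempt: POST to a login path answered 401 or 403."""
    return (rec["method"] == "POST"
            and rec["path"] in login_paths
            and rec["status"] in (401, 403))


def detect_bruteforce(lines, login_paths, threshold=5, window_seconds=600):
    """Per-IP sliding window over failed logins.

    Returns {ip: timestamp_of_the_attempt_that_crossed_the_threshold}. Only the
    first crossing is recorded so the same IP is not reported repeatedly.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_auth(rec, login_paths):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop failures that have aged out of the window for this IP.
        while q and (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def blocklist(flagged):
    """Sorted list of flagged IPs, the shape a downstream block rule would consume."""
    return sorted(flagged)


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG, {"/login"})
    for ip, ts in hits.items():
        print(f"{ip} crossed the threshold at {ts.isoformat()}")
    print("blocklist:", blocklist(hits))
```

With the defaults (5 failures in 10 minutes) only 198.51.100.7 is reported, at its fifth failure; 203.0.113.5 stays under the threshold and its eventual 302 is not counted as a failure. Widening `window_seconds` to two hours also catches the slow 192.0.2.9 pattern, which is the trade-off to tune: a short window misses low-and-slow probing, a long one raises false positives on users who genuinely mistype a password a few times a day. In a deployment the list would be fed to a firewall rule set or a web application firewall rather than enforced inside the page-handling PHP itself.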