My friend has a webserver running Windows 2003 with Apache/PHP/MySQL. There have always been a degree of hack attempts and vulnerability scans, which are increasing as time goes on. Here's a snippet from the error log: That scanning session generated ~5 requests per second for a solid half hour. Manually trawling the error log and blocking each IP is getting to be time-consuming, so is there any reliable way to detect when this is happening and block the IP?
Your log will always show these attacks, even if blocked. You can try manually adding the IP if it's the same one every day. These are all HTTP requests, right? Not SSH?
Yes, HTTP. It's a few different IPs every day, each generating around 1000 requests. The logs are getting too damn big; at least the ones I've blocked only generate one or two 'client denied' entries before giving up. I was hoping there was some way to detect a flood of requests from an IP and block it there and then.
You can report the IP address and lodge a complaint, but that's about it. My Rackspace blocks all this on their routers so I don't get it as much anymore. You can set a time penalty condition: http://www.debian-administration.org/articles/187
I suspect most of the IPs will be proxies or exploited systems; block one IP and another springs up in its place. From the link you posted: "The following rules will limit incoming connections to no more than x attempts in a minute - any more than that will be dropped." That's exactly what's needed, only the examples are for iptables on Linux. I'll have a poke around and see if I can find a good Windows firewall that allows similar rules.
An ideal solution, security-wise, would be to have a Linux hardware firewall sitting in front of the box.
If you're using Linux, Fail2ban would solve your problem. It sets your iptables to ban people who hammer your box on any service/ports you pick.
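The detection step the thread is after (spot an IP that exceeds N requests within a time window, as the iptables rules and Fail2ban do) can be done on the Apache error log itself, which also works on the Windows box in the question. This is an added example, not code from any poster; the log lines are constructed, the error_log format and the 10-hits-per-60-seconds threshold are assumptions, and the output is just the list of IPs to hand to whatever firewall is in use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.x error_log format (assumed), e.g.
# [Sat Mar 14 10:00:00 2009] [error] [client 198.51.100.7] client denied by server configuration: C:/www/x
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_line(line):
    """Return (timestamp, ip, message) for one error_log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip"), m.group("msg")


def find_flooding_ips(lines, max_hits=10, window_seconds=60):
    """Sliding-window hit counter per client IP.

    Returns {ip: timestamp} with the moment each IP first exceeded `max_hits`
    entries inside any `window_seconds` span. Lines are assumed to be in log order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of hits still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # unrelated or malformed line
            continue
        ts, ip, _ = parsed
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:  # expire hits older than the window
            hits.popleft()
        if len(hits) > max_hits and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample log: one client makes 12 denied requests in 12 seconds,
# another makes two ordinary requests several minutes apart.
SAMPLE_LOG = [
    f"[Sat Mar 14 10:00:{s:02d} 2009] [error] [client 198.51.100.7] "
    f"client denied by server configuration: C:/www/probe{s}"
    for s in range(12)
] + [
    "[Sat Mar 14 10:03:00 2009] [error] [client 203.0.113.5] File does not exist: C:/www/favicon.ico",
    "[Sat Mar 14 10:09:30 2009] [error] [client 203.0.113.5] File does not exist: C:/www/robots.txt",
    "this line is not in error_log format and is skipped",
]

if __name__ == "__main__":
    for ip, when in find_flooding_ips(SAMPLE_LOG).items():
        print(f"{when:%Y-%m-%d %H:%M:%S} block {ip}")  # feed this IP to the firewall's block list
```

The window is per IP, so the two slow requests from the second client never trip the threshold, while the scanner is flagged on its 11th hit.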