Phase 1: Implement an http:BL module to identify the "bad guy" and divert the log entry into httpbl.log instead of access_log.
Phase 2: I wanted to automatically firewall the malicious IP address, but the Apache UID is unable to use iptables (it would seem prudent for iptables to allow a specific CHAIN to be created and another UID permitted to control it; a shame no one has done it yet). My options then became some form of message passing to a root daemon, or suid-root. I was happy with neither, so I implemented an Apache-level firewall via another mod_perl plugin 🙂
Logs:
==> httpbl.log <==
[Tue Nov 30 23:36:22 2010] httpBL: 113.22.131.111 (13) "127.48.15.1" "www.pgregg.com" "/projects/php/preg_find/preg_find.phps" "http://www.dslreports.com/forum/r19430990-PHP-link-generator" [HTTPBL:13]
[Tue Nov 30 23:36:23 2010] httpBL: 113.22.131.111 (13) "127.48.15.1" "www.pgregg.com" "/favicon.ico" "" [HTTPBL:13]
[Tue Nov 30 23:36:24 2010] httpBL: 113.22.131.111 (13) "127.48.15.1" "-" "-" "-" [HTTPBL:13]
==> error_log <==
IP 113.22.131.111 is blocked
==> httpbl.log <==
[Tue Nov 30 23:36:26 2010] httpBL: 113.22.131.111 (13) "127.48.15.1" "-" "-" "-" [HTTPBL:13]
Notice that none of these made it to the normal Apache access_log. You also tend to get 3-4 simultaneous connections from a client, so it is possible that the firewall rule is not in place in time, since the other connections are already running in parallel (and the firewall plugin runs right at the connection-handling stage). However, here we can see the firewall kick in and catch the last one. This IP will now be firewalled for 13 days (the score), after which the firewall entry will be removed (and can be recreated by the logging plugin if necessary).
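The httpbl.log lines above can be parsed and the http:BL DNS answer decoded to see which blocks are still active at a given moment. This is an added Python example, not the post's mod_perl code; it assumes, as the post states, that a block lasts for the logged score in days, and it decodes the answer using http:BL's documented 127.<days>.<threat>.<type> layout.

```python
import re
from datetime import datetime, timedelta

# Log lines as printed in the post (the module's own output format).
SAMPLE_LOG = """\
[Tue Nov 30 23:36:22 2010] httpBL: 113.22.131.111 (13) "127.48.15.1" "www.pgregg.com" "/projects/php/preg_find/preg_find.phps" "http://www.dslreports.com/forum/r19430990-PHP-link-generator" [HTTPBL:13]
[Tue Nov 30 23:36:24 2010] httpBL: 113.22.131.111 (13) "127.48.15.1" "-" "-" "-" [HTTPBL:13]
[Tue Nov 30 05:50:13 2010] HTTPBL: 122.36.165.202 (8) "127.22.8.1" "www.pgregg.com" "/mt/mt-comments.cgi" "http://pgregg.com/blog/2010/11/referrer-and-comment-spammers-are-a-pita.html" [HTTPBL:8]
"""

# One line: [timestamp] httpBL: <ip> (<score>) "<dns answer>" "<host>" "<path>" "<referer>" [HTTPBL:<score>]
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] httpbl: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \((?P<score>\d+)\) '
    r'"(?P<answer>[^"]*)" "(?P<host>[^"]*)" "(?P<path>[^"]*)" "(?P<referer>[^"]*)" '
    r'\[httpbl:\d+\]$', re.IGNORECASE)

# http:BL encodes the visitor type as a bitmask in the last octet; 0 means a known search engine.
TYPE_FLAGS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}

def decode_httpbl(answer):
    """Decode a dnsbl.httpbl.org answer of the form 127.<days>.<threat>.<type>."""
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        raise ValueError(f"not an http:BL answer: {answer!r}")
    _, days, threat, kind = octets
    types = [name for bit, name in TYPE_FLAGS.items() if kind & bit] or ["search engine"]
    return {"days_since_last_activity": days, "threat_score": threat, "types": types}

def parse_line(line):
    """Return the fields of one httpbl.log line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["score"] = int(rec["score"])  # the module's own score, logged beside the raw DNS answer
    rec.update(decode_httpbl(rec["answer"]))
    # Assumption from the post: the IP stays firewalled for <score> days from this hit.
    rec["block_until"] = rec["ts"] + timedelta(days=rec["score"])
    return rec

def active_blocks(log_text, now):
    """Map each IP to its latest block expiry that is still in the future at `now`."""
    blocks = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["block_until"] > now and rec["block_until"] > blocks.get(rec["ip"], now):
            blocks[rec["ip"]] = rec["block_until"]
    return blocks

if __name__ == "__main__":
    for ip, until in active_blocks(SAMPLE_LOG, datetime(2010, 12, 10)).items():
        print(f"{ip} blocked until {until:%Y-%m-%d %H:%M:%S}")
```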
Posting IP: 122.36.165.202
My module log shows:
[Tue Nov 30 05:50:13 2010] HTTPBL: 122.36.165.202 (8) "127.22.8.1" "www.pgregg.com" "/mt/mt-comments.cgi" "http://pgregg.com/blog/2010/11/referrer-and-comment-spammers-are-a-pita.html" [HTTPBL:8]
This would have been caught and, once I get the firewalling going, stopped.