[ic] IC not responding

John1 list_subscriber at yahoo.co.uk
Tue Nov 15 18:00:29 EST 2005 

On Tuesday, November 15, 2005 2:33 PM, sandy at scotwebshops.com wrote:

> John1 wrote:
>
>> From reading around on the web, it would seem that MaxClients 150
>> ought to be enough even for moderately busy web servers.  Does anyone
>> else have a view on this?  Ron, I can understand your idea of raising
>> MaxClients to help the problem, (although I can't try this myself as
>> my Virtual Server environment restricts the number of concurrent
>> processes I can run).
>>
>> However, I am sure you will agree that raising MaxClients is really a
>> work around rather than a solution to the underlying problem.  I can
>> only presume that this problem of scripts looking for security holes
>> hammering websites must be a problem common to every website on the
>> Internet, and therefore presumably every website is bumping up
>> against MaxClients on a regular basis!?  I presume that most
>> websites come back to life as soon as the script robot goes away,
>> but even so, all websites will be brought down by this sort of robot
>> for the duration of its visit.  So, to get to my point, are there
>> any easy ways to stop these script robots racking up the MaxClients
>> count in the first place.  i.e. is there anything in Apache or
>> Apache modules that can be used to spot these "robot attacks" and
>> drop their requests before they cause Apache to spawn loads of
>> processes?  I'd be grateful for any ideas, especially as upping the
>> MaxClients setting is not really an option for me.  Thanks
>
>
> Try mod_evasive, or use the robot blocking functionality in
> interchange, in conjunction with iptables, to drop packets from the
> malicious IP. Most common robots should not kill your webserver.
>
Thanks Sandy mod_evasive looks just the job :-)  I will look into 
implementing as soon as I get chance.

In the meantime, I would like to implement the Interchange lockout option 
immediately.  I have only just realised that although I have defined a 
"RobotLimit 100" I have not defined a lockout command, so bad robots are not 
actually being locked out.

I am not up on iptables, but from what I can see the lockout command I 
should use is:

iptables -I INPUT -s %s -j DROP

Is this correct?

The problem I see with this is that the IP address is then *permanently* 
locked out.  What is the best way to lockout IP addresses for a given 
timeframe, and then let them back in again?  I would be really grateful if 
anyone has a script to do this that they wouldn't mind sharing?  Thanks 


		
___________________________________________________________ 
How much free photo storage do you get? Store your holiday 
snaps for FREE with Yahoo! Photos http://uk.photos.yahoo.com

More information about the interchange-users mailing list