
Re: [cobalt-users] error log emergency



> on 9/15/00 12:12 AM, Mike Fritsch at mfritsch@xxxxxxxxxxxx wrote:
> >> I recently caught a hacker trying to hack a password protected site on my
> >> 3i unit.   I was able to deny him/her service via a deny line in the
> >> .htaccess file of the protected directory.   This worked fine and I can see
> >> the malicious person being denied just keeps on churning hits at me even
> >> though they're being denied.  If this keeps up it will rapidly make my
> >> error log grow huge and possibly crash my machine (the intent?).
> >
> > I believe you can put his IP into the hosts.deny file.
>
> Correct me if I am wrong but I don't think that hosts.deny will prevent web
> access.  It will stop telnet, ftp, etc--essentially inetd services.

"That's right"   :)

<snip>
> If you have a malicious user you'll want to block them at the kernel level
> using IPChains or something.
>
> The command you want to use is
> ipchains -I input -s 192.168.1.1 -j DENY -l
>
> Where 192.168.1.1 is the ip of the offending host.
>
> -k

Another cute trick is to deny just http server-wide....
In /etc/httpd/conf/access.conf you will find a section that looks something
like this:

# Controls who can get stuff from this server.

order allow,deny
allow from all

AuthFailDelay 2000000
</Directory>

Change it to something like

# Controls who can get stuff from this server.

order allow,deny
allow from all
deny from disney.com
AuthFailDelay 2000000
</Directory>

The docs are here
http://www.apache.org/docs/mod/core.html#directory

I would suggest you go after the isp that owns the ip and if they don't
respond...
Nuke their ass!

Look up the IP at
http://www.arin.net/whois/arinwhois.html

Zeffie
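Before reaching for the ipchains rule or the "deny from" line discussed in this thread, it helps to know which clients are actually filling the error log. The script below is an added example, not code from the thread or from Cobalt; it assumes the Apache 1.3 error_log format ("[date] [error] [client a.b.c.d] message") and uses constructed log lines with made-up addresses and paths. It counts [error] entries per client address and reports the ones at or above a threshold you choose, which gives you a short list to take to the ISP's whois contact or to block.

```shell
#!/bin/sh
# Added example (not from the thread): find which clients are flooding the
# Apache error_log with denied requests, so the admin can decide which ones
# to block with the ipchains rule or the "deny from" directive discussed above.
# The log lines below are constructed in the Apache 1.3 error_log format;
# the addresses and paths are made up.

SAMPLE_LOG='[Fri Sep 15 00:12:01 2000] [error] [client 192.168.1.1] client denied by server configuration: /home/sites/site1/web/protected/index.html
[Fri Sep 15 00:12:02 2000] [error] [client 192.168.1.1] client denied by server configuration: /home/sites/site1/web/protected/index.html
[Fri Sep 15 00:12:02 2000] [error] [client 10.0.0.5] File does not exist: /home/sites/site1/web/favicon.ico
[Fri Sep 15 00:12:03 2000] [error] [client 203.0.113.7] user bob: authentication failure for "/protected": password mismatch
[Fri Sep 15 00:12:03 2000] [notice] httpd: caught SIGHUP, restarting
[Fri Sep 15 00:12:04 2000] [error] [client 192.168.1.1] client denied by server configuration: /home/sites/site1/web/protected/index.html
[Fri Sep 15 00:12:05 2000] [error] [client 203.0.113.7] user bob: authentication failure for "/protected": password mismatch
[Fri Sep 15 00:12:05 2000] [error] [client 192.168.1.1] client denied by server configuration: /home/sites/site1/web/protected/index.html
[Fri Sep 15 00:12:06 2000] [error] [client 203.0.113.7] user bob: authentication failure for "/protected": password mismatch'

# noisy_clients THRESHOLD: read error_log lines on stdin and print
# "count ip" (most hits first) for each client with at least THRESHOLD
# [error] entries.  Lines without a "[client x.x.x.x]" tag are ignored.
noisy_clients() {
  awk -v t="$1" '
    /\[error\] \[client [0-9.]+\]/ {
      match($0, /\[client [0-9.]+\]/)
      ip = substr($0, RSTART + 8, RLENGTH - 9)   # strip "[client " and "]"
      n[ip]++
    }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  ' | sort -rn
}

# Usage against the constructed sample; on a real box you would run
#   noisy_clients 50 < /var/log/httpd/error_log
printf '%s\n' "$SAMPLE_LOG" | noisy_clients 3
```

On the constructed sample this prints "4 192.168.1.1" and "3 203.0.113.7" and skips the client that produced a single missing-file error. Run it against the real error_log (the path on your unit may differ) with a threshold that suits your traffic, then feed the addresses it reports into the ipchains command or the access.conf "deny from" line; the counts also give you something concrete to quote when you write to the ISP.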