
Is There a Way to Trap Hackers?


sunshineteam

9:33 pm on Feb 7, 2010 (gmt 0)

10+ Year Member



I've been checking my error logs and see there were several attempts at accessing portions of my site that don't exist.

The addresses entered all had the words "admin" and "stylesheet.css" in the entered address.

I just blocked the IP address in my .htaccess file, but in the future I'd like to automate this process by matching all attempts with "admin" and "stylesheet.css" in the words (if such a URL results in a 403 error) and if the same IP tries more than x amount of times within x hours.

Perhaps redirect the user to a php script or auto-add the IP to the list I have in the .htaccess file.

I did a search but couldn't find something that would do this.

jdMorgan

10:20 pm on Feb 7, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Look in our PHP forum library... The title is "Block runaway 'bots" -- or something like that. Script by xlcus and AlexK.

Jim

sunshineteam

2:32 am on Feb 8, 2010 (gmt 0)

10+ Year Member



I believe this is the link:

[webmasterworld.com...]

Thanks. I'll look into that and probably install that tomorrow.

I took a quick peek and this looks like it just counts attempts, and seconds between attempts.

I was hoping to integrate a keyword trigger along with a 404 or 403 trigger (probably a 404 since these hack attacks are on files and directories that don't exist).

Is there a known script that has keyword triggers that you are aware of? Or a nice way of integrating?
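One way to get the keyword-plus-error-status trigger and the per-IP rate threshold described above, as an added example that is not part of the thread or of the library script it refers to. It parses Apache combined-format log lines, counts only 403/404 hits whose path contains "admin" or "stylesheet.css", flags any IP with more than a chosen number of such hits inside a chosen time window, and emits the `Deny from` lines for .htaccess. The sample log lines are constructed; the function names and thresholds are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Triggers from the thread: probes for non-existent "admin" / "stylesheet.css" paths that 403 or 404.
KEYWORDS = ("admin", "stylesheet.css")
STATUSES = {"403", "404"}

def parse_line(line):
    m = LOG_RE.match(line)  # None for a line that is not in combined format
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), m.group("status")

def is_probe(path, status):
    """A hit counts only when the response was an error AND the path carries a keyword."""
    return status in STATUSES and any(k in path.lower() for k in KEYWORDS)

def offending_ips(lines, max_hits, window_seconds):
    """IPs with more than max_hits probe hits inside any span of window_seconds."""
    window, hits = timedelta(seconds=window_seconds), defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_probe(parsed[2], parsed[3]):
            hits[parsed[0]].append(parsed[1])
    banned = []
    for ip, times in hits.items():
        times.sort()
        start = 0                      # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_hits:
                banned.append(ip)
                break
    return sorted(banned)

def htaccess_lines(ips):
    return ["Deny from " + ip for ip in ips]  # the .htaccess syntax already used by hand

# Constructed sample: 198.51.100.7 probes three times in three minutes, 203.0.113.9 once,
# and a successful request for /admin/ by a legitimate user is not counted.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Feb/2010:21:01:10 +0000] "GET /admin/stylesheet.css HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Feb/2010:21:01:12 +0000] "GET /administrator/stylesheet.css HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Feb/2010:21:02:00 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/7.19"
192.0.2.5 - - [07/Feb/2010:21:02:30 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Feb/2010:21:03:40 +0000] "GET /wp-admin/stylesheet.css HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""
```

Run it from cron over the access log and append `htaccess_lines(offending_ips(...))` to the block list; a burst of legitimate 404s for paths without the keywords never trips it, and the threshold and window are the "x" values from the post.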

Frank_Rizzo

10:19 am on Feb 8, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Best thing to use is ModSecurity. Not only does it by default block cross-site scripting and SQL injection, but you can also create your own rules to block specific keywords.

If you do not use phpMyAdmin but someone attempts to load a page or directory with that name, then they are up to no good. ModSecurity will intercept and either let it through, 403 it, drop it, whatever.

I run a custom script to trap keywords and then add the IP to IPTABLES.

Here are examples of 2 types of rules I use:

# Referer header matching casino.ru: log it, run the ban script, then drop the connection
SecRule REQUEST_HEADERS:Referer "casino\.ru" "log,exec:/modsec_ban/modsec_ban.sh,drop,phase:1"

# Request URI naming INSTALL.txt (a file this site never serves): same treatment
SecRule REQUEST_URI "INSTALL\.txt" "log,exec:/modsec_ban/modsec_ban.sh,drop,phase:1"

modsec_ban.sh receives parameters from ModSecurity, blocks the IP and emails a report.

ModSecurity installs easy enough but you do have to run it in test mode for a bit until you are sure you won't 403 valid clients. Sometimes you have to tweak a rule or disable it.

The modsec_ban.sh script is not part of ModSecurity so you have to write that yourself.