200.cgi should ideally be set to run from
crontab, perhaps once per minute. You can also run the script from a telnet command line
using

    perl 200.cgi

The script will scan the log file looking for
excessive failed login attempts from the same IP address. If the number of failed
logins is greater than the threshold value the IP address of the attacker will be added to
the "blocked" file. The "blocked" file is used by .htaccess to
deny further access to your web server.
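
The scan described above, written out as an added example. This is not the original 200.cgi source, which this page does not show. It assumes the log is in Common Log Format, that an HTTP 401 response marks a failed login, and that the "blocked" file holds one IP address per line; the threshold value, the file name blocked.sample and the log lines are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not the original 200.cgi. Assumptions: Common Log Format
# input, HTTP 401 = failed login, blocked file holds one IP per line.
use strict;
use warnings;

my $threshold = 3;    # hypothetical value; tune it to your own traffic

# Return the client IPs with more than $limit failed logins.
sub find_offenders {
    my ($limit, @lines) = @_;
    my %failed;
    for my $line (@lines) {
        # CLF: host ident user [time] "request" status bytes
        next unless $line =~ /^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) /;
        $failed{$1}++ if $2 eq '401';
    }
    return sort { $a cmp $b } grep { $failed{$_} > $limit } keys %failed;
}

# Append only addresses not already listed, so repeated cron runs
# do not fill the blocked file with duplicates.
sub append_blocked {
    my ($file, @ips) = @_;
    my %seen;
    if (open my $in, '<', $file) {
        chomp(my @old = <$in>);
        @seen{@old} = ();
        close $in;
    }
    my @new = grep { !exists $seen{$_} } @ips;
    return 0 unless @new;
    open my $out, '>>', $file or die "cannot append to $file: $!";
    print {$out} "$_\n" for @new;
    close $out or die "cannot close $file: $!";
    return scalar @new;
}

# Constructed sample log lines (RFC 5737 documentation addresses).
my @sample = (
    (map { sprintf '192.0.2.10 - - [01/Jan/2001:10:00:0%d -0500] "GET /members/ HTTP/1.0" 401 401', $_ } 1 .. 5),
    '198.51.100.7 - bob [01/Jan/2001:10:00:09 -0500] "GET /members/ HTTP/1.0" 200 5120',
    '198.51.100.7 - - [01/Jan/2001:10:00:12 -0500] "GET /members/ HTTP/1.0" 401 401',
);

my @offenders = find_offenders($threshold, @sample);
print "would block: @offenders\n";
my $added = append_blocked('blocked.sample', @offenders);
print "$added new address(es) written to blocked.sample\n";
```
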
Optimally, you should have your ISP set up
duplicate log files for you. This is easily done by adding a second TransferLog line to the
Apache config file like this:

<VirtualHost 209.212.196.253>
ServerAdmin webmaster@webshoppingonline.net
DocumentRoot /home/httpd/html/webshoppingonline.net/htdocs/
TransferLog /home/httpd/html/logs/webshoppingonline.net
TransferLog /home/httpd/html/logs/webshoppingonline-copy.net
ServerName webshoppingonline.net
ServerAlias www.webshoppingonline.net
</VirtualHost>

This way, when crontab executes 200.cgi,
it will parse the smaller logfile COPY rather than the regular logfile, which would cost
you a lot of CPU time. If you cannot set up a duplicate logfile, then you should only
run this maybe once per hour. You should set the logfile copy permissions to 777 so
they can be reset to 0K every time 200.cgi runs. If you get attacked by a hurler, it
will be obvious within seconds.
If you are going to have 200.cgi reset your
logfiles to keep server load to a minimum, you will need to add the following line to the
end of 200.cgi to have it clear the logfile back to 0K after execution by crontab.

    open (LOGFILE, ">$logfile");

Just keep in mind that if you are attacked by
a bot or just some jerk executing your formmail script 100 times a minute, they will be
EASY to pick out. So don't set the threshold ridiculously low.