401.cgi should ideally be set to run from crontab, perhaps once per minute. You can also
run the script from a telnet command line using:

    perl 401.cgi
The script will scan the log file looking for excessive failed login attempts from the
same IP address. If the number of failed logins from one address is greater than the
threshold value, that IP address (the attacker's) is added to the "blocked" file. The
"blocked" file is used by .htaccess to deny that address further access to your web server.
Optimally, you should have your ISP set up a duplicate log file for you. This is easily
done by adding a second TransferLog line to the Apache config file, like this:

    <VirtualHost 209.212.196.253>
        ServerAdmin webmaster@webshoppingonline.net
        DocumentRoot /home/httpd/html/webshoppingonline.net/htdocs/
        TransferLog /home/httpd/html/logs/webshoppingonline.net
        TransferLog /home/httpd/html/logs/webshoppingonline-copy.net
        ServerName webshoppingonline.net
        ServerAlias www.webshoppingonline.net
    </VirtualHost>
This way, when crontab executes 401.cgi, it will parse the smaller log file copy rather
than the regular log file, which would cost you a lot of CPU time. If you cannot set up a
duplicate log file then you should only run this maybe once per hour. You should set the
log file copy permissions to 777 so it can be reset to 0K every time 401.cgi runs. If you
get attacked by a hurler it will be obvious within seconds.
If you are going to have 401.cgi reset your log files to keep server load to a minimum,
you will need to add the following lines to the end of 401.cgi to have it clear the log
file back to 0K after execution by crontab:

    # opening the log for writing truncates it to 0 bytes
    open (LOGFILE, ">$logfile") or die "cannot truncate $logfile: $!";
    close (LOGFILE);
Just keep in mind that if you are attacked by a hurler they will be throwing maybe 1,000
passwords per minute and cause several hundred 401 errors. If it's just a member trying to
remember their username/password you don't want to block them, so do not set the
threshold too low.
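The scan described above, from reading the log copy through writing the "blocked" file and
resetting the copy to 0K, as an added example. This is not the 401.cgi source; the variable
names ($logfile, $blocked, $threshold), the one-IP-per-line format of the "blocked" file and
the constructed sample log lines are all assumptions made here for illustration.

```perl
#!/usr/bin/perl
# Added example: the kind of scan 401.cgi performs, written fresh for this page.
# It is not the 401.cgi source. Names ($logfile, $blocked, $threshold) and the
# one-IP-per-line format of the "blocked" file are assumptions, not taken from the script.
use strict;
use warnings;

my $logfile   = 'access-copy.log';  # the duplicate TransferLog from the config above
my $blocked   = 'blocked';          # file .htaccess consults; format assumed: one IP per line
my $threshold = 2;                  # deliberately low for the constructed sample below;
                                    # a real run uses a much higher value (see the note on members)

# Constructed sample lines in Apache common log format, standing in for the real log.
my @sample = (
    '10.0.0.5 - - [01/Jan/1999:12:00:01 -0500] "GET /members/ HTTP/1.0" 401 381',
    '10.0.0.5 - - [01/Jan/1999:12:00:02 -0500] "GET /members/ HTTP/1.0" 401 381',
    '192.0.2.7 - - [01/Jan/1999:12:00:03 -0500] "GET /members/ HTTP/1.0" 200 2048',
    '10.0.0.5 - - [01/Jan/1999:12:00:03 -0500] "GET /members/ HTTP/1.0" 401 381',
    '198.51.100.9 - bob [01/Jan/1999:12:00:04 -0500] "GET /members/ HTTP/1.0" 401 381',
);

# Parse one common-log-format line; return (ip, status), or nothing if the line
# does not match, so that truncated or foreign lines are skipped rather than trusted.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ /^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) /;
    return ($1, $2);
}

# Count 401 responses per client IP.
sub count_failures {
    my %failures;
    for my $line (@_) {
        my ($ip, $status) = parse_line($line) or next;
        $failures{$ip}++ if $status eq '401';
    }
    return \%failures;
}

# IPs already in the blocked file, so a repeat offender is not appended twice.
sub read_blocked {
    my ($file) = @_;
    my %seen;
    if (open my $fh, '<', $file) {
        while (my $ip = <$fh>) { chomp $ip; $seen{$ip} = 1 if length $ip }
        close $fh;
    }
    return \%seen;
}

# Append every IP over the threshold to the blocked file; return the list added.
sub block_offenders {
    my ($failures, $file, $limit) = @_;
    my $seen  = read_blocked($file);
    my @added = grep { $failures->{$_} > $limit && !$seen->{$_} } sort keys %$failures;
    if (@added) {
        open my $fh, '>>', $file or die "cannot append to $file: $!";
        print $fh "$_\n" for @added;
        close $fh;
    }
    return @added;
}

sub read_lines {
    my ($file) = @_;
    open my $fh, '<', $file or die "cannot read $file: $!";
    chomp(my @lines = <$fh>);
    close $fh;
    return @lines;
}

# Scan the copy if it exists, otherwise the constructed sample.
my @lines    = -e $logfile ? read_lines($logfile) : @sample;
my $failures = count_failures(@lines);
printf "%-15s %d x 401\n", $_, $failures->{$_} for sort keys %$failures;
my @added = block_offenders($failures, $blocked, $threshold);
print "added to $blocked: @added\n" if @added;

# Reset the copy to 0K as the page describes (only when a real copy was read).
# Any line Apache writes between the read above and this truncate is never scanned.
if (-e $logfile) {
    open my $fh, '>', $logfile or die "cannot truncate $logfile: $!";
    close $fh;
}
```

Run it the way crontab would (perl on the file). With no access-copy.log present it scans the
constructed sample, reports three 401s from 10.0.0.5 and one from 198.51.100.9, and appends
only 10.0.0.5 to the blocked file; the single failure stays under the threshold, which is the
"member who forgot their password" case the text warns about. The truncate happens after the
read, so requests logged in between are lost to the scan; this is the trade-off of the
reset-to-0K approach and another reason to scan the dedicated copy rather than the main log.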
Another consideration is to make sure your password software doesn't allow
username=password or allow usernames/passwords less than 4 characters long. A hurler
takes a lot longer to break long user/password combinations. Nearly ALL of them also
only attack accounts where the username=password. So these hurlers really only threaten
sites run by lame gateway software. And you can believe me when I tell you that when a
hacker finds a weak password software system, it isn't but a few days later that all his
friends and their websites have detailed procedures figured out and published on cracking
it. When this happens, hackers simply use search engines to locate sites using the weak
software and then they break right in. If your site has problems with hackers we can help
you. There are several other security scripts on our site which are best installed by an
expert (programmer). However, there are also instructions available on our site for you
"do-it-yourselfers".
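A check for the credential rules the paragraph above names (no username=password, nothing
under 4 characters), as an added example that is not part of the page's password software or
of 401.cgi. It goes slightly beyond the page's two rules by comparing case-insensitively and
by rejecting a password that merely contains the username; the function name and the sample
pairs are constructed here.

```perl
#!/usr/bin/perl
# Added example, not from the page's password software: refuse the credential
# choices that make a hurler's job quick. Goes a little beyond the page's two rules
# (case-insensitive match, password containing the username).
use strict;
use warnings;

my $min_length = 4;   # the page's minimum; raise it for a real gateway

# Return the reasons a username/password pair is unacceptable; an empty list means it passes.
sub credential_problems {
    my ($user, $pass) = @_;
    my @problems;
    push @problems, 'password equals username (ignoring case)' if lc($pass) eq lc($user);
    push @problems, "username shorter than $min_length"        if length($user) < $min_length;
    push @problems, "password shorter than $min_length"        if length($pass) < $min_length;
    push @problems, 'password contains the username'
        if lc($pass) ne lc($user)
        && length($user) >= $min_length
        && index(lc($pass), lc($user)) >= 0;
    return @problems;
}

# Constructed sample pairs: the first four are exactly what a hurler's list tries first.
for my $pair (['bob', 'bob'], ['Alice', 'alice'], ['alice', 'x1'],
              ['alice', 'alice99'], ['carol', 'Tr0ub4dor&3']) {
    my @why = credential_problems(@$pair);
    printf "%-6s / %-12s %s\n", @$pair, (@why ? join('; ', @why) : 'ok');
}
```

Only the last pair passes; "bob/bob" trips all three of the page's concerns at once (equal,
short username, short password), which is exactly the account a hurler finds in seconds.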