Posted to users@httpd.apache.org by David Spector <da...@springtimesoftware.com> on 2018/11/01 14:05:06 UTC

[users@httpd] Is there a way to intercept all IP accesses in real time?

I would like to write a short real-time PHP program to detect unusual or 
malicious access patterns to httpd under all OSs for the usual methods, 
such as GET and POST, the goal being to protect authentication 
procedures from being repeatedly tested by unauthorized visitors to 
websites.

My understanding is that Apache generates a pool of worker processes to 
handle remote accesses to the server, so that accesses are processed 
efficiently and possibly concurrently if the OS supports process 
concurrency.

So, I'm afraid if I simply write a PHP function that gets called at the 
start of displaying the home page of a website, it will intercept only a 
subset of the remote accesses, which would be insufficient for analyzing 
access patterns.

Is there a way to have a piece of efficient real-time PHP code stay in 
memory (for efficiency, so its code and database can be resident in 
memory) and be called for every remote IP access? Its results (a short, 
often updated IP blacklist) could be sent to the website through a 
slower route or could be used right there in the real-time PHP code to 
block the access.

David Spector
Springtime Software

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Is there a way to intercept all IP accesses in real time?

Posted by Freek de Kruijf <f....@gmail.com>.
On Thursday, 1 November 2018 at 15:05:06 CET, David Spector wrote:

The SANS Institute (dshield.org) has a honeypot system available:
https://isc.sans.edu/honeypot.html
This web page mentions that Apache is being used, but this is no longer the 
case. The software uses a Python script to catch the communication with the 
HTTP server. The software itself is available on GitHub. I have it running on 
the smallest Raspberry Pi, a 1B, together with a honeypot for telnet and ssh 
and firewall logging. Reports go to dshield.org. My modem/router forwards 
almost all TCP/UDP ports to the honeypot system.

-- 
Kind regards,

Freek de Kruijf



Re: [users@httpd] Is there a way to intercept all IP accesses in real time?

Posted by Dennis Clarke <dc...@blastwave.org>.
On 11/01/2018 10:05 AM, David Spector wrote:
> efficient real-time PHP code

There is no such thing.

I am only aware of rt priority type code written in C and assembly.
At least in the instrumentation and data collection field.

dc



RE: [users@httpd] Is there a way to intercept all IP accesses in real time?

Posted by Jeff Cauhape <jp...@detr.nv.gov>.
David,

I'm probably being pedantic, but I don't think you are looking for a literal "real time"
system, just something that operates quickly. A legitimate real time system can guarantee
response to an interrupt within a specified length of time. People often confuse this with
being fast, but they aren't really the same thing.

I think you might be able to accomplish your goals with some high quality log analysis software.
Since all the threads write to the same logs, checking the logs takes care of the multiple thread issue.

If that doesn't sound fast enough, you might look to see if any of the switches or routers in your
network have hacking detection software that can be installed or activated. This works faster than
anything you could put on the server itself.

Jeffrey Cauhape – IT Professional III – Linux and Solaris Administrator
Nevada Department of Employment, Training and Rehabilitation
(775) 684-3804 (office)     jpcauhape@detr.nv.gov
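As an added illustration of the log-analysis approach suggested above (example code, not from anyone in this thread): a Python pass over Apache combined-format access log lines that flags source IPs with repeated failed POSTs to a login path inside a sliding time window. The login path, the status codes counted as failures, the thresholds and the sample log lines are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("method"), m.group("path"), int(m.group("status")))

def failed_login_offenders(lines, window=timedelta(minutes=5), threshold=5,
                           login_path="/login", fail_statuses=(401, 403)):
    """Map IP -> time it reached `threshold` failed POSTs to login_path within `window`.
    All worker processes append to one access log, so a single pass sees every request."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures, oldest first
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate malformed lines instead of crashing the scan
        ip, ts, method, path, status = rec
        if method != "POST" or path != login_path or status not in fail_statuses:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # age out failures that left the sliding window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged
# Constructed sample log lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Nov/2018:14:05:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.61"
203.0.113.10 - - [01/Nov/2018:14:05:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.61"
198.51.100.7 - - [01/Nov/2018:14:05:03 +0000] "GET / HTTP/1.1" 200 3042 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Nov/2018:14:05:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.61"
198.51.100.7 - - [01/Nov/2018:14:05:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Nov/2018:14:05:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.61"
198.51.100.7 - - [01/Nov/2018:14:05:07 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()
if __name__ == "__main__":
    for ip, when in failed_login_offenders(SAMPLE_LOG, threshold=4).items():
        print(f"{ip} reached the failed-login threshold at {when.isoformat()}")
```

The returned map is the kind of short, frequently updated blocklist the original question describes; enforcing it (a deny rule in httpd or the host firewall) is a separate step this script leaves to the operator.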
