401 SCRUBBER PASSWORD HURLER BLOCKER : V1.1

Copyright 2001 Psybercore, Inc. - All Rights Reserved.

Selling, redistributing or modifying any or all of the code for this program without prior written consent is expressly forbidden. You must obtain written permission before redistributing this software over the Internet or in any other medium. In all cases copyright and header information must remain intact.

System Requirements

- Works on all operating systems
- Apache web server
- Access logs
- .htaccess ability
- Telnet access
- Perl 5
- Crontab recommended
- Ability to run multiple access_log recommended

Installation Preliminaries

Determine the path to PERL 5 on your web server host. Note that some web hosting companies run both PERL 4 and PERL 5. Make ABSOLUTELY sure you are not setting this up under PERL 4. Ask your administrator if you are not sure.

DOWNLOAD the tarfile for this program and save it to your desktop.

Unpack the tar archive on your desktop using a program that unpacks UNIX TAR ARCHIVES. Ideally, tar archives are best unpacked on a webaccount that has telnet access with the command tar xvf filename.tar. However, in this modern era of lame webhosting companies that do not offer telnet access most of the time, you can also unpack with a program called winzip which you can download FREE from SHAREWARE.COM. Please note that winzip has a few bugs and fails to unpack directory structures, files that begin with dots (.) and files that are 0K.

After you have unpacked the TAR archive you will have a collection of folders and files on your desktop. Now you have to do some basic editing of each of these files (or at least some of them). Use a text editor such as wordpad, notepad, BBEdit, simpletext, or teachtext to edit the files.
These are NOT WORD PROCESSOR DOCUMENTS, they are just simple TEXT files, so don't save them as word processor documents or save them with extensions such as .txt or they will NOT WORK.

Note that there may be some files inside of folders which are "blank". This is normal. Make sure you clear out any blank lines from database type files included with the tar archive. These files will appear to be just blank text files. However, blank lines are present because of the bug in winzip. If you see files that appear to be blank make sure to select and erase ALL blank lines (select all, then delete). Then resave the file so it is completely blank.

Path to Perl 5 (NOT PERL 4!#%@#$%!)

Define Path To PERL 5

The first step is to open up each and every file that has a .cgi extension and edit line number one of each script. Each of the cgi scripts is written in perl 5. For your scripts to run they must know where perl 5 is installed on your web server. The path to perl 5 is defined to a cgi script in the first line of the file. In each of the cgi scripts the first line of code looks something like this:

    #!/usr/bin/perl

If the path to perl 5 on your web server is different from /usr/bin/perl you must edit the first line of each cgi script to reflect the correct path. If the path to perl 5 is the same no changes are necessary. If you do not know the path to perl 5 ask the webmaster or system administrator at your server site.

If your isp is still running perl 4 you might want to inform them that perl 4 was great back in the 1980's or whatever but perl 5 has been out for a LONG time and is pretty much downward compatible. Perl 4 is pretty much useless today but you would be surprised how many isps run both perl 4 and perl 5 like it's actually helping you.
Configure the .cgi files

Configure the following variables located inside of 401.cgi (see the user configuration area):

    $logfile = "/full/path/to/401LOGFILE";
    $blockfile = "/full/path/to/blocked";
    $htaccess = "/full/path/to/.htaccess";
    $threshold = 3;
    $pointer = 8;

    $logfile     FULL PATH TO YOUR LOG FILE OR SECONDARY LOG SCAN FILE
    $blockfile   FULL PATH TO THE BLOCKED FILE
    $htaccess    FULL PATH TO .htaccess FILE IN YOUR ROOT HTML DIRECTORY
    $threshold   SET TO A REASONABLE VALUE SO YOU DON'T KICK OFF THE GOOD USERS BUT DO KICK OUT THE LOSERS. TRY 25
    $pointer     SEE THE FILE INCLUDED CALLED README.LOGINFO.TXT FOR INSTRUCTIONS ON SETTING THIS VARIABLE

Upload the files and set permissions

Create a directory inside your cgi-bin called 401 and upload all of the files into this directory. Set the permissions for 401.cgi to 755 and the permissions for the rest of the files to 777. Note that the htaccess file (rename .htaccess) is NOT supposed to go into your "members" folder. This new .htaccess file should go into the root level html directory for your website (htdocs, public_html, or whatever). This .htaccess file will block IP addresses found inside the "blocked" text file. Make sure you clear out any blank lines inside of the "blocked" file. The blank line is only there because of a bug in winzip. If you do not remove it the scrubber will not work right.

Notes on running the software

401.cgi should ideally be set to run from crontab, perhaps once per minute. You can also run the script by telnet command line using

    perl 401.cgi

The script will scan the log file looking for excessive failed login attempts from the same IP address. If the number of failed logins is greater than the threshold value the IP address of the attacker will be added to the "blocked" file. The "blocked" file is used by .htaccess to deny further access to your web server.

Optimally, you should have your isp set up duplicate log files for you.
This is easily done by adding a second line to the apache config file like this:

    <VirtualHost 209.212.196.253>
    ServerAdmin webmaster@webshoppingonline.net
    DocumentRoot /home/httpd/html/webshoppingonline.net/htdocs/
    TransferLog /home/httpd/html/logs/webshoppingonline.net
    TransferLog /home/httpd/html/logs/webshoppingonline-copy.net
    ServerName webshoppingonline.net
    ServerAlias www.webshoppingonline.net
    </VirtualHost>

This way when crontab executes 401.cgi it will parse the smaller logfile COPY rather than the regular logfile, which would cost you a lot of CPU time. If you cannot set up a duplicate logfile then you should only run this maybe once per hour. You should set the logfile copy permissions to 777 so they can be reset to 0k every time 401.cgi runs. If you get attacked by a hurler it will be obvious within seconds.

If you are going to have 401.cgi reset your logfiles to keep serverload to a minimum, you will need to add the following line to the end of 401.cgi to have it clear the logfile back to 0K after execution by crontab.

    open (LOGFILE, ">$logfile");

Just keep in mind that if you are attacked by a hurler they will be throwing maybe 1,000 passwords per minute and cause several hundred 401 errors. If it's just a member trying to remember their username/password you don't want to block them, so do not set the threshold too low.

Another consideration is to make sure your password software doesn't allow username=password or allow user/passwords less than 4 characters long. A hurler takes a lot longer to break long user/password combinations. Nearly ALL of them also only attack accounts where the username=password. So these hurlers really only threaten sites run by lame gateway software. And you can believe me when I tell you that when a hacker finds a weak password software system it isn't but a few days later all his friends and their websites have detailed procedures figured out and published on cracking them.
When this happens, hackers simply use search engines to locate sites using the weak software and then they break right in. If your site has problems with hackers we can help you. There are several other security scripts on our site which are best installed by an expert (programmer). However, there are also instructions available on our site for you "do-it-yourselfers".

Setting the "$pointer" variable

This variable will determine whether the script will work or not. If you don't set this EXACTLY right then forget it - it WILL NOT WORK. There are SIMPLE instructions for anyone that can count to 20 inside of the file called README.LOGINFO.TXT. READ IT!!!

With referral type logs it will normally be set to 8. This "pointer" must point to the "200" field in your logfiles.
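
The scan described under "Notes on running the software", together with the role of $pointer, as an added example (this is not the code of 401.cgi, which is not shown on this page). It assumes log lines are split on whitespace with fields counted from 0, which puts the status code at field 8; find_hurlers, hit and the sample addresses are hypothetical names and constructed data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption (not taken from 401.cgi): each log line is split on whitespace
# and fields are counted from 0, so field 8 is the status code (the "200"
# field) in Apache common and referral type log lines.
my $threshold = 3;
my $pointer   = 8;

# Build one constructed log line for an address and a status code.
sub hit {
    my ($ip, $status) = @_;
    return sprintf '%s - - [10/Oct/2001:13:55:36 -0700] "GET /members/ HTTP/1.0" %s 512 "-" "-"',
        $ip, $status;
}

# Return the addresses with more than $threshold 401 responses that are not
# already listed in the blocked file.
sub find_hurlers {
    my ($lines, $blocked, $threshold, $pointer) = @_;
    my %known = map { $_ => 1 } grep { /\S/ } @$blocked;   # skip blank entries
    my %fails;
    for my $line (@$lines) {
        my @f = split ' ', $line;
        next unless @f > $pointer;           # blank or truncated line
        next unless $f[$pointer] eq '401';   # count failed logins only
        $fails{ $f[0] }++;
    }
    my @hits = grep { $fails{$_} > $threshold && !$known{$_} } keys %fails;
    return sort @hits;
}

# Constructed sample data: 192.0.2.10 fails five times, 198.51.100.7 mistypes
# a password twice and then logs in, 203.0.113.5 is already blocked.
my @log = (
    (hit('192.0.2.10', 401)) x 5,
    (hit('198.51.100.7', 401)) x 2,
    hit('198.51.100.7', 200),
    (hit('203.0.113.5', 401)) x 4,
    '',
);
my @blocked = ('203.0.113.5', '');

# Addresses that would be appended to the "blocked" file on this run.
my @new = find_hurlers(\@log, \@blocked, $threshold, $pointer);
print "$_\n" for @new;
```

If $pointer is off by one field, no line ever compares equal to 401 and nothing is blocked, which is why the page insists the value be exact.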
