401 Scrubber Password Hurler Blocker Installation
401 SCRUBBER PASSWORD HURLER BLOCKER : V1.1
Copyright 2001 Psybercore, Inc. - All Rights Reserved.
Selling, redistributing or modifying any or
all of the code for this program without prior written consent is expressly forbidden. You
must obtain written permission before redistributing this software over the Internet or in
any other medium. In all cases copyright and header information must remain intact.
System Requirements
Works on all operating systems
Apache web server
Access logs
.htaccess ability
Telnet access
Perl 5
Crontab recommended
Ability to run multiple access_log recommended
Installation
Preliminaries
Determine the path to PERL 5 on your web
server host. Note that some web hosting companies run both PERL 4 and PERL 5.
Make ABSOLUTELY sure you are not setting this up under PERL 4. Ask your
administrator if you are not sure.
DOWNLOAD the tarfile
for this program and save it to your desktop.
Unpack the tar archive on your desktop using a
program that unpacks UNIX TAR ARCHIVES. Ideally, tar archives are best unpacked on a
webaccount that has telnet access with the command tar xvf filename.tar. However,
in this modern era of lame webhosting companies that do not offer telnet access most of
the time you can also unpack with a program called winzip which you can download FREE from
SHAREWARE.COM. Please note that winzip has a
few bugs and fails to unpack directory structures, files that begin with dots (.) and
files that are 0K.
After you have unpacked the TAR archive you
will have a collection of folders and files on your desktop. Now you have to do some
basic editing of each of these files (or at least some of them). Use a text editor
such as wordpad, notepad, BBEdit, simpletext, or teachtext to edit the files. These
are NOT WORD PROCESSOR DOCUMENTS; they are just simple TEXT files, so don't save them as
word processor documents or save them with extensions such as .txt or they will NOT WORK.
Note that there may be some files inside of folders which are "blank".
This is normal.
Make sure you clear out any blank lines from
database type files included with the tar archive. These files will appear to be
just blank text files. However, blank lines are present because of the bug in
winzip. If you see files that appear to be blank make sure to select and erase ALL
blank lines (select all, then delete). Then resave the file so it is completely
blank.
Path to Perl 5 (NOT PERL 4!#%@#$%!)
Define Path To PERL 5
The first step is to open up each and every
file that has a .cgi extension and edit line number one of each script. Each of the
cgi scripts is written in perl 5. For your scripts to run they must know where perl 5 is
installed on your web server. The path to perl 5 is defined to a cgi script in the first
line of the file. In each of the cgi scripts the first line of code looks something like
this:
#!/usr/bin/perl
If the path to perl 5 on your web server is
different from /usr/bin/perl you must edit the first line of each cgi script to reflect
the correct path. If the path to perl 5 is the same no changes are necessary. If you do
not know the path to perl 5 ask the webmaster or system administrator at your server site.
If your ISP is still running perl 4 you might
want to inform them that perl 4 was great back in the 1980's or whatever but perl 5 has
been out for a LONG time and is pretty much downward compatible. Perl 4 is pretty
much useless today but you would be surprised how many ISPs run both perl 4 and perl 5
like it's actually helping you.
Configure the .cgi files
Configure the following variables located
inside of 401.cgi (see the user configuration area)
$logfile = "/full/path/to/401LOGFILE";
$blockfile = "/full/path/to/blocked";
$htaccess = "/full/path/to/.htaccess";
$threshold = 3;
$pointer = 8;
$logfile: FULL PATH TO YOUR LOG FILE OR SECONDARY LOG SCAN FILE
$blockfile: FULL PATH TO THE BLOCKED FILE
$htaccess: FULL PATH TO .htaccess FILE IN YOUR ROOT HTML DIRECTORY
$threshold: SET TO A REASONABLE VALUE SO YOU DON'T KICK OFF THE GOOD USERS BUT DO KICK OUT THE LOSERS, TRY 25
$pointer: SEE THE FILE INCLUDED CALLED README.LOGINFO.TXT FOR INSTRUCTIONS ON SETTING THIS VARIABLE
Upload the files and set permissions
Create a directory inside your cgi-bin called
401 and upload all of the files into this directory. Set the permissions for 401.cgi
to 755 and the permissions for the rest of the files to 777. Note that the htaccess
file (rename .htaccess) is NOT supposed to go into your "members" folder.
This new .htaccess file should go into the root level html directory for your website
(htdocs, public_html, or whatever). This .htaccess file will block IP addresses
found inside the "blocked" text file. Make sure you clear out any blank
lines inside of the "blocked" file. The blank line is only there because
of a bug in winzip. If you do not remove it the scrubber will not work right.
Notes on running the software
401.cgi should ideally be set to run from
crontab perhaps once per minute. You can also run the script by telnet command line
using
perl 401.cgi
The script will scan the log file looking for
excessive failed login attempts from the same IP address. If the number of failed
logins is greater than the threshold value the IP address of the attacker will be added to
the "blocked" file. The "blocked" file is used by .htaccess to
deny further access to your web server.
Optimally, you should have your ISP set up
duplicate log files for you. This is easily done by adding a second TransferLog line to the
apache config file like this:
<VirtualHost 209.212.196.253>
ServerAdmin webmaster@webshoppingonline.net
DocumentRoot /home/httpd/html/webshoppingonline.net/htdocs/
TransferLog /home/httpd/html/logs/webshoppingonline.net
TransferLog /home/httpd/html/logs/webshoppingonline-copy.net
ServerName webshoppingonline.net
ServerAlias www.webshoppingonline.net
</VirtualHost>
This way when crontab executes 401.cgi
it will parse the smaller logfile COPY rather than the regular logfile which would cost
you a lot of CPU time. If you cannot set up a duplicate logfile then you should only
run this maybe once per hour. You should set the logfile copy permissions to 777 so
they can be reset to 0k every time 401.cgi runs. If you get attacked by a hurler it
will be obvious within seconds.
If you are going to have 401.cgi reset your
logfiles to keep serverload to a minimum, you will need to add the following line to the
end of 401.cgi to have it clear the logfile back to 0K after execution by crontab.
open (LOGFILE, ">$logfile");
Just keep in mind that if you are attacked by
a hurler they will be throwing maybe 1,000 passwords per minute and cause several hundred
401 errors. If it's just a member trying to remember their username/password you
don't want to block them, so do not set the threshold too low.
Another consideration: make sure your
password software doesn't allow username=password or allow user/passwords less than 4
characters long. A hurler takes a lot longer to break long user/password
combinations. Nearly ALL of them also only attack accounts where the
username=password. So these hurlers really only threaten sites run by lame gateway
software. And you can believe me when I tell you that when a hacker finds a weak
password software system it isn't but a few days later all his friends and their websites
have detailed procedures figured out and published on cracking them. When this
happens, hackers simply use search engines to locate sites using the weak software and
then they break right in. If your site has problems with hackers we can help you.
There are several other security scripts on our site which are best installed by an
expert (programmer). However, there are also instructions available on our site for
you "do-it-yourselfers".
Setting the "$pointer" variable
This variable will determine whether
the script will work or not. If you don't set this EXACTLY right then forget it - it
WILL NOT WORK. There are SIMPLE instructions for anyone that can count to 20 inside
of the file called README.LOGINFO.TXT
READ IT!!!
With referral type logs it will normally be set to 8.
This "pointer" must point to the "200" field in your logfiles.
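How the scan described under "Notes on running the software" and the $pointer setting fit together, as an added example that is not the 401.cgi source. It assumes $pointer is a 0-based index into the whitespace-separated fields of each log line (README.LOGINFO.TXT is not reproduced on this page) and that "referral type" means Apache's combined log format; the log lines are constructed and the sub name failed_logins is hypothetical.

```perl
#!/usr/bin/perl
# Added example, not the 401.cgi source.
use strict;
use warnings;

my $threshold = 3;   # value from the configuration block on this page
my $pointer   = 8;   # ASSUMPTION: 0-based index of the status field

# Constructed sample lines in Apache combined (referer) log format.
my $fmt = '%s - %s [10/Oct/2001:13:55:%02d -0700] '
        . '"GET /members/ HTTP/1.0" %d 1024 "-" "Mozilla/4.0"';
my @log = (
    (map { sprintf($fmt, '203.0.113.7', "guess$_", $_, 401) } 1 .. 5),
    (map { sprintf($fmt, '198.51.100.20', 'alice', $_, 401) } 1 .. 2),
    sprintf($fmt, '198.51.100.20', 'alice', 3, 200),
    'garbage line with too few fields',
);

# Hypothetical helper: count 401 responses per client address.
sub failed_logins {
    my ($pointer, @lines) = @_;
    my %count;
    for my $line (@lines) {
        my @field = split ' ', $line;
        next unless @field > $pointer;
        # With a wrong $pointer the wrong field is tested here and the
        # failed logins are not counted, so the setting has to be exact.
        next unless $field[$pointer] =~ /^\d{3}$/ && $field[$pointer] == 401;
        # The address ends up in a file that .htaccess uses, so accept
        # nothing but a dotted quad with octets in range.
        my @octet = $field[0] =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
            or next;
        next if grep { $_ > 255 } @octet;
        $count{ $field[0] }++;
    }
    return %count;
}

my %count = failed_logins($pointer, @log);
for my $ip (sort keys %count) {
    # Same rule as the text: block only when the count exceeds the threshold.
    printf "%s (%d failed logins)\n", $ip, $count{$ip} if $count{$ip} > $threshold;
}
```

In the sample, the member who fails twice and then logs in stays under the threshold, while the address that fails five times is listed.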