What kind of logging and analysis on logs do you guys use for dealing with HTTP attacks?

rchurch Barred
edited March 2021 in General

After the problems covered in "Problem with provider IP address", I'd like to know what LETs use for dealing with such problems.

EDIT: It seems what I want is a WAF, and one spoken about here is mod_security. Are there any others I should consider? Which are the recommended ones?

My plan now is to save the logs into a database and analyze that with a script, and searches have revealed that rsyslog/syslog can log directly to a database, although I could also do that directly with a script that reads the logs directly.

So after loading the logs into the database, what kind of patterns are usually searched for, and how are they usually dealt with if they are considered hostile, besides the usual method of banning the IP address?
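
Added example, not part of the original post: a sketch of the plan described above (load web server logs into a database, then analyze them with a script). It assumes the Apache/nginx "combined" log format and an in-memory SQLite database; the table name `hits`, the function names, the sample lines and the "mostly 4xx responses" thresholds are all assumptions made for illustration.

```python
import re
import sqlite3

# Constructed sample lines in "combined" format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/7.68.0"
198.51.100.20 - - [10/Mar/2021:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2021:10:00:09 +0000] "GET /missing.png HTTP/1.1" 404 153 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def load(conn, text):
    """Parse log text into table `hits`; return (loaded, skipped) counts."""
    conn.execute("CREATE TABLE IF NOT EXISTS hits "
                 "(ip TEXT, ts TEXT, method TEXT, path TEXT, status INTEGER, agent TEXT)")
    loaded = skipped = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        # Parameterised insert: every log field is client-controlled text.
        conn.execute("INSERT INTO hits VALUES (?,?,?,?,?,?)",
                     (m["ip"], m["ts"], m["method"], m["path"], int(m["status"]), m["agent"]))
        loaded += 1
    return loaded, skipped

def noisy_clients(conn, min_errors=3, min_ratio=0.8):
    """Assumed pattern: clients whose requests are mostly 4xx. Rows: (ip, total, errors, paths)."""
    return conn.execute(
        "SELECT ip, COUNT(*) AS total, "
        "       SUM(status BETWEEN 400 AND 499) AS errors, "
        "       COUNT(DISTINCT path) AS paths "
        "FROM hits GROUP BY ip "
        "HAVING errors >= ? AND errors * 1.0 / total >= ? "
        "ORDER BY errors DESC", (min_errors, min_ratio)).fetchall()

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(load(db, SAMPLE_LOG), noisy_clients(db))
```

The ordinary visitor with a single 404 stays below both thresholds, which is the reason for combining an absolute count with a ratio before acting on an address.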
