View Full Version : How to block website script "hacker"?


PT_
08-20-2005, 09:47 AM
Guys

Saw a big sustained use of b/w on one of my sites yesterday and it affected the load a lot so I think it must have slowed down the site for other visitors. Been through Apache logs and it seems like some script kiddie browsed my site as normal then tried to "hack" a guestbook on the site (see screenshot below - at least that's what I think he did). 55,252 page hits, 1.62 GB b/w and 4 hours later he gave up, switched his program off and went away.

Is there an automated way of preventing something like this with Apache? I know I can block his IP manually but a little investigation in the logs suggests he has visited the site before and has a dynamic ISP IP.

http://img385.imageshack.us/img385/9862/sdump7mp.th.gif (http://img385.imageshack.us/my.php?image=sdump7mp.gif)

http://img385.imageshack.us/img385/5567/graphimage5xy.th.png (http://img385.imageshack.us/my.php?image=graphimage5xy.png)

http://img371.imageshack.us/img371/8909/graphimage3du.th.png (http://img371.imageshack.us/my.php?image=graphimage3du.png)

Cheers

An Irritated PT

elix
08-20-2005, 09:54 AM
I'd suggest using mod_security which can block malicious traffic. www.eth0.us has a nice guide for installing it.

PT_
08-20-2005, 10:15 AM
Elix, that's a very useful site. Thanks.
I will install mod_security but I don't think that will stop this particular kind of nuisance (I could be wrong?!). However, that site had a guide on mod_dosevasive which seems perfect:

denying any single IP address from any of the following:
Requesting the same page more than a few times per second
Making more than 50 concurrent requests on the same child per second
Making any requests while temporarily blacklisted (on a blocking list)

Anyone have experience of this?
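
Added example (not part of the original thread and not mod_dosevasive's own code): a simplified model of the three rules listed in the post above, replayed over Apache access-log lines to show which requests a per-IP rate limiter would deny. The thresholds, helper names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed thresholds for illustration; tune them for the real site.
PAGE_COUNT, PAGE_INTERVAL = 5, 1     # same URI: more than 5 hits within 1 s
SITE_COUNT, SITE_INTERVAL = 50, 1    # any URI: more than 50 hits within 1 s
BLOCK_PERIOD = 10                    # seconds an offending IP stays denied
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def parse(line):
    """Return (ip, epoch_seconds, uri) from a common-log-format line, or None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group(1), ts, m.group(3)

def _over(window, now, interval, limit):
    """Record a hit in a sliding window; report whether it now exceeds limit."""
    window.append(now)
    while window and now - window[0] >= interval:
        window.popleft()
    return len(window) > limit

def evaluate(lines):
    """Replay log lines; return {ip: number of requests that would be denied}."""
    page_hits = defaultdict(deque)   # (ip, uri) -> recent hit timestamps
    site_hits = defaultdict(deque)   # ip -> recent hit timestamps
    blocked_until, denied = {}, defaultdict(int)
    for ip, now, uri in filter(None, map(parse, lines)):
        if blocked_until.get(ip, 0) > now:    # rule 3: still on the blocking list
            denied[ip] += 1
            continue
        page = _over(page_hits[(ip, uri)], now, PAGE_INTERVAL, PAGE_COUNT)
        site = _over(site_hits[ip], now, SITE_INTERVAL, SITE_COUNT)
        if page or site:                      # rules 1 and 2: rate exceeded
            blocked_until[ip] = now + BLOCK_PERIOD
            denied[ip] += 1
    return dict(denied)

def _line(ip, sec, uri):
    return f'{ip} - - [19/Aug/2005:14:02:{sec:02d} +0000] "GET {uri} HTTP/1.1" 200 512'

# Constructed sample: one client hammering a guestbook, one normal visitor.
SAMPLE = ([_line("203.0.113.7", 1, "/guestbook.php")] * 8
          + [_line("203.0.113.7", 5, "/index.html")]
          + [_line("198.51.100.4", s, "/index.html") for s in (1, 3, 5)])
```

Running evaluate() over a real access log before enabling blocking shows how many requests, and from which addresses, a given set of thresholds would have denied.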

StingRay
08-20-2005, 09:09 PM
There is another thread here about mod_dosevasive

Jad
08-21-2005, 01:00 AM
mod security available via WHM Addon Modules.

PT_
08-23-2005, 05:33 PM
Cheers for the info guys.

elix
08-23-2005, 05:44 PM
Just recently found this site:
http://modsecrules.monkeydev.org/

Try the normal rules there for mod_security....that may help :)