mod_sec rules to drop this...

**chae** · 11-12-2006 04:37 PM

Hi Yah,

Apache continually dying and error logs show this over & over again...

[error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:16 2006] [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:16 2006] [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|

All from different IP's etc etc. Had a search through Google for this and only one other post & nothing resolved for them. Has anyone got a mod_sec rule that would drop this ???
Have already increased the maxclient & dropped the timeout in httpd.conf to relieve the server a bit

Thanks in advance

Chae

**chae** · 11-12-2006 04:48 PM

As a follow up to typing this the techsupport from the Datacentre where the servers are housed have basically said that they can't do anything their side to help...

"Unfortunately most networks don't implement solutions like TopLayer to prevent these kind of outbound attacks..." then they basically tell me that I can add the IP's into our firewall which of course doesn't help as they're (hundreds up hundreds) spoofed (sigh)

So now we've got a crippled server because of these requests

**ramprage** · 11-12-2006 07:43 PM

Could you not add something like this with mod-security?

secfilter $MyNick

**IPSecureNetwork** · 11-12-2006 08:59 PM

buddy you are under attack of botnets thats why the apache marks nicks like IRC .. coz that things are botnets hosted in one irc server to attack.

i recomend you some thing like mod security, mod_choke and mod_ddosevasive

i recomend you one idc with firewall like ipsecurenetwork.com or something like that .. to prevent DDoS attacks

**AndyReed** · 11-13-2006 12:10 AM

Originally Posted by west-domains

or something like that .. to prevent DDoS attacks

If your server is under good DDoS attack, none would would stop it including APF, BFD, Mod security and Mod Evasive, or any other software-based firewall. You have to have hardware-based firewall such as Cisco Guard.

LinkBack

Thread Tools

mod_sec rules to drop this...

Updated mod_sec rules

Updated mod_sec rules

mod_sec rules (where to get the best version)

Can someone help with mod_sec rules and an application I am trying to run?

Who writes and maintains the default WHM mod_sec rules?