Message Board

Tracking Harvesters/Spammers

 Improve speed of the Honeypot Module
Author: M.Bishof   (11 Dec 10 11:29am)
My problem is that mod_httpbl is slowing down website requests to our server since each request is sent to projecthoneypot first.

I would recommend that there is a daily updated IP list of harvesters, spambots and everything else trapped by the honeypots to put on the local server.
 
 Re: Improve speed of the Honeypot Module
Author: H.User5946   (11 Dec 10 2:58pm)
As far as I know the mod_httpbl module available here is no longer developed.

If you are interested, this weekend, I've rewritten two mod_perl modules to replace mod_httpbl and specifically address the slowness you have observed.

Basically there are 2 modules, httpblFirewall and httpblLog

The Firewall does what it suggests - it decides if the incoming connection should be dropped, and does so. This is an Apache-level firewall system, so does not need any Operating System specific firewall configuration.

The Log also does what it suggests, but sneakily implements the Firewall capabilities.

You see, doing a http:BL DNS call before handling the HTTP request is slow - (this is why back in the mid 1990s web servers got the option of turning off resolving the hostnames of the incoming connections). So it is not prudent to do this when you receive a request.

So how to implement http:BL without killing your performance?

The httpblLog module is called by Apache after the request has been handled - it is here that I perform the http:BL DNS call. If the module decides that the person is a "baddie" then it creates the Apache-level firewall (which can be used next time by httpblFirewall), logs the call to a httpbl.log and tells Apache not to log it.

The system is reasonably configurable (you can make the Firewall do the http:BL API call if you like, I just don't recommend it) - you can also tune the levels (score) at which you want to Log and/or Block.

I also have implemented decent white and blacklists that cope with one or more files allowing you to block by IP, IP-range, CIDR notation.
The same white and blacklists also allow you to specify pattern matching against request headers (can only do this in the Log module), e.g.
header:scoremodifier:pattern
agent:5:Sosospider
referer:3:seomarketing

I've been doing a bit of tweaking and refining yesterday and today. I plan on making an initial release some point next week. If you'd like to be a guinea pig - let me know :)

You'll need Apache2 and mod_perl installed.

Regards,
PG
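
The deferred-lookup design described in the post above, sketched in Python as an added example (not part of the original post and not the httpblFirewall/httpblLog code): the request phase only consults a local block set, and the http:BL DNS query runs in the log phase. The query name and the 127.days.threat.type answer layout follow Project Honey Pot's http:BL API; the threshold, the additive use of score modifiers, the class and function names, and the sample DNS answer are assumptions.

```python
import re

# Assumptions, not from the thread: the threshold, additive score modifiers,
# an in-memory block set, and the constructed DNS answers in FAKE_DNS.
BLOCK_AT = 25
RULES = "agent:5:Sosospider\nreferer:3:seomarketing"
FAKE_DNS = {"examplekey.7.2.0.192.dnsbl.httpbl.org": "127.3.22.4"}  # constructed

def parse_rules(text):
    """Parse 'header:scoremodifier:pattern' lines into (header, int, regex)."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        header, modifier, pattern = line.split(":", 2)
        rules.append((header.lower(), int(modifier), re.compile(pattern, re.I)))
    return rules

def httpbl_name(key, ip):
    """http:BL query name: <key>.<reversed IPv4 octets>.dnsbl.httpbl.org"""
    return "%s.%s.dnsbl.httpbl.org" % (key, ".".join(reversed(ip.split("."))))

def parse_answer(answer):
    """Answer is 127.<days>.<threat>.<type>; None (NXDOMAIN) means not listed."""
    if answer is None:
        return None
    octets = [int(o) for o in answer.split(".")]
    if len(octets) != 4 or octets[0] != 127:
        return None  # malformed or error answer: treat as not listed
    return {"days": octets[1], "threat": octets[2], "type": octets[3]}

class DeferredHttpBL:
    def __init__(self, key, resolver, rules):
        self.key, self.resolve, self.rules = key, resolver, rules
        self.blocked = set()

    def firewall(self, ip):
        """Request phase: local set lookup only, never DNS."""
        return ip in self.blocked

    def log_phase(self, ip, headers):
        """After the response is sent: DNS lookup, score, block for next time."""
        hit = parse_answer(self.resolve(httpbl_name(self.key, ip)))
        # Type 0 is a search engine; its third octet is not a threat score.
        score = hit["threat"] if hit and hit["type"] != 0 else 0
        for header, modifier, pattern in self.rules:
            if pattern.search(headers.get(header, "")):
                score += modifier
        if score >= BLOCK_AT:
            self.blocked.add(ip)
        return score
```

With this ordering the first request from a listed address is always served; the block only takes effect from its next request, which is the cost of keeping DNS out of the request path.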
 
 Re: Improve speed of the Honeypot Module
Author: M.Bishof   (12 Dec 10 4:25am)
Sounds interesting.

Additionally I found that the ProjectHoneypot DNS Zone files are downloadable on request: http://projecthoneypot.org/faq.php#g
 
 Re: Improve speed of the Honeypot Module
Author: M.Bishof   (14 Dec 10 1:39pm)
Ouch: "We charge a fee to rsync the zone that is currently $6,700USD/annually."
 
 Re: Improve speed of the Honeypot Module
Author: H.User5946   (14 Dec 10 4:20pm)
Haha... lucky you - at least they replied to you which is more than I can say.


