__Description__

Compares all requested URLs (and other associated data) to a list 
of known attacks; a match from an IP generates (in real time) a 
firewall entry blocking that IP for 10 days.

__Install__ (as root)

1. Copy the regular expressions and bash script (which runs a gawk script):
cp apachefilter.regex /etc
cp apachefilter.sh /usr/local/sbin/

2. Edit apache configuration to pipe access logs into the bash script, edit:
/etc/apache2/sites-enabled/000-default
and add the line:
CustomLog |/usr/local/sbin/apachefilter.sh combined

3. Edit the firewall so that all port 80 traffic is tested against the HTTP chain.
RedHat style:
:HTTP - [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j HTTP 
Command line style:
iptables -N HTTP
iptables -I INPUT -p tcp -m tcp --dport 80 -j HTTP

4. Restart apache
# /etc/init.d/apache restart


__ToDo__

It would be nice to have a categorised list of attacks so that you can 
pick and choose what to look for. Some of the patterns in the supplied 
set could match legitimate requests - it all depends on the content of 
your website.


__Implementation__

Access logs are first filtered by grep using the regular expressions 
list. Any matches are passed to a gawk script that adds firewall rules
for every new IP that it sees. The gawk script also records when the rule
was added, and removes that rule if it is more than 10 days old.
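The following is an added example (not the project's own apachefilter.sh) showing one pass of the filter just described: grep against the regex list, extract the client IP from combined-format lines, add a DROP rule to the HTTP chain for each new IP, record the block time in a state file, and expire entries older than 10 days. The state file format, the `apachefilter_pass` function name and the `IPTABLES` override (so the logic can be exercised without root, e.g. `IPTABLES=echo`) are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the project's code. Assumes the HTTP chain from the
# install section exists. The project's version drives this from gawk; plain
# awk is enough here to pull the client IP (first field) out of each line.

BLOCK_DAYS=${BLOCK_DAYS:-10}

# apachefilter_pass REGEX_FILE STATE_FILE  (log lines on stdin)
# State file: one "<ip> <epoch-seconds-when-blocked>" per line (assumed format).
# Prints the IPs newly blocked during this pass, one per line.
apachefilter_pass() {
    local regex="$1" state="$2" ipt="${IPTABLES:-iptables}"
    local now; now=$(date +%s)
    local max_age=$((BLOCK_DAYS * 86400))
    touch "$state"

    # 1. Expiry: remove the rule and the state entry for any IP whose block
    #    is older than BLOCK_DAYS; keep everything else.
    local tmp; tmp=$(mktemp)
    while read -r ip ts; do
        [ -z "$ip" ] && continue
        if [ $((now - ts)) -gt "$max_age" ]; then
            "$ipt" -D HTTP -s "$ip" -j DROP >/dev/null 2>&1
        else
            printf '%s %s\n' "$ip" "$ts" >> "$tmp"
        fi
    done < "$state"
    mv "$tmp" "$state"

    # 2. Filter: only lines matching a known-attack pattern survive, then the
    #    client IP is extracted and de-duplicated for this batch.
    grep -E -f "$regex" | awk '{ print $1 }' | sort -u | while read -r ip; do
        # 3. Skip IPs already blocked; otherwise insert the rule and record it.
        grep -q "^$ip " "$state" && continue
        "$ipt" -I HTTP -s "$ip" -j DROP >/dev/null 2>&1
        printf '%s %s\n' "$ip" "$now" >> "$state"
        printf '%s\n' "$ip"
    done
}
```

Run as `tail -F access.log | apachefilter_pass /etc/apachefilter.regex /var/lib/apachefilter.state` (paths are illustrative) to approximate the CustomLog pipe from the install steps.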


__History__

This is the initial release, based on the ideas of (but none of the code
from) sshdfilter.


__Author__

Written by Richard Gregory, greg@csc.liv.ac.uk AKA Greg
Would welcome any comments.

