mod_protection Version 0.0.2

mod_server-info gives us this kind of information :)

  Module Name: mod_protection.c
  Content handlers: none
  Configuration Phase Participation: Create Server Config, Merge Server Configs
  Request Phase Participation: Translate Path
  Module Directives:
    Menace - where to redirect blocked requests
    WarnHost - host and port to warn
    BlockTime - how many seconds to block before responding (fw simulation)

And the directives in the mod_protection.rules file:

  PairAlertMatch - a regular expression for protected uris and args
  PairAlert - protected uris and arguments
  ArgAlertMatch - a regular expression for protected args
  ArgAlert - protected arguments
  UriAlertMatch - a regular expression for a protected uri
  UriAlert - a protected uri

For Menace and WarnHost it is strongly recommended to put an instance. Menace accepts only one instance and WarnHost multiple (but with multiple remote hosts to warn, mod_protection could slow down your server). For the other directives you can put as many values as you like.
Here are the modifications you have to add to httpd.conf. First you have to load our module:

  LoadModule protection_module libexec/mod_protection.so

After that you have to copy and/or write your rules in the file mod_protection.rules, and then add the specific configuration for mod_protection, for example:

  <IfModule mod_protection.c>
  BlockTime 0
  Menace "/usr/local/apache/htdocs/index.html.ru.iso-ru"
  WarnHost 192.168.2.23 60080
  Include "/usr/local/apache/conf/mod_protection.rules"
  </IfModule>

Analyzing line by line:

UriAlert /hsx.cgi
  With this you specify that you want to be warned about and block each request that asks for /hsx.cgi, like:
    GET /hsx.cgi HTTP/1.1
  or
    POST /hsx.cgi HTTP/1.1
  or
    GET /hsx.cgi?pippo=paperino&system=rm&argument=rf&ala=makota

UriAlertMatch /forbidden-data/
  With this you specify that you want to be warned about and block each request that asks for /forbidden-data/, like:
    GET /forbidden-data/an-important-file.txt
  or
    POST /forbidden-data/your-decevant-form.html
  or
    GET /forbidden-data/your-crimes-houseware/statistic.xls
  or
    GET /my-big-deceptions/forbidden-data/my-former-girlfriend-NIFOC.jpg

ArgAlertMatch /etc/passwd
  With this you specify that you want to be warned about and block each request that has /etc/passwd as an argument, like:
    GET /buggy-cgi.pl?cat=/etc/passwd
  etc... do you see what I mean?

Menace "/usr/local/apache/htdocs/index.html.ru.iso-ru"
  This directive says where blocked requests are redirected. This is done as if there were an alias, so the user can't tell this is a redirection. FOR NOW ONLY HTML PAGES ARE FULLY SUPPORTED AS Menace.

BlockTime 0
  This means that in fact you have not activated the firewall emulation functionality. To activate it put an integer > 0, and this will be the number of seconds to wait before responding to a malicious request. This can be useful to break some cgi scans.

WarnHost 192.168.2.23 60080
  This directive says where to send the warning.
So for example you can run on your Irix workstation (192.168.2.23) a program that listens for messages on port 60080 and opens a message box with the message when one arrives. The format of the messages, for now, is:

  $uri?$arg from $remote-ip\n

so for example:

  /hsx.cgi?pippo=paperino&system=rm&argument=rf&ala=makota from 192.168.2.22

For now you can find a C client and a mIRC script (example-client). wany.pl is the simplest perl script you can imagine: it just prints the stuff read from the socket to the terminal. Is it enough?
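As an added example that is not part of mod_protection itself, here is a small Python model of how the rules-file directives described above classify a request line, and of the warning message format sent to WarnHost. The rules text is constructed; the ArgAlert semantics (a query value equal to the string) and the omission of the Pair* directives are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed rules in the mod_protection.rules directive syntax (subset).
RULES_TEXT = """\
UriAlert /hsx.cgi
UriAlertMatch /forbidden-data/
ArgAlertMatch /etc/passwd
"""

def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return (directive, value) pairs, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        rules.append((directive, value.strip().strip('"')))
    return rules

def split_request(request_line: str) -> Tuple[str, str, str]:
    """Split 'GET /path?a=b HTTP/1.1' into (method, uri, args)."""
    method, target = request_line.split(" ", 2)[:2]
    uri, _, args = target.partition("?")
    return method, uri, args

def match_rule(directive: str, value: str, uri: str, args: str) -> bool:
    """Apply one directive the way the README describes it (ArgAlert is an assumption)."""
    if directive == "UriAlert":          # exact uri
        return uri == value
    if directive == "UriAlertMatch":     # regex anywhere in the uri
        return re.search(value, uri) is not None
    if directive == "ArgAlertMatch":     # regex anywhere in the query string
        return re.search(value, args) is not None
    if directive == "ArgAlert":          # assumption: a query value equal to the string
        return any(kv.partition("=")[2] == value for kv in args.split("&") if kv)
    return False                         # Pair* directives are not handled here

def check_request(request_line: str, remote_ip: str, rules) -> Optional[str]:
    """Return the WarnHost message '$uri?$arg from $remote-ip\\n' if a rule fires, else None."""
    _, uri, args = split_request(request_line)
    for directive, value in rules:
        if match_rule(directive, value, uri, args):
            return f"{uri}?{args} from {remote_ip}\n"
    return None
```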