RE: [users@httpd] Is there a way to intercept all IP accesses in real time?
I'm probably being pedantic, but I don't think you are looking for a literal "real time"
system, just something that operates quickly. A legitimate real time system can guarantee
response to an interrupt within a specified length of time. People often confuse this with
being fast, but they aren't really the same thing.
I think you might be able to accomplish your goals with some high quality log analysis software.
Since all the threads write to the same logs, checking the logs takes care of the multiple thread issue.
If that doesn't sound fast enough, you might look to see if any of the switches or routers in your
network have hacking detection software that can be installed or activated. This works faster than
anything you could put on the server itself.
Jeffrey Cauhape – IT Professional III – Linux and Solaris Administrator
Nevada Department of Employment, Training and Rehabilitation
(775) 684-3804 (office) jpcauhape@xxxxxxxxxxx
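One way to do the log analysis suggested above, as an added example that is not code from either poster: a Python sliding-window count of failed login POSTs per client IP over Apache combined-format access log lines. The `/login` path, the threshold and window, and the sample log lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" LogFormat: client IP, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
            m["path"], int(m["status"]))

def find_abusers(lines, login_path="/login", threshold=5, window_seconds=60):
    """Return the set of IPs with more than `threshold` failed logins (POST to
    login_path answered 401/403) inside any `window_seconds` window.
    Lines are assumed chronological, as httpd appends them."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != login_path or status not in (401, 403):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(ip)
    return flagged

# Constructed sample log (not from the thread): six rapid failures from one host,
# two from another, and one ordinary page view.
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Nov/2018:07:05:{s:02d} +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.61.0"'
    for s in range(1, 7)
] + [
    '198.51.100.9 - - [01/Nov/2018:07:05:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Nov/2018:07:05:20 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [01/Nov/2018:07:05:30 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(sorted(find_abusers(SAMPLE_LOG)))
```

Because every worker process appends to the same access log, this sees every request no matter which worker served it, and the returned set is the kind of short, frequently refreshed blacklist the question asks for.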
From: David Spector [mailto:david025@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Thursday, November 1, 2018 7:05 AM
Subject: [users@httpd] Is there a way to intercept all IP accesses in real time?
I would like to write a short real-time PHP program to detect unusual or malicious access patterns to httpd under all OSs for the usual methods, such as GET and POST, the goal being to protect authentication procedures from being repeatedly tested by unauthorized visitors to websites.
My understanding is that Apache generates a pool of worker processes to handle remote accesses to the server, so that accesses are processed efficiently and possibly concurrently if the OS supports process concurrency.
So, I'm afraid if I simply write a PHP function that gets called at the start of displaying the home page of a website, it will intercept only a subset of the remote accesses, which would be insufficient for analyzing access patterns.
Is there a way to have a piece of efficient real-time PHP code stay in memory (for efficiency, so its code and database can be resident in memory) and be called for every remote IP access? Its results (a short, often updated IP blacklist) could be sent to the website through a slower route or could be used right there in the real-time PHP code to block the access.