Security module?

gerardryan - February 26, 2004 - 21:22

I've been fooling around with header inspection, DNSBL lookups, attempted exploits, user agent tracking (bad bots), and access/ban lists.

If this experimentation were to ever make it into a Drupal module, what features would be the most helpful/desired? In addition to what I've listed, what other features can you think of?

Thanks for the feedback.

I've working on a mandatory H

gerardryan - March 23, 2004 - 06:49

I've been working on a mandatory HTTP access control suite.



The basic premise of the tool is to learn, through HTTP header analysis, *what* is on the other end of the connection, rather than *who* ... and based upon that knowledge, either take action on the host, or let them proceed to the website. Because it works with HTTP headers, the access control happens after the request has been processed by the server software (i.e., apache/iis/what have you) and before any pages are served.

I have put significant time into reducing both overhead and false positives. The suite looks for:

  • excessive page requests
  • xss scripting exploits
  • directory traversal exploits
  • hidden file access
  • robot protocol "negligent" bots
  • users who attempt to hide their identity via anonymous proxies
  • blacklisted hosts (DNSRBL lookups are performed at opm.blitzed.org)
  • locally blacklisted hosts

There's also an access list and MySQL administration.



The DNS lookup is only performed once per session (and it's configurable), to keep network overhead down -- reverse lookups can be a considerable expense on a busy server. Also, the software is capable of running its own (multi-threaded, ANSI C, UNIX/Windows) proxy scanning application -- and it's not only optional, but only called if the software detects mangled or scrubbed headers.



Before I ramble on too long, I'll provide a URL.

http://www.badgergoose.com/node/view/12



There's an admin demo available to give you a better idea of what it does.



I'm posting this here because I want to know if this is a project worthy of being integrated as a Drupal module. It's somewhat unorthodox, and I'd like to know if it would be useful to anyone else before going further.



Thanks.
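A sketch of four of the checks listed in the post above (directory traversal, hidden file access, excessive page requests, and a DNSBL lookup cached once per session), as an added example that is not the poster's code. The `Screener` class, the thresholds, the placeholder zone `dnsbl.example.org` and the injected resolver are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from urllib.parse import unquote

DNSBL_ZONE = "dnsbl.example.org"   # placeholder zone (assumption), set to your DNSBL
MAX_HITS, WINDOW = 5, 10.0         # assumed threshold: more than 5 requests in 10 s

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """IPv4 DNSBL query name: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

class Screener:
    def __init__(self, resolver):
        self.resolver = resolver          # callable(name) -> True if the host is listed
        self.hits = defaultdict(deque)    # ip -> timestamps of recent requests
        self.sessions = {}                # session id -> cached DNSBL verdict

    def check(self, session, ip, raw_path, now):
        """Return the reasons a request looks hostile (empty list = allow)."""
        reasons = []
        # Decode twice so double-encoded %252e%252e is caught as well as %2e%2e.
        path = unquote(unquote(raw_path)).replace("\\", "/")
        segments = [s for s in path.split("?", 1)[0].split("/") if s]
        if ".." in segments:
            reasons.append("directory traversal")
        if any(s.startswith(".") and s not in (".", "..") for s in segments):
            reasons.append("hidden file access")
        # Sliding window of request times per client address.
        window = self.hits[ip]
        window.append(now)
        while window and now - window[0] > WINDOW:
            window.popleft()
        if len(window) > MAX_HITS:
            reasons.append("excessive page requests")
        # One DNS query per session keeps lookup overhead off the hot path.
        if session not in self.sessions:
            self.sessions[session] = self.resolver(dnsbl_name(ip))
        if self.sessions[session]:
            reasons.append("blacklisted host")
        return reasons
```

In production the resolver would issue an A-record query for the generated name and treat any answer as "listed"; legitimate dot-prefixed paths such as `.well-known` would need an allow-list to avoid false positives.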

Oh Yes Please!

Robert Castelo - March 23, 2004 - 11:24

Over-aggressive spiders are becoming a real nuisance.

A couple of weeks ago a Korean email harvesting spider wasted more than 1 Gb of my bandwidth before I spotted it and blocked it. The spider then switched to 4 different IP addresses, which got blocked, before giving up.

Most of these spiders are fairly stupid, and can be blocked by IP address or bot name, but some are spoofing IP and name, or have whole ranges of IP addresses. Your suggestion of catching them by their behaviour seems like the one thing they can't spoof.

It would also be very satisfying to get some sweet revenge on these email harvesting spiders. Perhaps a feature to feed them nonsense email addresses and poison their spam database?

Troll module

deekayen - May 4, 2009 - 19:24

Those kinds of features are in Troll 6.x.
