F*EX use case: anti-hacker configuration

To prevent brute-force hacking attacks that guess user/auth-ID pairs, you can define the function $max_fail_handler(), which is undefined in default installations.

$max_fail_handler(remote_ip_address) is called when there are more than $max_fail failed login attempts.

For example, I have the following setup (on Linux):

A copy of the iptables program with the s-bit (setuid) set:

  fex@fex: ll /home/fex/bin/iptables
  -rwsr-sr-x root  root 47,480 2008-01-28 14:49:09 /home/fex/bin/iptables

so that the user fex can modify the local iptables firewall rules.

And then in fex.ph I have:

  $iptables = '/home/fex/bin/iptables';
  
  $max_fail = 10;

  $max_fail_handler = sub {
    my $ip = shift;   # remote IP address that exceeded $max_fail
    local $_;

    # BLOCK and LOGREJECT are user-defined chains of this firewall
    # setup; they must already exist
    system "$iptables -A BLOCK -s $ip -j LOGREJECT";
    # notify the admin by mail and append the failure log, if any
    if (open my $m,"| mailx -s 'FEX max_fail $ip' framstag") {
      print {$m} "@_\n\n";
      if ($faillog and open my $fl,'<',$faillog) {
        print {$m} $_ while <$fl>;
        close $fl;
      }
      close $m;
    }
  };

With this function, every IP address is blocked once it has produced more than 10 consecutive login failures, and a notification e-mail is sent to the user framstag. A successful login resets the counter.

For the curious: If you have defined $max_fail_handler() and $max_fail in /home/fex/lib/fex.ph then you will find the last login failures in /home/fex/spool/.fail/
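
A more defensive variant of the $max_fail_handler shown above, as an added example (not F*EX's or the author's code): it validates the address and calls the setuid iptables copy without going through a shell. The names block_cmd and %never_block are hypothetical; the path, chain and target are taken from the setup above, the mail notification is left out, and only IPv4 is handled because iptables itself only covers IPv4.

```perl
use strict;
use warnings;
use Socket qw(inet_pton AF_INET);

my $iptables = '/home/fex/bin/iptables';  # setuid copy from the setup above

# Hypothetical allow list: addresses that must never be locked out,
# e.g. loopback or your own reverse proxy or monitoring host.
my %never_block = map { $_ => 1 } qw(127.0.0.1);

# Return the iptables argument list for $ip, or an empty list if $ip
# is not a plain dotted-quad IPv4 address or is on the allow list.
sub block_cmd {
  my $ip = shift;
  return unless defined $ip and $ip =~ /\A[0-9.]{7,15}\z/;
  return unless defined inet_pton(AF_INET,$ip);  # octets must be 0..255
  return if $never_block{$ip};
  return ($iptables,qw(-A BLOCK -s),$ip,qw(-j LOGREJECT));
}

# In fex.ph this would be assigned to the global $max_fail_handler.
my $max_fail_handler = sub {
  my $ip = shift;
  my @cmd = block_cmd($ip) or return 0;
  # List form of system(): no /bin/sh is involved, so nothing in $ip
  # can be interpreted as shell syntax by the root-privileged call.
  return system(@cmd) == 0;
};

# Dry run on constructed sample values: show what would be executed.
for my $ip ('192.0.2.44','127.0.0.1','999.1.1.1','192.0.2.44;x','example.org') {
  my @cmd = block_cmd($ip);
  printf "%-14s => %s\n",$ip,@cmd ? "@cmd" : 'ignored';
}
```

Run stand-alone, the script only prints the dry run; the handler itself is not invoked, so no firewall rule is changed.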

Another anti-hacking configuration can be done by defining $header_hook() in fex.ph to disallow certain headers. Example:

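$header_hook = sub {
  my ($connect,$header,$ip) = @_;
  my (@dl);
  local $_;

  # normalize line endings: CRLF to LF, exactly one trailing newline
  $header =~ s/\r\n/\n/g;
  $header =~ s/\n*$/\n/;

  # deny list: one regular expression per entry
  @dl = qw(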
    ^GET.*\.\./\.\./
    ^User-Agent:.Opera/9.64.Windows.NT.5.1;.U;.en..Presto/2.1.1
    ^User-Agent:.MSIE
    ^User-Agent:.Internet.Explorer.4
    ^User-Agent:.Mozilla.*Win2000
    ^User-Agent:.*Windows.9[58]
    ^User-Agent:.facebook
    ^User-agent:.chroot
    ^User-Agent:.Morfeus
    ^User-Agent:.Toplistbot
    ^User-Agent:.Toata
    ^User-Agent:.Sosospider
    ^User-Agent:.Hatena
    ^User-Agent:.bitlybot
    ^User-Agent:.Comodo
    ^User-Agent:.COMODO 
    ^User-Agent:.*daum.net
    ^User-Agent:.*puritysearch
    ^User-Agent:.*Mp3Bot
    ^User-Agent:.*TencentTraveler
    ^User-Agent:.*FunWebProducts
    ^User-[Aa]gent:.*Baidu
    ^DAPPER-HOST-IP
    ^Content-Type:.*boundary=xYzZY
    ^Referer:.\[url=http
    ^Referer:.*(replica|[Bb]ags|[Gg]ucci|cheap|viagra|-sale)
    ^[\w-]+:\s*\\(\\)\s*\{
  );

  # on the first matching pattern: log it, answer with HTTP 400 and stop
  foreach my $dp (@dl) {
    if ($header =~ /$dp/) {
      fexlog($connect,@log,"BADREQUEST $dp");
      http_error(400);
      exit;
    }
  }
};


framstag@rus.uni-stuttgart.de