The log that I'm looking at is the one for my SMF forum. Basically, there's a ton of login attempts with "incorrect password" about once every 5 minutes going back several days. The way I am blocking them is by adding each IP to the SMF forum ban list.
I tried adding your rewrite rules, but it hosed my site. I'll have to take a more detailed look at them later to try to figure out what the problem was.
However, since my site uses Joomla, I've already got these rules in the .htaccess file, which probably accomplish a lot of the same thing...
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
## Deny access to extension xml files (uncomment out to activate)
#
#Order allow,deny
#Deny from all
#Satisfy all
#
## End of deny access to extension xml files
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
GroovyMAME support forum on BYOAC
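
An added example, not part of the post above and not Joomla's or SMF's own code: a small Python emulation of the five RewriteCond lines quoted in the post, run over constructed query strings to show which requests the block answers with 403. It assumes the script condition uses the `%3C`/`%3E` encoded forms, and the `action=login2` login request and its form body are constructed samples.

```python
import re

# The five RewriteCond patterns from the quoted Joomla block, with their flags.
# mod_rewrite uses PCRE; these particular patterns behave the same in Python's re.
CONDITIONS = [
    ("mosConfig", r"mosConfig_[a-zA-Z_]{1,21}(=|\%3D)", 0),
    ("base64_encode", r"base64_encode.*\(.*\)", 0),
    ("script tag", r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),  # [NC]
    ("GLOBALS", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    ("_REQUEST", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
]


def blocked_by(query_string):
    """Return the name of the first matching condition, or None.

    The conditions are chained with [OR], so a single match is enough to
    trigger the [F] rule. %{QUERY_STRING} is matched as sent, without URL
    decoding, which is why the patterns list both raw and %-encoded forms.
    """
    for name, pattern, flags in CONDITIONS:
        if re.search(pattern, query_string, flags):
            return name
    return None


def status(query_string, body=""):
    """403 if the block would fire, else 200 (request passed on to the app).

    `body` is accepted only to make explicit that POST data is never
    inspected: every condition tests the query string alone.
    """
    return 403 if blocked_by(query_string) else 200


# Constructed sample requests: (query string, POST body)
SAMPLES = [
    ("option=com_content&view=article&id=5", ""),
    ("mosConfig_absolute_path=x", ""),
    ("q=%3CScRiPt%3E", ""),
    ("option=com_content&GLOBALS[x]=1", ""),
    ("_REQUEST%5Bx%5D=1", ""),
    ("action=login2", "user=admin&passwrd=wrong-guess"),  # failed forum login
]

if __name__ == "__main__":
    for qs, body in SAMPLES:
        print(status(qs, body), blocked_by(qs) or "-", qs)
```

The login request passes with 200 because none of the conditions look at the request body, so repeated "incorrect password" attempts are still handled by the forum's own ban list or a separate rate limit.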