<div dir="ltr">On Fri, Aug 1, 2008 at 9:18 PM, Calomel <span dir="ltr"><<a href="mailto:nginxdeletethis@calomel.org">nginxdeletethis@calomel.org</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Jeffery,<br>
</blockquote><div><br>thanks, but that's Jeff-r-e-y, actually.<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
I am not sure if Nginx is the right place for a tarpit. Tarpitting on<br>
the firewall may be a better solution so nginx can just handle web<br>
traffic.<br>
<br>
Iptables allows you to tarpit connections easily, but you will have to<br>
manage a table of clients you want to slow down. The following rule<br>
will tarpit all connections to port 80.<br>
<br>
iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT<br>
</blockquote><div><br>Let me describe the context of the application of tarpitting so that it becomes clear. I am looking to tarpit only certain connections based on certain criteria (otherwise, of course, why would I even bother to run and use nginx to tarpit, right?).<br>
<br>I intend to use this to tarpit persistent blog spam. I have captchas that work - but still, I'd like to be able to punish these guys - and drive them out of even my logs.<br><br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
PF (openbsd) does not yet have a tarpit ability for standard tcp<br>
connections. Spamd will only work to tarpit mail servers.<br>
<br>
There are also third party apps like LeBrea or HoneyPot that will do<br>
what you want.<br>
</blockquote><div><br>I'm not so sure LaBrea, or HoneyPot can tarpit selectively. Or even if they do, whether they can work in concert with an actual web server (so that they can pass the legal connections onward, and things will still work).<br>
<br>-jf<br><br>--<br clear="all">In the meantime, here is your PSA:<br>"It's so hard to write a graphics driver that open-sourcing it would not help."<br> -- Andrew Fear, Software Product Manager, NVIDIA Corporation<br>
<a href="http://kerneltrap.org/node/7228">http://kerneltrap.org/node/7228</a><br></div></div></div>