OT? -- Banning IP's making high volume of bad requests
Matt Price
moptop99-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Sep 19 11:44:09 UTC 2014
Hi folks,
Earlier this week the ubuntu server my courses run on was compromised
and started spamming. I have done some hardening and among
other things installed fail2ban and logwatch, then put the server back
up yesterday afternoon.
This morning I woke up to see hundreds of thousands of requests from
2 IPs to a web page that has a known exploit. Here is a log entry:
195.154.136.19 - - [19/Sep/2014:07:33:10 -0400] "POST /xmlrpc.php HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
I would like to tell fail2ban to block these IPs when this happens --
they aren't doing any damage yet but they account for most of my
bandwidth right now and I would rather they not keep me on their 'easy
targets' list. Does anyone know how to do this -- if not with
fail2ban then with some other tool?
Thanks,
Matt
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
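
The detection asked about above, as an added example that is not part of the original post: it scans Apache access-log lines in the format quoted in the message and reports clients that exceed a POST threshold on /xmlrpc.php within a sliding time window. The function names are hypothetical, the parameters maxretry and findtime are named after the fail2ban jail options of the same name, and the sample log lines are constructed using documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache access-log prefix: client IP, timestamp, request method and path.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

def find_offenders(lines, path="/xmlrpc.php", maxretry=5, findtime=60):
    """Return {ip: time the threshold was crossed} for clients that sent
    at least `maxretry` POSTs to `path` within `findtime` seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != path:
            continue  # unparseable line, or not the request we are counting
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:  # drop hits older than the window
            hits.popleft()
        if len(hits) >= maxretry and m["ip"] not in offenders:
            offenders[m["ip"]] = ts
    return offenders

def sample_log():
    """Constructed sample: one burst client, one slow client, one reader."""
    tpl = '{} - - [19/Sep/2014:07:{:02d}:{:02d} -0400] "{} HTTP/1.0" {} 470 "-" "-"'
    burst = [tpl.format("192.0.2.10", 33, 10 + i, "POST /xmlrpc.php", 403)
             for i in range(6)]   # six POSTs, one second apart
    slow = [tpl.format("198.51.100.7", 40 + i // 2, 30 * (i % 2),
                       "POST /xmlrpc.php", 403)
            for i in range(5)]    # five POSTs, thirty seconds apart
    reads = [tpl.format("203.0.113.5", 33, 10 + i, "GET /index.html", 200)
             for i in range(8)]   # ordinary page views, never counted
    return burst + slow + reads

if __name__ == "__main__":
    for ip, when in find_offenders(sample_log()).items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
```

The reported addresses can then be handed to whatever blocking mechanism is in use; the slow client in the sample shows how the window length decides whether a low-rate sender is caught.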