OT? -- Banning IP's making high volume of bad requests

Myles Braithwaite me-qIX3qoPyADtH8hdXm2+x1laTQe2KTcn/ at public.gmane.org
Fri Sep 19 13:20:40 UTC 2014


The easiest option is to add the IP address to your `/etc/hosts.deny` file. This will block them from accessing your server indefinitely (so check and make sure they aren't coming from a public access point that your users are likely to use).

> On Sep 19, 2014, at 7:44 AM, Matt Price <moptop99-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> 
> Hi folks,
> 
> Earlier this week the Ubuntu server my courses run on was compromised
> and started spamming.  I have done some hardening and among
> other things installed fail2ban and logwatch, then put the server back
> up yesterday afternoon.
> 
> This morning I woke up to see hundreds of thousands of requests from
> 2 IPs to a web page that has a known exploit.  Here is a log entry:
> 
> 195.154.136.19 - - [19/Sep/2014:07:33:10 -0400] "POST /xmlrpc.php
> HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT
> 6.0)"
> 
> I would like to tell fail2ban to block these IPs when this happens --
> they aren't doing any damage yet but they account for most of my
> bandwidth right now and I would rather they not keep me on their 'easy
> targets' list.  Does anyone know how to do this -- if not with
> fail2ban then with some other tool?
> 
> Thanks,
> 
> Matt
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
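
The threshold check asked about above, as an added example that is not part of the original thread: it counts POST requests to /xmlrpc.php per client address in a sliding time window over Apache access-log lines and returns the addresses that reach the limit, which can then be reviewed before blocking. The function names, the thresholds and the sample log lines (documentation-range addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client IP, timestamp, request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def find_offenders(lines, path="/xmlrpc.php", max_hits=5, window_seconds=60):
    """Return {ip: peak_hits} for clients with at least max_hits POSTs to
    `path` inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore the query string so /xmlrpc.php?x=1 is counted too.
        if m["path"].split("?", 1)[0] != path:
            continue
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT)
        except ValueError:
            continue              # malformed timestamp: skip the line
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop hits that fell out of the window
        if len(hits) >= max_hits:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(hits))
    return offenders

def _line(ip, second, request="POST /xmlrpc.php HTTP/1.0", status=403):
    # Constructed sample entry in the same layout as the log line quoted above.
    ts = datetime(2014, 9, 19, 7, 33, 0) + timedelta(seconds=second)
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} -0400] "{request}" {status} 470 '
            '"-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"')

# Constructed input: documentation-range addresses, not taken from the thread.
SAMPLE = (
    [_line("203.0.113.7", s) for s in range(8)]             # 8 POSTs in 8 s
    + [_line("198.51.100.4", s * 120) for s in range(6)]    # 6 POSTs, 2 min apart
    + [_line("192.0.2.9", s, "GET /index.php HTTP/1.1", 200) for s in range(20)]
    + ["not a log line"]
)

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```
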