OT? -- Banning IP's making high volume of bad requests

David Thornton northdot9-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Sep 19 13:57:10 UTC 2014


I think you guys are missing the point. He wants to tell fail2ban: if IP x
asks for URL y, ban it on the firewall.

I googled "fail2ban http request to firewall" and got a direct hit, you
sunk my battleship.

http://serverfault.com/questions/416926/automatically-block-ip-who-requests-certain-url

David

On Fri, Sep 19, 2014 at 9:20 AM, Myles Braithwaite <me-qIX3qoPyADtH8hdXm2+x1laTQe2KTcn/@public.gmane.org>
wrote:

> The easiest option is to add the IP address to your `/etc/hosts.deny` file.
> This will block them from accessing your server indefinitely (so check and
> make sure they aren't coming from a public access point that your users are
> likely to use).
>
> > On Sep 19, 2014, at 7:44 AM, Matt Price <moptop99-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> >
> > Hi folks,
> >
> > Earlier this week the ubuntu server my courses run on was compromised
> > and started spamming.  I have done some hardening and among
> > other things installed fail2ban and logwatch, then put the server back
> > up yesterday afternoon.
> >
> > This morning I woke up to see hundreds of thousands of requests from
> > 2 IPs to a web page that has a known exploit.  Here is a log entry:
> >
> > 195.154.136.19 - - [19/Sep/2014:07:33:10 -0400] "POST /xmlrpc.php
> > HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT
> > 6.0)"
> >
> > I would like to tell fail2ban to block these IPs when this happens --
> > they aren't doing any damage yet but they account for most of my
> > bandwidth right now and I would rather they not keep me on their 'easy
> > targets' list.  Does anyone know how to do this -- if not with
> > fail2ban then with some other tool?
> >
> > Thanks,
> >
> > Matt
> > --
> > The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> > TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> > How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
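The matching rule discussed in this thread (ban an IP that keeps requesting one URL), as an added example that is not part of the original messages and is not fail2ban's own code. It reads Apache access-log lines in the format Matt quoted and reports which clients crossed a threshold; the parameter names maxretry and findtime are borrowed from fail2ban's jail options for familiarity, and the function name, sample IPs (documentation ranges) and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache access-log prefix: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} '
)

def ban_candidates(lines, path="/xmlrpc.php", maxretry=3, findtime=60):
    """Return IPs that POST to `path` at least `maxretry` times within
    `findtime` seconds, in the order they first cross the threshold."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare without the query string so "?x=1" cannot dodge the match.
        if m["path"].split("?", 1)[0] != path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = hits[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop hits that fell out of the time window
        if len(q) >= maxretry and m["ip"] not in banned:
            banned.append(m["ip"])
    return banned

def _line(ip, hms, request, status):
    # Builds a constructed log line in the same layout as the entry quoted above.
    return (f'{ip} - - [19/Sep/2014:{hms} -0400] "{request} HTTP/1.0" '
            f'{status} 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"')

SAMPLE_LOG = [  # constructed sample data, not real traffic
    _line("198.51.100.7", "07:33:10", "POST /xmlrpc.php", 403),
    _line("198.51.100.7", "07:33:11", "POST /xmlrpc.php?rsd", 403),
    _line("198.51.100.7", "07:33:12", "POST /xmlrpc.php", 403),
    _line("192.0.2.10", "07:34:00", "GET /index.php", 200),
    _line("192.0.2.10", "07:34:05", "POST /xmlrpc.php", 403),
    _line("203.0.113.5", "07:40:00", "POST /xmlrpc.php", 403),
    _line("203.0.113.5", "07:45:00", "POST /xmlrpc.php", 403),
    _line("203.0.113.5", "07:50:00", "POST /xmlrpc.php", 403),
]

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG))
```

The function only reports addresses; feeding them to the firewall, and exempting addresses your own users share, is left to whatever tool enforces the ban.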