Fwd:OT? -- Banning IP's making high volume of bad requests

Matt Price moptop99-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Sep 19 15:35:50 UTC 2014


Thanks Everyone.  David, that's exactly right.  The regex at that site
didn't work for me but I have cobbled together something that at least
seems to work (for future readers):

failregex = ^.+\[access_compat:error\].+\[client <HOST>(:\d{1,5})?\] AH01797: client denied by server configuration

This matches the apache error logs:

[Fri Sep 19 11:08:21.508051 2014] [access_compat:error] [pid 14436] [client 93.158.202.49:50774] AH01797: client denied by server configuration: /var/www/2014.hackinghistory.ca/xmlrpc.php

fail2ban is now banning those hosts in the appropriate way.  I think
it could be prettier but works for now.
Phew, thank you.

m
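To see what the failregex above actually captures, here is an added example (not from the thread or from fail2ban itself) that expands the `<HOST>` placeholder the way fail2ban does and runs the resulting pattern over a few log lines: the error-log entry quoted above, a constructed repeat from the same client, a constructed unrelated Apache error, and the access-log line from the original mail. The exact `<HOST>` expansion is an assumption taken from fail2ban 0.8/0.9; the `maxretry` counting is a simplified imitation of the jail's behaviour and ignores `findtime`.

```python
import re
from collections import Counter

# fail2ban replaces the <HOST> placeholder with a named group before compiling.
# This expansion is the classic one from fail2ban 0.8/0.9 (an assumption about
# the exact form; later versions use a richer one, the principle is the same).
HOST_PATTERN = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The failregex from the thread, as one line
FAILREGEX = (
    r"^.+\[access_compat:error\].+\[client <HOST>(:\d{1,5})?\] "
    r"AH01797: client denied by server configuration"
)

# Constructed sample input: line 1 is the error-log entry quoted in the thread,
# line 2 a constructed repeat from the same client on another port, line 3 a
# constructed AH00128 "File does not exist" error that must not match, and
# line 4 the access-log line from the original mail, which is a different log
# format and must not match this (error-log) filter either.
SAMPLE_LINES = [
    "[Fri Sep 19 11:08:21.508051 2014] [access_compat:error] [pid 14436] "
    "[client 93.158.202.49:50774] AH01797: client denied by server "
    "configuration: /var/www/2014.hackinghistory.ca/xmlrpc.php",
    "[Fri Sep 19 11:08:22.101234 2014] [access_compat:error] [pid 14437] "
    "[client 93.158.202.49:50790] AH01797: client denied by server "
    "configuration: /var/www/2014.hackinghistory.ca/xmlrpc.php",
    "[Fri Sep 19 11:09:02.000001 2014] [core:info] [pid 14438] "
    "[client 10.0.0.5:40000] AH00128: File does not exist: /var/www/favicon.ico",
    '195.154.136.19 - - [19/Sep/2014:07:33:10 -0400] "POST /xmlrpc.php HTTP/1.0" '
    '403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"',
]


def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def matching_hosts(lines, failregex: str = FAILREGEX) -> list:
    """Return the host captured from every line the failregex matches, in order."""
    pattern = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = pattern.search(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


def hosts_over_threshold(lines, maxretry: int, failregex: str = FAILREGEX) -> dict:
    """Count matches per host and keep those that reached maxretry.

    Simplified imitation of the jail: findtime is ignored, since applying it
    needs the timestamps that the filter's datepattern extracts.
    """
    counts = Counter(matching_hosts(lines, failregex))
    return {host: n for host, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    print(matching_hosts(SAMPLE_LINES))
    print(hosts_over_threshold(SAMPLE_LINES, maxretry=2))
```

Only the two AH01797 lines match, and only 93.158.202.49 is reported; the access-log line is a reminder that this filter must be pointed at Apache's error log, not the access log. Once the filter is saved as a fail2ban filter file, fail2ban's own `fail2ban-regex` tool does the same check against a real log file, e.g. `fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-xmlrpc.conf` (the filter filename here is hypothetical).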

---------- Forwarded message ----------
From: David Thornton <northdot9-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Date: Fri, Sep 19, 2014 at 9:57 AM
Subject: Re: [TLUG]: OT? -- Banning IP's making high volume of bad requests
To: tlug-lxSQFCZeNF4 at public.gmane.org


I think you guys are missing the point. He wants to tell fail2ban: if
ip x asks for url y, ban it on the firewall.

I googled "fail2ban http request to firewall" and got a direct hit,
you sunk my battleship.

http://serverfault.com/questions/416926/automatically-block-ip-who-requests-certain-url

David

On Fri, Sep 19, 2014 at 9:20 AM, Myles Braithwaite
<me-qIX3qoPyADtH8hdXm2+x1laTQe2KTcn/@public.gmane.org> wrote:
>
> The easiest option is to add the IP address to your `/etc/hosts.deny` file. This will block them from accessing your server indefinitely (so check and make sure they aren't coming from a public access point that your users are likely to use).
>
> > On Sep 19, 2014, at 7:44 AM, Matt Price <moptop99-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> >
> > Hi folks,
> >
> > Earlier this week the ubuntu server my courses run on was compromised
> > and started spamming.  I have done some hardening and among
> > other things installed fail2ban and logwatch, then put the server back
> > up yesterday afternoon.
> >
> > This morning I woke up to see hundreds of thousands of requests from
> > 2 IPs to a web page that has a known exploit.  Here is a log entry:
> >
> > 195.154.136.19 - - [19/Sep/2014:07:33:10 -0400] "POST /xmlrpc.php
> > HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT
> > 6.0)"
> >
> > I would like to tell fail2ban to block these IP's when this happens --
> > they aren't doing any damage yet but they account for most of my
> > bandwidth right now and I would rather they not keep me on their 'easy
> > targets' list.  Does anyone know how to do this -- if not with
> > fail2ban then with some other tool?
> >
> > Thanks,
> >
> > Matt
> > --
> > The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> > TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> > How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists