OT? -- Banning IP's making high volume of bad requests

Matt Price moptop99-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Sep 19 15:38:32 UTC 2014


...is NOW banning!....

On Fri, Sep 19, 2014 at 11:35 AM, Matt Price <moptop99-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> Thanks Everyone.  David, that's exactly right.  The regex at that site
> didn't work for me but I have cobbled together something that at least
> seems to work (for future readers):
>
> failregex = ^.+\[access_compat:error\].+\[client <HOST>(:\d{1,5})?\]
> AH01797: client denied by server configuration
>
> This matches the apache error logs:
>
> [Fri Sep 19 11:08:21.508051 2014] [access_compat:error] [pid 14436]
> [client 93.158.202.49:50774] AH01797: client denied by server
> configuration: /var/www/2014.hackinghistory.ca/xmlrpc.php
>
> fail2ban is not banning those hosts in the appropriate way.  I think
> it could be prettier but works for now.
> phew, thank you.
>
> m
>
> ---------- Forwarded message ----------
> From: David Thornton <northdot9-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
> Date: Fri, Sep 19, 2014 at 9:57 AM
> Subject: Re: [TLUG]: OT? -- Banning IP's making high volume of bad requests
> To: tlug-lxSQFCZeNF4 at public.gmane.org
>
>
> I think you guys are missing the point. He wants to tell fail2ban: if
> ip x asks for url y ban it on the firewall.
>
> I googled "fail2ban http request to firewall" and got a direct hit,
> you sunk my battleship.
>
> http://serverfault.com/questions/416926/automatically-block-ip-who-requests-certain-url
>
> David
>
> On Fri, Sep 19, 2014 at 9:20 AM, Myles Braithwaite
> <me-qIX3qoPyADtH8hdXm2+x1laTQe2KTcn/@public.gmane.org> wrote:
>>
>> The easiest option is to add the IP address to your `/etc/hosts.deny` file. This will block them from accessing your server indefinitely (so check and make sure they aren't coming from a public access point that your users are likely to use).
>>
>> > On Sep 19, 2014, at 7:44 AM, Matt Price <moptop99-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
>> >
>> > Hi folks,
>> >
>> > Earlier this week the Ubuntu server my courses run on was compromised
>> > and started spamming.  I have done some hardening and among
>> > other things installed fail2ban and logwatch, then put the server back
>> > up yesterday afternoon.
>> >
>> > This morning I woke up to see hundreds of thousands of requests from
>> > 2 IPs to a web page that has a known exploit.  Here is a log entry:
>> >
>> > 195.154.136.19 - - [19/Sep/2014:07:33:10 -0400] "POST /xmlrpc.php
>> > HTTP/1.0" 403 470 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT
>> > 6.0)"
>> >
>> > I would like to tell fail2ban to block these IP's when this happens --
>> > they aren't doing any damage yet but they account for most of my
>> > bandwidth right now and I would rather they not keep me on their 'easy
>> > targets' list.  Does anyone know how to do this -- if not with
>> > fail2ban then with some other tool?
>> >
>> > Thanks,
>> >
>> > Matt
>> > --
>> > The Toronto Linux Users Group.      Meetings: http://gtalug.org/
>> > TLUG requests: Linux topics, No HTML, wrap text below 80 columns
>> > How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
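A quick way to check a failregex like the one posted above against sample log lines before loading it into a jail, written here in Python as an added example (not code from the thread or from fail2ban); it assumes an IPv4-only stand-in for fail2ban's real <HOST> substitution, a constructed document root path, and ignores findtime.

```python
import re
from collections import Counter

# The failregex as posted in the thread (fail2ban syntax, with its <HOST> placeholder).
FAILREGEX = (r"^.+\[access_compat:error\].+\[client <HOST>(:\d{1,5})?\] "
             r"AH01797: client denied by server configuration")

# fail2ban replaces <HOST> with its own host/IP pattern; this IPv4-only stand-in is an
# assumption for the demo, not fail2ban's actual substitution.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(failregex: str) -> "re.Pattern[str]":
    """Turn a fail2ban-style failregex into a plain Python regex."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))

def count_failures(lines, failregex=FAILREGEX):
    """Count matching lines per offending host (the group fail2ban calls <HOST>)."""
    rx = compile_failregex(failregex)
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits

def hosts_to_ban(lines, maxretry=3, failregex=FAILREGEX):
    """Hosts that would trip a jail with this maxretry (findtime is ignored here)."""
    return sorted(h for h, n in count_failures(lines, failregex).items() if n >= maxretry)

# Constructed sample lines in the Apache 2.4 error-log format quoted in the thread.
SAMPLE_LOG = [
    "[Fri Sep 19 11:08:21.508051 2014] [access_compat:error] [pid 14436] "
    "[client 93.158.202.49:50774] AH01797: client denied by server configuration: "
    "/var/www/example/xmlrpc.php",
    "[Fri Sep 19 11:08:22.101004 2014] [access_compat:error] [pid 14436] "
    "[client 93.158.202.49:50775] AH01797: client denied by server configuration: "
    "/var/www/example/xmlrpc.php",
    "[Fri Sep 19 11:08:23.000000 2014] [access_compat:error] [pid 14437] "
    "[client 93.158.202.49:50776] AH01797: client denied by server configuration: "
    "/var/www/example/xmlrpc.php",
    # One denial from another address: below maxretry, so it is not banned.
    "[Fri Sep 19 11:09:00.000000 2014] [access_compat:error] [pid 14438] "
    "[client 10.0.0.7:40000] AH01797: client denied by server configuration: "
    "/var/www/example/xmlrpc.php",
    # A line from a different module: must not match at all.
    "[Fri Sep 19 11:09:01.000000 2014] [core:notice] [pid 14436] "
    "AH00094: Command line: '/usr/sbin/apache2'",
]

if __name__ == "__main__":
    print(count_failures(SAMPLE_LOG))   # Counter({'93.158.202.49': 3, '10.0.0.7': 1})
    print(hosts_to_ban(SAMPLE_LOG))     # ['93.158.202.49']
```

fail2ban itself ships `fail2ban-regex <logfile> <filter>` for the same check against the real error log and its real <HOST> pattern.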