OT? -- Banning IP's making high volume of bad requests
Kevin Cozens
kevin-4dS5u2o1hCn3fQ9qLvQP4Q at public.gmane.org
Fri Sep 19 16:04:27 UTC 2014
On 19/09/2014 7:44 AM, Matt Price wrote:
> This morning I woke up to see hundreds of thousands of requests from
> 2 IPs to a web page that has a known exploit. Here is a log entry:
[snip]
> I would like to tell fail2ban to block these IPs when this happens --
> they aren't doing any damage yet but they account for most of my
> bandwidth right now and I would rather they not keep me on their 'easy
> targets' list. Does anyone know how to do this -- if not with
> fail2ban then with some other tool?
If fail2ban isn't banning the IPs automatically I can't think of another
tool that would do the job. One option would be to use the Apache error page
URLs to have a PHP based page come up which could add the offending IP to
the firewall with a DROP rule.

When I have had to do this in the past I have added a static route to a
non-existent IP address. Later I added the IP to hosts.deny. These days I
would add a rule in iptables to drop traffic from the offending IP address.
--
Cheers!
Kevin.
http://www.ve3syb.ca/ |"Nerds make the shiny things that distract
Owner of Elecraft K2 #2172 | the mouth-breathers, and that's why we're
| powerful!"
#include <disclaimer/favourite> | --Chris Hardwick
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
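
Added example, not part of the original message or of fail2ban: a small Python sketch of the approach discussed above, which counts requests per client for one path in an Apache access log and renders an iptables DROP rule for each client over a threshold. The log lines, the path /placeholder-page.php, and the threshold and window values are constructed assumptions; the rules are only returned as text, not applied.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" ')

def find_offenders(lines, path_prefix, max_hits=3, window=timedelta(seconds=60)):
    """Return clients that requested path_prefix more than max_hits times
    inside one sliding window, in the order they crossed the threshold."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(path_prefix):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])   # reject hostnames and junk
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:             # expire hits outside the window
            hits.popleft()
        if len(hits) > max_hits and ip not in offenders:
            offenders.append(ip)
    return offenders

def drop_rules(offenders):
    """Render one DROP rule per validated address; IPv6 needs ip6tables."""
    return [f"{'iptables' if ip.version == 4 else 'ip6tables'} "
            f"-I INPUT -s {ip} -j DROP" for ip in offenders]

# Constructed sample log: documentation addresses and a placeholder path.
SAMPLE = [
    f'203.0.113.7 - - [19/Sep/2014:07:00:{s:02d} +0000] '
    '"GET /placeholder-page.php?x=1 HTTP/1.1" 404 210'
    for s in range(0, 10, 2)
] + [
    '198.51.100.4 - - [19/Sep/2014:07:00:03 +0000] "GET /placeholder-page.php HTTP/1.1" 404 210',
    '198.51.100.4 - - [19/Sep/2014:07:05:03 +0000] "GET /index.html HTTP/1.1" 200 512',
    'not a log line',
]

if __name__ == "__main__":
    print("\n".join(drop_rules(find_offenders(SAMPLE, "/placeholder-page.php"))))
```

The client field is parsed with ipaddress before it is placed in a rule, so a malformed or hostile log value never reaches the firewall command line.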