I use fail2ban on two of my servers. Very nice app. Can ban a "suspect" IP from accessing the service for a period of time e.g. 5 min, 24 hours, etc. And you can also automate permanently banning the IP by adding the rule to iptables.
But then a legitimate customer hitting your website using the wrong
URL (404s) will be booted. Worse, if you have a dead link and a
customer clicks it N times, they get booted too. Mayhaps the best
thing to do here would be to create a list of known bad URLs (You
don't host phpmyadmin... do you?) and regexp match them. Assuming that
a customer who's trying to access phpmyadmin is up to no good... As
Wash said, Fail2ban is your friend here.
On Mon, Jan 7, 2013 at 3:48 PM, Odhiambo Washington <odhiambo@gmail.com> wrote:
> @Karunyu,
>
> So who is a Script Kiddie?
>
> Methinks it's wrong to call others that name if you cannot write the good
> scripts <LOL>
>
> Anyway, I can suggest you use fail2ban - I haven't used it, but from what
> I've cursorily read, it's trivial to set up to look at your log and add the
> IPs to a firewall listing. I guess it uses some regexps crafted from values
> it can glean from a log file.
> Again, I haven't read so much about it, but try it out.
>
>
> On Mon, Jan 7, 2013 at 4:30 PM, Peter Karunyu <pkarunyu@gmail.com> wrote:
>>
>> Good people, I seek enlightenment on the following issue:
>>
>> I have a Linux server hosting a LAMP app which is accessed by a controlled
>> group of users.
>>
>> I am using an aggressive version of the 5G htaccess based application
>> level firewall from http://perishablepress.com/5g-blacklist-2012/.
>>
>> Every so often, I check the Apache error logs and there are these IP
>> addresses attempting to access non-existent URLs on the server. I assume
>> these are script kiddies, no?
>>
>> So, I would like to write a script or something which will automatically
>> block an IP address from accessing my server if the said IP address accesses
>> more than 3 non-existent URLs on my server.
>>
>> Can someone please point me in the right direction?
>>
>> Examples of URLs being accessed are:
>> 3 [Sun Jan 06 08:02:11 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
>> 4 [Sun Jan 06 11:53:23 2013] [error] [client 218.107.247.254] client denied by server configuration: /var/www/
>> 5 [Sun Jan 06 22:37:31 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
>> 6 [Sun Jan 06 22:37:31 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/phpMyAdmin
>> 7 [Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/phpmyadmin
>> 8 [Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/pma
>> 9 [Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/myadmin
>> 10 [Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/MyAdmin
>> 11 [Mon Jan 07 07:47:44 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
>> 12 [Mon Jan 07 08:37:14 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
>> 26 [Thu Jan 03 21:30:13 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/install.txt
>> 27 [Thu Jan 03 21:30:13 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/cart
>> 28 [Thu Jan 03 21:30:13 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/zencart
>> 29 [Thu Jan 03 21:30:13 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/zen-cart
>> 30 [Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/zen
>> 31 [Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/shop
>> 32 [Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/butik
>> 33 [Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/zcart
>> 34 [Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/shop2
>> 35 [Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/catalog
>> 36 [Thu Jan 03 21:30:15 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/boutique
>> 37 [Thu Jan 03 21:30:15 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/store
>> 38 [Fri Jan 04 01:39:34 2013] [error] [client 69.61.23.106] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
>> 39 [Fri Jan 04 01:39:34 2013] [error] [client 69.61.23.106] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
>> 40 [Fri Jan 04 02:05:48 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
>> 43 [Sat Jan 05 02:15:25 2013] [error] [client 62.193.243.32] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
>> 44 [Sat Jan 05 02:15:25 2013] [error] [client 62.193.243.32] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
>> 45 [Sat Jan 05 05:06:04 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
>> 47 [Sun Jan 06 02:32:21 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/muieblackcat
>> 48 [Sun Jan 06 02:32:22 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/index.php
>> 49 [Sun Jan 06 02:32:22 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/admin
>> 50 [Sun Jan 06 02:32:22 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/admin
>> 51 [Sun Jan 06 02:32:22 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/admin
>> 52 [Sun Jan 06 02:32:23 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/db
>> 53 [Sun Jan 06 02:32:23 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/dbadmin
>> 54 [Sun Jan 06 02:32:23 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/myadmin
>> 55 [Sun Jan 06 02:32:23 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/mysql
>> 56 [Sun Jan 06 02:32:24 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/mysqladmin
>> 57 [Sun Jan 06 02:32:24 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/typo3
>> 58 [Sun Jan 06 02:32:24 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/phpadmin
>> 59 [Sun Jan 06 02:32:24 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/phpMyAdmin
>> 60 [Sun Jan 06 02:32:25 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/phpmyadmin
>> 61 [Sun Jan 06 02:32:25 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/phpmyadmin1
>> 62 [Sun Jan 06 02:32:25 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/phpmyadmin2
>> 63 [Sun Jan 06 02:32:25 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/pma
>>
>>
>> _______________________________________________
>> skunkworks mailing list
>> skunkworks@lists.my.co.ke
>> ------------
>> List info, subscribe/unsubscribe
>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>> ------------
>>
>> Skunkworks Rules
>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>> ------------
>> Other services @ http://my.co.ke
>
>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254733744121/+254722743223
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> I can't hear you -- I'm using the scrambler.
>
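A worked version of the log-counting script Peter asks for, added here as an example and not code from anyone in the thread. It parses the Apache 2.2 error-log format quoted above, flags an IP outright for a known-bad path (the phpmyadmin/w00tw00t regexp idea from the reply; the path list is an assumption) and otherwise only when it produces more than 3 denied requests inside a 24-hour window, so a customer who keeps hitting one dead link over several days is left alone. The sample log lines are constructed from entries quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2 error-log line as shown in the thread (wrapped lines rejoined).
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                     r"(?P<msg>.*?): (?P<path>\S+)$")
# Paths no legitimate user of this app requests (assumed list): one hit is enough.
KNOWN_BAD_RE = re.compile(r"^(?:/var/www)?/(?:phpmyadmin\d*|pma|myadmin|mysqladmin|w00tw00t\.)",
                          re.IGNORECASE)
# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE_LOG = [
    "[Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/phpMyAdmin",
    "[Thu Jan 03 21:30:13 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/cart",
    "[Thu Jan 03 21:30:13 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/zencart",
    "[Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/shop",
    "[Thu Jan 03 21:30:15 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/store",
    "[Fri Jan 04 02:05:48 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers",
    "[Sat Jan 05 05:06:04 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers",
    "[Sun Jan 06 08:02:11 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers",
    "[Mon Jan 07 07:47:44 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers",
]

def parse_line(line):
    """Return (timestamp, ip, path), or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"], m["path"]

def find_offenders(lines, threshold=3, window=timedelta(hours=24)):
    """Map IP -> reason for clients to ban: a known-bad path, or more than `threshold`
    denied requests inside `window`. A few 404s spread over days stay below the bar."""
    hits, reasons = defaultdict(list), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        if KNOWN_BAD_RE.match(path):
            reasons.setdefault(ip, f"known-bad path {path}")
        hits[ip].append(ts)
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - threshold):  # threshold+1 hits, all inside window?
            if times[i + threshold] - times[i] <= window:
                reasons.setdefault(ip, f"more than {threshold} denied requests in {window}")
                break
    return reasons
```

In production read the live error_log instead of SAMPLE_LOG and hand the returned IPs to fail2ban or an iptables rule; the reason string gives you something to review before a permanent ban.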