
@Brian, thanks! I will definitely give it a try.
On Mon, Jan 7, 2013 at 5:18 PM, Brian Ngure <brian@pixie.co.ke> wrote:
I use fail2ban on two of my servers. Very nice app. Can ban a "suspect" IP from accessing the service for a period of time e.g. 5 min, 24 hours, etc. And you can also automate permanently banning the IP by adding the rule to iptables.
On Mon, Jan 7, 2013 at 5:01 PM, Laban Mwangi <lmwangi@gmail.com> wrote:
But then a legitimate customer hitting your website using the wrong url (404s) will be booted. Worse, if you have a dead link and a customer clicks it N times, they get booted too. Mayhaps the best thing to do here would be to create a list of known bad urls (You don't host phpmyadmin... do you?) and regexp match them. Assuming that a customer who's trying to access phpmyadmin is up to no good... As Wash said, Fail2ban is your friend here.
On Mon, Jan 7, 2013 at 3:48 PM, Odhiambo Washington <odhiambo@gmail.com> wrote:
@Karunyu,
So who is a Script Kiddie?
Methinks it's wrong to call others that name if you cannot write the good scripts <LOL>
Anyway, I can suggest you use fail2ban - I haven't used it, but from what I've cursorily read, it's trivial to set up to look at your log and add the IPs to a firewall listing. I guess it uses some regexps crafted from values it can glean from a log file. Again, I haven't read so much about it, but try it out.
On Mon, Jan 7, 2013 at 4:30 PM, Peter Karunyu <pkarunyu@gmail.com> wrote:
Good people, I seek enlightenment on the following issue:
I have a Linux server hosting a LAMP app which is accessed by a controlled group of users.
I am using an aggressive version of the 5G htaccess based application level firewall from http://perishablepress.com/5g-blacklist-2012/.
Every so often, I check the Apache error logs and there are these IP addresses attempting to access non-existent URLs on the server. I assume these are script kiddies, no?
So, I would like to write a script or something which will automatically block an IP address from accessing my server if the said IP address accesses more than 3 non-existent URLs on my server.
Can someone please point me in the right direction?
Examples of URLs being accessed are:
[Sun Jan 06 08:02:11 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
[Sun Jan 06 11:53:23 2013] [error] [client 218.107.247.254] client denied by server configuration: /var/www/
[Sun Jan 06 22:37:31 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sun Jan 06 22:37:31 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/phpMyAdmin
[Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/phpmyadmin
[Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/pma
[Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/myadmin
[Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/MyAdmin
[Mon Jan 07 07:47:44 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
[Mon Jan 07 08:37:14 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
[Thu Jan 03 21:30:13 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/install.txt
[Thu Jan 03 21:30:13 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/cart
[Thu Jan 03 21:30:13 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/zencart
[Thu Jan 03 21:30:13 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/zen-cart
[Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/zen
[Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/shop
[Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/butik
[Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/zcart
[Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/shop2
[Thu Jan 03 21:30:14 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/catalog
[Thu Jan 03 21:30:15 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/boutique
[Thu Jan 03 21:30:15 2013] [error] [client 64.34.163.23] client denied by server configuration: /var/www/store
[Fri Jan 04 01:39:34 2013] [error] [client 69.61.23.106] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Fri Jan 04 01:39:34 2013] [error] [client 69.61.23.106] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Fri Jan 04 02:05:48 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
[Sat Jan 05 02:15:25 2013] [error] [client 62.193.243.32] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sat Jan 05 02:15:25 2013] [error] [client 62.193.243.32] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sat Jan 05 05:06:04 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
[Sun Jan 06 02:32:21 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/muieblackcat
[Sun Jan 06 02:32:22 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/index.php
[Sun Jan 06 02:32:22 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/admin
[Sun Jan 06 02:32:22 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/admin
[Sun Jan 06 02:32:22 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/admin
[Sun Jan 06 02:32:23 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/db
[Sun Jan 06 02:32:23 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/dbadmin
[Sun Jan 06 02:32:23 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/myadmin
[Sun Jan 06 02:32:23 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/mysql
[Sun Jan 06 02:32:24 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/mysqladmin
[Sun Jan 06 02:32:24 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/typo3
[Sun Jan 06 02:32:24 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/phpadmin
[Sun Jan 06 02:32:24 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/phpMyAdmin
[Sun Jan 06 02:32:25 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/phpmyadmin
[Sun Jan 06 02:32:25 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/phpmyadmin1
[Sun Jan 06 02:32:25 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/phpmyadmin2
[Sun Jan 06 02:32:25 2013] [error] [client 87.106.183.231] client denied by server configuration: /var/www/pma
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
-- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ I can't hear you -- I'm using the scrambler.
-- Regards
Brian Ngure
-- Regards, Peter Karunyu -------------------
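
The two blocking rules discussed in this thread (ban after more than 3 rejected requests, versus ban only on a match against a list of known-bad URLs), run over lines copied from the quoted error log. This is an added example, not part of any poster's message; the pattern list and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Apache 2.2 error_log layout, as seen in the log excerpt quoted in the thread.
LINE_RE = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (?P<ip>[0-9.]+)\] (?P<msg>[^:]+): (?P<path>\S+)$"
)
# Assumption: illustrative "known bad" list built from probes seen in that excerpt.
BAD_URL_RE = re.compile(
    r"/(?:(?:phpmyadmin\d*|pma|myadmin|mysqladmin|dbadmin)/?$|w00tw00t\.|muieblackcat)",
    re.IGNORECASE,
)

# Lines copied from the log excerpt in the original post.
SAMPLE = """\
[Sun Jan 06 08:02:11 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
[Mon Jan 07 07:47:44 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
[Mon Jan 07 08:37:14 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
[Fri Jan 04 02:05:48 2013] [error] [client 96.254.171.2] client denied by server configuration: /var/www/headers
[Sun Jan 06 11:53:23 2013] [error] [client 218.107.247.254] client denied by server configuration: /var/www/
[Sun Jan 06 22:37:31 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sun Jan 06 22:37:31 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/phpMyAdmin
[Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/phpmyadmin
[Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/pma
[Sun Jan 06 22:37:32 2013] [error] [client 77.221.148.82] client denied by server configuration: /var/www/myadmin
[Fri Jan 04 01:39:34 2013] [error] [client 69.61.23.106] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
""".splitlines()

def parse(lines):
    """Yield (ip, path) for each error line that matches the expected layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["path"]

def count_offenders(lines, limit=3):
    """Rule from the question: any IP with more than `limit` rejected requests."""
    hits = Counter(ip for ip, _ in parse(lines))
    return {ip for ip, n in hits.items() if n > limit}

def known_bad_offenders(lines):
    """Refinement from the reply: only IPs that requested a known-bad URL."""
    return {ip for ip, path in parse(lines) if BAD_URL_RE.search(path)}

if __name__ == "__main__":
    print("count rule:    ", sorted(count_offenders(SAMPLE)))
    print("known-bad rule:", sorted(known_bad_offenders(SAMPLE)))
```

On these lines the count rule flags 96.254.171.2, which only ever requested /var/www/headers, and misses 69.61.23.106, which sent a single scanner probe; the known-bad rule does the opposite for both.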