On one of my servers, gifts like these started showing up:
error.log
[Mon Apr 29 20:17:54 2013] [error] [client 50.63.136.60] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.test0:)
access.log
50.63.136.60 - - [29/Apr/2013:20:17:54 +0200] "GET /w00tw00t.at.ISC.SANS.test0:) HTTP/1.1" 400 523 "-" "-"
Let's count them:
# grep "w00tw00t.at.ISC.SANS" /var/log/apache2/access.log | awk '{ print $1}' | sort | uniq -c
1 42.121.99.77
85 50.63.136.60
3 81.161.248.17
1 87.98.227.69
3 94.23.26.88
This is a greeting from DFind Scanner and the script kiddies who run it.
Well, Fail2ban will help us here.
I use UFW, so:
action.d/ufw-all.conf
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip>
actionunban = ufw delete deny from <ip>
And the banhammer itself:
jail.conf
[apache-w00tw00t]
enabled = true
port = http,https
filter = apache-w00tw00t
logpath = /var/log/apache*/*error.log
maxretry = 3
bantime = 86400
filter.d/apache-w00tw00t.conf
[Definition]
failregex = [[]client <HOST>[]] .*w00tw00t.at.ISC.SANS..*
ignoreregex =
And let's check it:
# fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-w00tw00t.conf
...
Success, the total number of match is 98
...
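To see what the filter and jail above actually decide, here is an added example (my own illustration, not code from this post and not fail2ban's own implementation) that replays the same logic in Python: it expands the `<HOST>` tag the way fail2ban 0.8 does, runs the failregex over a few constructed Apache 2.2 error.log lines (the first one is the real line from above, the rest are made up, with 198.51.100.7 as a constructed address), applies the jail's maxretry = 3 within fail2ban's default findtime of 600 seconds (the jail does not set findtime, so the default is an assumption here), and renders the ufw-all action for each banned address by substituting `<ip>`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex from filter.d/apache-w00tw00t.conf, in fail2ban's own syntax.
FAILREGEX = r"[[]client <HOST>[]] .*w00tw00t.at.ISC.SANS..*"

# fail2ban substitutes <HOST> with a named group; this is the 0.8-era expansion.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Apache 2.2 error.log timestamp, e.g. "Mon Apr 29 20:17:54 2013".
APACHE_TS = "%a %b %d %H:%M:%S %Y"

# The two action lines from action.d/ufw-all.conf.
ACTIONBAN = "ufw insert 1 deny from <ip>"
ACTIONUNBAN = "ufw delete deny from <ip>"

# Constructed sample log: the first line is the real one from the post,
# the others are made up (198.51.100.7 is a documentation-range address).
SAMPLE_LOG = [
    "[Mon Apr 29 20:17:54 2013] [error] [client 50.63.136.60] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.test0:)",
    "[Mon Apr 29 20:17:55 2013] [error] [client 50.63.136.60] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.test0:)",
    "[Mon Apr 29 20:17:56 2013] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico",
    "[Mon Apr 29 20:17:57 2013] [error] [client 50.63.136.60] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.test0:)",
    "[Mon Apr 29 21:30:00 2013] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.test0:)",
]


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def parse_line(line, pattern):
    """Return (timestamp, host) if the line matches the failregex, else None."""
    m = pattern.search(line)
    if not m:
        return None
    ts_text = re.match(r"\[([^\]]+)\]", line).group(1)
    return datetime.strptime(ts_text, APACHE_TS), m.group("host")


def hosts_to_ban(lines, failregex=FAILREGEX, maxretry=3, findtime=600):
    """Replicate the jail's decision: a host is banned once it has at least
    `maxretry` matching lines inside a sliding window of `findtime` seconds.
    Returns the banned hosts in the order they crossed the threshold."""
    pattern = compile_failregex(failregex)
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_line(line, pattern)
        if parsed is None or parsed[1] in banned:
            continue
        ts, host = parsed
        # Keep only the hits that are still inside the findtime window.
        hits[host] = [t for t in hits[host] if ts - t <= window] + [ts]
        if len(hits[host]) >= maxretry:
            banned.append(host)
    return banned


def ufw_commands(host):
    """Render the ufw-all ban and unban commands for one host, as fail2ban
    does by substituting the <ip> tag."""
    return ACTIONBAN.replace("<ip>", host), ACTIONUNBAN.replace("<ip>", host)


if __name__ == "__main__":
    for host in hosts_to_ban(SAMPLE_LOG):
        ban, unban = ufw_commands(host)
        print(f"{host}: {ban}  (later: {unban})")
```

With the sample log, only 50.63.136.60 reaches three matches inside ten minutes; the "File does not exist" line never matches the failregex, and the single w00tw00t hit from 198.51.100.7 stays below maxretry, so it is logged but not banned.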
Restart:
# /etc/init.d/fail2ban restart
And that seems to be all.