Have you seen this <http://169.229.3.91/>? Up to you if you believe it.
On 08/07/2016 14:13, Mitchell Krog wrote:
> Hi all
>
> I have been noting the following sequence in my nginx logs.
>
> 169.229.3.91 - - [06/Jul/2016:10:26:00 +0200] "\xF1)1\xB0\x0E\xD6\xCEOSb`\xE3E\x90\xE1A\xB3\x7F\x8C\x0B\x02\xBF\x05RN\xD0\x87\x8F%=\x83(\x16\x9A\xDF5\x1D\xC8\x81<\x80l\xC6\xD8\xCD9\xA0\xE9\xDF~\xCEC\xFB\xF0\xCB\xB5\xD2\x85I\xAAVT\x98F" 400 166 "-" "-"
>
> A bit of searching led me to the following info about it:
> https://www.abuseipdb.com/check/169.229.3.91
>
> Nginx generates a 400 error as expected but I would like to be able to
> detect these attempts using Fail2Ban and ban it after X attempts. I
> would think the best place to add this would be in the
> nginx-botsearch.conf or botsearch-common.conf file but I am really not
> good with regex at all and will probably break Fail2Ban in the process.
>
> Anyone have any idea on a regex string to deal with this? Important to
> note the string sent is all back slashes \ not the usual / used in url
> structures and they also pass lots of special characters in the
> string. I DID try myself and came up with this
> "^<HOST> \- \S+ \[.*] \"[\\]+.* " but it does not work (my regex sucks)
>
> Also very important to note is that Nginx records no GET, POST or HEAD
> either.
>
> And here are some other ones I would also like to be able to detect
> and ban.
>
> 192.99.144.140 - - [08/Jul/2016:14:45:19 +0200] "*PROPFIND* /webdav/ HTTP/1.1" 301 178 "-" "WEBDAV Client" PORT:80 0.000 - . "-"
>
> 54.149.78.218 - - [08/Jul/2016:09:38:35 +0200] "*PRI ** HTTP/2.0" 400 166 "-" "-" PORT:80 5.005 - . "-"
>
> Any help?
>
> Kind Regards
> Mitchell
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
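
One way to prototype failregex candidates for the three kinds of log line quoted above and check them for false positives before they go into a filter file. This is an added example, not part of the original thread; the simplified `<HOST>` substitution, the function names and the sample log lines (documentation-range IPs) are constructed for illustration.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only, an assumption);
# fail2ban's own expansion also handles IPv6 and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# [^\]]* also accepts an empty [] in case the timestamp was stripped earlier.
PREFIX = r"^<HOST> - \S+ \[[^\]]*\] "

# Candidate failregex lines, one per behaviour described in the question.
FAILREGEX = [
    # No HTTP method, request contains nginx \xHH escapes, answered with 400.
    PREFIX + r'"(?![A-Z]+ )[^"]*\\x[0-9A-F]{2}[^"]*" 400 ',
    # WebDAV PROPFIND request, any status.
    PREFIX + r'"PROPFIND [^"]*" \d{3} ',
    # HTTP/2 connection preface rejected with 400.
    PREFIX + r'"PRI \* HTTP/2\.0" 400 ',
]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

def match_host(line):
    """Return the client address if any candidate matches, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=3):
    """Hosts with at least maxretry matching lines (models 'ban after X')."""
    hits = Counter(h for h in map(match_host, lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed sample log, modelled on the formats quoted in the message.
TS = "[08/Jul/2016:10:26:00 +0200]"
SAMPLE = [
    rf'192.0.2.10 - - {TS} "\xF1)1\xB0\x0E\xD6OSb" 400 166 "-" "-"',
    rf'192.0.2.10 - - {TS} "\x16\x03\x01\x00\xA5" 400 166 "-" "-"',
    rf'192.0.2.10 - - {TS} "\x05\x01\x00" 400 166 "-" "-"',
    rf'203.0.113.5 - - {TS} "PROPFIND /webdav/ HTTP/1.1" 301 178 "-" "WEBDAV Client"',
    rf'203.0.113.5 - - {TS} "PRI * HTTP/2.0" 400 166 "-" "-"',
    # Ordinary traffic that must not match, including a URL with escaped bytes.
    rf'198.51.100.7 - - {TS} "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    rf'198.51.100.7 - - {TS} "GET /caf\xC3\xA9 HTTP/1.1" 404 169 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE, maxretry=3))
```

Once a candidate is moved into a filter file, `fail2ban-regex` can run it against the real access log to confirm it behaves the same there.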
