Thanks Dudi, I did see the IP is legit but I am still rather intrigued to 
find out what that string is and what it's intended to find.
Maybe they will reply to my email one day, I'm not worried about it just 
interested.

Kind Regards
Mitchell


On 2016/07/08 5:58 PM, Dudi Goldenberg wrote:
> Looks legit, the IP resolves to researchscan1.EECS.Berkeley.EDU
>
> D.
>
> Have you seen this <http://169.229.3.91/>? Up to you if you believe it.
>
> On 08/07/2016 14:13, Mitchell Krog wrote:
>> Hi all
>>
>> I have been noting the following sequence in my nginx logs.
>>
>> 169.229.3.91 - - [06/Jul/2016:10:26:00 +0200]
>> "\xF1)1\xB0\x0E\xD6\xCEOSb`\xE3E\x90\xE1A\xB3\x7F\x8C\x0B\x02\xBF\x05RN\xD0\x87\x8F%=\x83(\x16\x9A\xDF5\x1D\xC8\x81<\x80l\xC6\xD8\xCD9\xA0\xE9\xDF~\xCEC\xFB\xF0\xCB\xB5\xD2\x85I\xAAVT\x98F"
>> 400 166 "-" "-"
>>
>> A bit of searching led me to the following info about it:
>> https://www.abuseipdb.com/check/169.229.3.91
>>
>> Nginx generates a 400 error as expected but I would like to be able to
>> detect these attempts using Fail2Ban and ban it after X attempts. I
>> would think the best place to add this would be in the
>> nginx-botsearch.conf or botsearch-common.conf file but I am really not
>> good with regex at all and will probably break Fail2Ban in the process.
>>
>> Anyone have any idea on a regex string to deal with this? Important to
>> note the string sent is all back slashes \ not the usual / used in url
>> structures and they also pass lots of special characters in the
>> string. I DID try myself and came up with this "^<HOST> \- \S+ \[.*]
>> \"[\\]+.*
>> " but it does not work (my regex sucks)
>>
>> Also very important to note is that Nginx records no GET, POST or HEAD
>> either.
>>
>> And here are some other ones I would also like to be able to detect
>> and ban.
>>
>> 192.99.144.140 - - [08/Jul/2016:14:45:19 +0200] "PROPFIND /webdav/
>> HTTP/1.1" 301 178 "-" "WEBDAV Client" PORT:80 0.000 - . "-"
>>
>> 54.149.78.218 - - [08/Jul/2016:09:38:35 +0200] "PRI * HTTP/2.0" 400
>> 166 "-" "-" PORT:80 5.005 - . "-"
>>
>> Any help?
>>
>> Kind Regards
>> Mitchell
>>
>>
>>
>>
>> ----------------------------------------------------------------------
>> -------- Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T
>> Park in San Francisco, CA to explore cutting-edge tech and listen to
>> tech luminaries present their vision of the future. This family event
>> has something for everyone, including kids. Get more information and
>> register today.
>> http://sdm.link/attshape
>>
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
>
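One way to approach the filter asked about in this thread, added here as an example and not part of the original messages or of Fail2Ban's shipped filters: count any non-empty request whose first token is not an allowed HTTP method, then check the pattern against log lines before putting it in a filter file. The allowed-method list, the IPv4-only stand-in for `<HOST>`, the helper names and the sample lines (constructed, modeled on the ones in the post, using documentation addresses) are assumptions.

```python
import re
from collections import Counter

# Fail2Ban-style pattern. Requests whose first token is not an allowed method
# are counted; the method list is an assumption, extend it to what the site serves.
TEMPLATE = (r'^<HOST> \S+ \S+ \[[^\]]*\] '           # host, ident, user, [time] or []
            r'"(?!(?:GET|POST|HEAD|OPTIONS) )[^"]+" '   # non-empty request, other method
            r'\d{3} ')                                   # any status (301, 400, ...)

# Assumption: simplified IPv4-only stand-in for Fail2Ban's <HOST> tag.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
FAILREGEX = re.compile(TEMPLATE.replace('<HOST>', HOST))

# Constructed sample lines in nginx "combined" format. nginx writes a literal
# double quote inside a request as \x22, so [^"]+ is not cut short by one.
SAMPLE = [
    r'192.0.2.10 - - [06/Jul/2016:10:26:00 +0200] "\xF1)1\xB0\x0E\xD6\xCEOSb`" 400 166 "-" "-"',
    r'198.51.100.7 - - [08/Jul/2016:14:45:19 +0200] "PROPFIND /webdav/ HTTP/1.1" 301 178 "-" "WEBDAV Client"',
    r'203.0.113.5 - - [08/Jul/2016:09:38:35 +0200] "PRI * HTTP/2.0" 400 166 "-" "-"',
    r'192.0.2.10 - - [06/Jul/2016:10:27:00 +0200] "\x16\x03\x01" 400 166 "-" "-"',
    # Lines that must NOT be counted: a normal request and an empty request.
    r'192.0.2.50 - - [08/Jul/2016:09:40:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'192.0.2.51 - - [08/Jul/2016:09:41:00 +0200] "" 400 0 "-" "-"',
]


def offenders(lines):
    """Return the source address of every line the pattern would count."""
    return [m.group('host') for m in map(FAILREGEX.match, lines) if m]


def banned(lines, maxretry):
    """Addresses with at least `maxretry` counted lines (the 'X attempts')."""
    counts = Counter(offenders(lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == '__main__':
    print(TEMPLATE)             # the pattern with <HOST> still in place
    print(offenders(SAMPLE))
    print(banned(SAMPLE, 2))
```

Requiring a non-empty request keeps connections that close without sending anything from being counted.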

