I'm using http prefork.
On Fri, Jul 15, 2016 at 5:34 PM, Mohd Zainal Abidin <[email protected]>
wrote:
> I'm not sure should block or not but if full path got other site there.
>
> On Fri, Jul 15, 2016 at 5:32 PM, Alan Liddell <[email protected]>
> wrote:
>
>> If that's the verbatim output of your log, I'm pretty sure you'd have to
>> reconfigure how your web server writes its logs. Per the manual:
>>
>>
>> - In order for a log line to match your failregex, it actually has to
>> match in two parts: *the beginning of the line has to match a
>> timestamp pattern or regex*, and the remainder of the line has to
>> match your failregex. If the failregex is anchored with a leading ^,
>> then the anchor refers to the start of the remainder of the line,
>> *after* the timestamp and intervening whitespace
>>
>> Then if this pattern isn't in the usual filters, you'd have to create one
>> yourself. So if you rearranged it to output something like
>>
>> [15/Jul/2016:10:03:44 +0800] 27.111.213.117 "GET /2012/12/ HTTP/1.1" 200
>> 72434 "-" "Mozilla/4.0 (compatible;)"
>>
>> this regex should match it:
>>
>> ^ <HOST> \"(GET|POST) \/\S+ HTTP\/1\.1\" \d+? \d+? \"-\" \"Mozilla\/4\.0
>> \(compatible;\)\"$
>>
>> Not sure if the timestamp format is recognized. Maybe someone else can
>> chime in on this one?
>>
>> On Fri, Jul 15, 2016 at 3:07 AM, Mohd Zainal Abidin <[email protected]
>> > wrote:
>>
>>> Hi,
>>>
>>> How to block this kind of attack?
>>>
>>> 27.111.213.117 - - [15/Jul/2016:10:03:32 +0800] "GET /2014/07/ HTTP/1.1"
>>> 200 70977 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:27 +0800] "GET /2007/05/ HTTP/1.1"
>>> 200 62797 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:33 +0800] "GET /2014/06/ HTTP/1.1"
>>> 200 72461 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:28 +0800] "GET /2006/12/ HTTP/1.1"
>>> 200 65124 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:34 +0800] "GET /2014/05/ HTTP/1.1"
>>> 200 72931 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:34 +0800] "GET /2014/04/ HTTP/1.1"
>>> 200 70848 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:32 +0800] "GET /xmlrpc.php?rsd
>>> HTTP/1.1" 200 866 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:36 +0800] "GET /2014/02/ HTTP/1.1"
>>> 200 69820 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:36 +0800] "GET /2014/01/ HTTP/1.1"
>>> 200 74012 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2013/12/ HTTP/1.1"
>>> 200 74001 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2007/10/page/2/
>>> HTTP/1.1" 200 63882 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2008/05/page/2/
>>> HTTP/1.1" 200 63703 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2008/04/page/2/
>>> HTTP/1.1" 200 64863 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2008/06/page/2/
>>> HTTP/1.1" 200 64089 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2007/12/page/2/
>>> HTTP/1.1" 200 63587 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:29 +0800] "GET /2014/12/ HTTP/1.1"
>>> 200 73272 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:31 +0800] "GET /2006/11/ HTTP/1.1"
>>> 200 64642 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2013/11/ HTTP/1.1"
>>> 200 68957 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:31 +0800] "GET /2006/09/ HTTP/1.1"
>>> 200 64719 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:38 +0800] "GET /2008/01/page/2/
>>> HTTP/1.1" 200 62711 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:38 +0800] "GET /2013/10/ HTTP/1.1"
>>> 200 70712 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2008/02/page/2/
>>> HTTP/1.1" 200 64719 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2007/11/page/2/
>>> HTTP/1.1" 200 64808 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2013/09/ HTTP/1.1"
>>> 200 68252 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:32 +0800] "GET /2014/08/ HTTP/1.1"
>>> 200 69468 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2013/08/ HTTP/1.1"
>>> 200 67360 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:41 +0800] "GET /2013/07/ HTTP/1.1"
>>> 200 70473 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:41 +0800] "GET /2013/06/ HTTP/1.1"
>>> 200 72604 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:35 +0800] "GET /2014/03/ HTTP/1.1"
>>> 200 68842 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2013/05/ HTTP/1.1"
>>> 200 74481 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/09/page/2/
>>> HTTP/1.1" 200 65605 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/07/page/2/
>>> HTTP/1.1" 200 64613 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/08/page/2/
>>> HTTP/1.1" 200 64851 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/04/page/2/
>>> HTTP/1.1" 200 65041 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/06/page/2/
>>> HTTP/1.1" 200 65219 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/03/page/2/
>>> HTTP/1.1" 200 66625 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2013/03/ HTTP/1.1"
>>> 200 69079 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:43 +0800] "GET /2007/01/page/2/
>>> HTTP/1.1" 200 65362 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:43 +0800] "GET /2013/02/ HTTP/1.1"
>>> 200 71130 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:43 +0800] "GET /2007/02/page/2/
>>> HTTP/1.1" 200 65625 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:44 +0800] "GET /2006/10/page/2/
>>> HTTP/1.1" 200 64309 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:44 +0800] "GET /2013/01/ HTTP/1.1"
>>> 200 73073 "-" "Mozilla/4.0 (compatible;)"
>>> 27.111.213.117 - - [15/Jul/2016:10:03:44 +0800] "GET /2012/12/ HTTP/1.1"
>>> 200 72434 "-" "Mozilla/4.0 (compatible;)"
>>>
>>> We were getting this kind of attack from different IPs last night. Our
>>> website load goes to 100 and it becomes slow to respond.
>>>
>>> --
>>> Thank you
>>> ______________________
>>>
>>> Mohd Zainal Abidin
>>>
>>>
>>> _______________________________________________
>>> Fail2ban-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>>
>>>
>>
>>
>> --
>> ACL
>>
>
>
>
> --
> Thank you
> ______________________
>
> Mohd Zainal Abidin
>
--
Thank you
______________________
Mohd Zainal Abidin
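Added example (not part of the original thread, and not fail2ban's own code): a Python sketch of the two-part match described in the manual excerpt quoted above, applied to the rearranged log format and the regex from the thread, followed by a maxretry/findtime style count per host. The timestamp pattern, the IPv4 stand-in for <HOST>, the threshold values and the 192.0.2.10 line are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1: a timestamp at the start of the line (assumed pattern for the
# rearranged format proposed in the thread; not fail2ban's own date detector).
TS_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
# Stage 2: the thread's failregex, with <HOST> replaced by a simplified IPv4
# group and ^\s* so whitespace left after the timestamp is tolerated.
FAIL_RE = re.compile(
    r'^\s*(?P<host>\d{1,3}(?:\.\d{1,3}){3}) "(GET|POST) /\S+ HTTP/1\.1" '
    r'\d+ \d+ "-" "Mozilla/4\.0 \(compatible;\)"$'
)

def match_line(line):
    """Return (host, time) if both stages match, else None."""
    ts = TS_RE.match(line)
    if ts is None:
        return None                        # stage 1 failed: no leading timestamp
    hit = FAIL_RE.match(line[ts.end():])   # the failregex sees only the remainder
    if hit is None:
        return None
    when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return hit.group("host"), when

def hosts_to_ban(lines, maxretry=3, findtime=timedelta(seconds=60)):
    """Hosts with at least maxretry matching lines within findtime."""
    seen, banned = defaultdict(list), set()
    for line in lines:
        m = match_line(line)
        if m is None:
            continue
        host, when = m
        # Keep only earlier hits that are still inside the window.
        seen[host] = [t for t in seen[host] if when - t <= findtime] + [when]
        if len(seen[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample: three lines from the thread put into the rearranged
# format, plus one constructed line with a different user agent.
SAMPLE = [
    '[15/Jul/2016:10:03:42 +0800] 27.111.213.117 "GET /2013/05/ HTTP/1.1" 200 74481 "-" "Mozilla/4.0 (compatible;)"',
    '[15/Jul/2016:10:03:43 +0800] 27.111.213.117 "GET /2013/02/ HTTP/1.1" 200 71130 "-" "Mozilla/4.0 (compatible;)"',
    '[15/Jul/2016:10:03:44 +0800] 27.111.213.117 "GET /2012/12/ HTTP/1.1" 200 72434 "-" "Mozilla/4.0 (compatible;)"',
    '[15/Jul/2016:10:03:44 +0800] 192.0.2.10 "GET /2012/12/ HTTP/1.1" 200 72434 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    print(sorted(hosts_to_ban(SAMPLE)))
```

The pattern keys on a user-agent string shared by every request in the posted log, so any legitimate client sending the same string would be counted too; the thresholds decide how many such requests are tolerated before a ban.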