Silly question without my system in front of me to check, but is that from your access log? Do you have a separate error log and do these requests pop up there? My error log is natively in a completely different format and good for fail2ban rules.
Nick

On 2016-07-15 10:39, Mohd Zainal Abidin wrote:
> I'm using http prefork.
>
> On Fri, Jul 15, 2016 at 5:34 PM, Mohd Zainal Abidin <[email protected]> wrote:
>
>> I'm not sure should block or not but if full path got other site there.
>>
>> On Fri, Jul 15, 2016 at 5:32 PM, Alan Liddell <[email protected]> wrote:
>>
>> If that's the verbatim output of your log, I'm pretty sure you'd
>> have to reconfigure how your web server writes its logs. Per the
>> manual:
>>
>> * In order for a log line to match your failregex, it actually has
>> to match in two parts: THE BEGINNING OF THE LINE HAS TO MATCH A
>> TIMESTAMP PATTERN OR REGEX, and the remainder of the line has to
>> match your failregex. If the failregex is anchored with a leading ^,
>> then the anchor refers to the start of the remainder of the line,
>> _after_ the timestamp and intervening whitespace
>>
>> Then if this pattern isn't in the usual filters, you'd have to
>> create one yourself. So if you rearranged it to output something
>> like
>>
>> [15/Jul/2016:10:03:44 +0800] 27.111.213.117 "GET /2012/12/ HTTP/1.1" 200 72434 "-" "Mozilla/4.0 (compatible;)"
>>
>> this regex should match it:
>>
>> ^ <HOST> "(GET|POST) /\S+ HTTP/1.1" \d+? \d+? "-" "Mozilla/4.0 \(compatible;\)"$
>>
>> Not sure if the timestamp format is recognized. Maybe someone else
>> can chime in on this one?
>>
>> On Fri, Jul 15, 2016 at 3:07 AM, Mohd Zainal Abidin <[email protected]> wrote:
>>
>> Hi,
>>
>> How to block this kind of attack?
>>
>> 27.111.213.117 - - [15/Jul/2016:10:03:32 +0800] "GET /2014/07/ HTTP/1.1" 200 70977 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:27 +0800] "GET /2007/05/ HTTP/1.1" 200 62797 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:33 +0800] "GET /2014/06/ HTTP/1.1" 200 72461 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:28 +0800] "GET /2006/12/ HTTP/1.1" 200 65124 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:34 +0800] "GET /2014/05/ HTTP/1.1" 200 72931 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:34 +0800] "GET /2014/04/ HTTP/1.1" 200 70848 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:32 +0800] "GET /xmlrpc.php?rsd HTTP/1.1" 200 866 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:36 +0800] "GET /2014/02/ HTTP/1.1" 200 69820 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:36 +0800] "GET /2014/01/ HTTP/1.1" 200 74012 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2013/12/ HTTP/1.1" 200 74001 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2007/10/page/2/ HTTP/1.1" 200 63882 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2008/05/page/2/ HTTP/1.1" 200 63703 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2008/04/page/2/ HTTP/1.1" 200 64863 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2008/06/page/2/ HTTP/1.1" 200 64089 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2007/12/page/2/ HTTP/1.1" 200 63587 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:29 +0800] "GET /2014/12/ HTTP/1.1" 200 73272 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:31 +0800] "GET /2006/11/ HTTP/1.1" 200 64642 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2013/11/ HTTP/1.1" 200 68957 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:31 +0800] "GET /2006/09/ HTTP/1.1" 200 64719 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:38 +0800] "GET /2008/01/page/2/ HTTP/1.1" 200 62711 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:38 +0800] "GET /2013/10/ HTTP/1.1" 200 70712 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2008/02/page/2/ HTTP/1.1" 200 64719 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2007/11/page/2/ HTTP/1.1" 200 64808 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2013/09/ HTTP/1.1" 200 68252 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:32 +0800] "GET /2014/08/ HTTP/1.1" 200 69468 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2013/08/ HTTP/1.1" 200 67360 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:41 +0800] "GET /2013/07/ HTTP/1.1" 200 70473 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:41 +0800] "GET /2013/06/ HTTP/1.1" 200 72604 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:35 +0800] "GET /2014/03/ HTTP/1.1" 200 68842 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2013/05/ HTTP/1.1" 200 74481 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/09/page/2/ HTTP/1.1" 200 65605 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/07/page/2/ HTTP/1.1" 200 64613 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/08/page/2/ HTTP/1.1" 200 64851 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/04/page/2/ HTTP/1.1" 200 65041 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/06/page/2/ HTTP/1.1" 200 65219 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/03/page/2/ HTTP/1.1" 200 66625 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2013/03/ HTTP/1.1" 200 69079 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:43 +0800] "GET /2007/01/page/2/ HTTP/1.1" 200 65362 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:43 +0800] "GET /2013/02/ HTTP/1.1" 200 71130 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:43 +0800] "GET /2007/02/page/2/ HTTP/1.1" 200 65625 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:44 +0800] "GET /2006/10/page/2/ HTTP/1.1" 200 64309 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:44 +0800] "GET /2013/01/ HTTP/1.1" 200 73073 "-" "Mozilla/4.0 (compatible;)"
>> 27.111.213.117 - - [15/Jul/2016:10:03:44 +0800] "GET /2012/12/ HTTP/1.1" 200 72434 "-" "Mozilla/4.0 (compatible;)"
>>
>> We are getting this kind of attack from different IP last night. Our
>> website load goes to 100 and it becomes slow to respond.
>>
>> --
>>
>> Thank you
>> ______________________
>>
>> Mohd Zainal Abidin
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
>> --
>>
>> ACL
>
> --
>
> Thank you
> ______________________
>
> Mohd Zainal Abidin
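
Added example (not part of the original thread and not fail2ban's own code): a simplified Python emulation of the two-part matching quoted from the manual above, followed by a maxretry/findtime count over timestamp-first log lines. The IPv4-only stand-in for <HOST>, the function names, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Variant of the thread's failregex: literal dots and parentheses escaped,
# whitespace left over after the timestamp made optional.
PATTERN = r'^\s*<HOST> "(?:GET|POST) /\S+ HTTP/1\.1" \d+ \d+ "-" "Mozilla/4\.0 \(compatible;\)"$'
FAILREGEX = re.compile(PATTERN.replace("<HOST>", HOST))
# Leading timestamp of the rearranged layout: [15/Jul/2016:10:03:44 +0800]
TIMESTAMP = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]\s*")

def match_line(line):
    """Two-part match: timestamp at line start, then failregex on the rest."""
    ts = TIMESTAMP.match(line)
    if not ts:
        return None                      # no leading timestamp: line is skipped
    hit = FAILREGEX.match(line[ts.end():])
    if not hit:
        return None
    when = datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S %z")
    return hit.group("host"), when

def hosts_to_ban(lines, maxretry=5, findtime=timedelta(seconds=10)):
    """Hosts with at least maxretry matching lines inside one findtime window."""
    recent, banned = defaultdict(deque), []
    hits = sorted(filter(None, map(match_line, lines)), key=lambda m: m[1])
    for host, when in hits:              # sorted: access logs can be out of order
        window = recent[host]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()             # drop hits older than the window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# Constructed sample lines (documentation IPs), timestamp-first layout.
BOT = '"-" "Mozilla/4.0 (compatible;)"'
SAMPLE = [
    f'[15/Jul/2016:10:03:3{s} +0800] 203.0.113.7 "GET /2014/0{s}/ HTTP/1.1" 200 70977 {BOT}'
    for s in (2, 7, 3, 8, 4)             # deliberately not in time order
] + [
    f'[15/Jul/2016:10:03:30 +0800] 198.51.100.20 "GET /2013/01/ HTTP/1.1" 200 73073 {BOT}',
    '[15/Jul/2016:10:03:31 +0800] 198.51.100.9 "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11)"',
    # Host-first layout: no timestamp at line start, so this emulation skips it.
    f'203.0.113.7 - - [15/Jul/2016:10:03:32 +0800] "GET /2014/07/ HTTP/1.1" 200 70977 {BOT}',
]
```

Calling hosts_to_ban(SAMPLE) returns only the host that sent five matching requests inside the window; the single-hit host, the ordinary browser user agent and the host-first line are ignored.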
