I will get it from the Apache log and grep only the related IPs.

On Fri, Jul 15, 2016 at 6:02 PM, Mitchell Krog <[email protected]>
wrote:

> Hi Nick
>
> Would you mind greatly sharing your log format when you are back at your
> system? Would be interested to see what works better for you on Apache.
>
> My log format is very much the same as the OP and I often wonder why
> Fail2Ban doesn't pick up certain things to do with Apache.
>
> Kind Regards
> Mitch
>
>
> On 2016/07/15 11:48 AM, Nick Howitt wrote:
> > Silly question without my system in front of me to check, but is that
> > from your access log? Do you have a separate error log and do these
> > requests pop up there? My error log is natively in a completely
> > different format and good for fail2ban rules.
> >
> > Nick
> >
> > On 2016-07-15 10:39, Mohd Zainal Abidin wrote:
> >> I'm using http prefork.
> >>
> >> On Fri, Jul 15, 2016 at 5:34 PM, Mohd Zainal Abidin
> >> <[email protected]> wrote:
> >>
> >>> I'm not sure whether I should block it or not, but the full path has
> >>> other sites there.
> >>>
> >>> On Fri, Jul 15, 2016 at 5:32 PM, Alan Liddell
> >>> <[email protected]> wrote:
> >>>
> >>> If that's the verbatim output of your log, I'm pretty sure you'd
> >>> have to reconfigure how your web server writes its logs. Per the
> >>> manual:
> >>>
> >>> * In order for a log line to match your failregex, it actually has
> >>> to match in two parts: THE BEGINNING OF THE LINE HAS TO MATCH A
> >>> TIMESTAMP PATTERN OR REGEX, and the remainder of the line has to
> >>> match your failregex. If the failregex is anchored with a leading ^,
> >>> then the anchor refers to the start of the remainder of the line,
> >>> _after_ the timestamp and intervening whitespace
> >>>
> >>> Then if this pattern isn't in the usual filters, you'd have to
> >>> create one yourself. So if you rearranged it to output something
> >>> like
> >>> [15/Jul/2016:10:03:44 +0800] 27.111.213.117 "GET /2012/12/ HTTP/1.1" 200 72434 "-" "Mozilla/4.0 (compatible;)"
> >>>
> >>> this regex should match it:
> >>>
> >>> ^<HOST> "(GET|POST) /\S+ HTTP/1.1" \d+ \d+ "-" "Mozilla/4\.0 \(compatible;\)"$
> >>>
> >>> Not sure if the timestamp format is recognized. Maybe someone else
> >>> can chime in on this one?
> >>>
> >>> On Fri, Jul 15, 2016 at 3:07 AM, Mohd Zainal Abidin
> >>> <[email protected]> wrote:
> >>>
> >>> Hi,
> >>>
> >>> How to block this kind of attack?
> >>>
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:32 +0800] "GET /2014/07/ HTTP/1.1" 200 70977 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:27 +0800] "GET /2007/05/ HTTP/1.1" 200 62797 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:33 +0800] "GET /2014/06/ HTTP/1.1" 200 72461 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:28 +0800] "GET /2006/12/ HTTP/1.1" 200 65124 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:34 +0800] "GET /2014/05/ HTTP/1.1" 200 72931 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:34 +0800] "GET /2014/04/ HTTP/1.1" 200 70848 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:32 +0800] "GET /xmlrpc.php?rsd HTTP/1.1" 200 866 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:36 +0800] "GET /2014/02/ HTTP/1.1" 200 69820 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:36 +0800] "GET /2014/01/ HTTP/1.1" 200 74012 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2013/12/ HTTP/1.1" 200 74001 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2007/10/page/2/ HTTP/1.1" 200 63882 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2008/05/page/2/ HTTP/1.1" 200 63703 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2008/04/page/2/ HTTP/1.1" 200 64863 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2008/06/page/2/ HTTP/1.1" 200 64089 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2007/12/page/2/ HTTP/1.1" 200 63587 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:29 +0800] "GET /2014/12/ HTTP/1.1" 200 73272 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:31 +0800] "GET /2006/11/ HTTP/1.1" 200 64642 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:37 +0800] "GET /2013/11/ HTTP/1.1" 200 68957 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:31 +0800] "GET /2006/09/ HTTP/1.1" 200 64719 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:38 +0800] "GET /2008/01/page/2/ HTTP/1.1" 200 62711 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:38 +0800] "GET /2013/10/ HTTP/1.1" 200 70712 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2008/02/page/2/ HTTP/1.1" 200 64719 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2007/11/page/2/ HTTP/1.1" 200 64808 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2013/09/ HTTP/1.1" 200 68252 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:32 +0800] "GET /2014/08/ HTTP/1.1" 200 69468 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:39 +0800] "GET /2013/08/ HTTP/1.1" 200 67360 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:41 +0800] "GET /2013/07/ HTTP/1.1" 200 70473 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:41 +0800] "GET /2013/06/ HTTP/1.1" 200 72604 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:35 +0800] "GET /2014/03/ HTTP/1.1" 200 68842 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2013/05/ HTTP/1.1" 200 74481 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/09/page/2/ HTTP/1.1" 200 65605 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/07/page/2/ HTTP/1.1" 200 64613 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/08/page/2/ HTTP/1.1" 200 64851 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/04/page/2/ HTTP/1.1" 200 65041 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/06/page/2/ HTTP/1.1" 200 65219 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2007/03/page/2/ HTTP/1.1" 200 66625 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:42 +0800] "GET /2013/03/ HTTP/1.1" 200 69079 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:43 +0800] "GET /2007/01/page/2/ HTTP/1.1" 200 65362 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:43 +0800] "GET /2013/02/ HTTP/1.1" 200 71130 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:43 +0800] "GET /2007/02/page/2/ HTTP/1.1" 200 65625 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:44 +0800] "GET /2006/10/page/2/ HTTP/1.1" 200 64309 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:44 +0800] "GET /2013/01/ HTTP/1.1" 200 73073 "-" "Mozilla/4.0 (compatible;)"
> >>> 27.111.213.117 - - [15/Jul/2016:10:03:44 +0800] "GET /2012/12/ HTTP/1.1" 200 72434 "-" "Mozilla/4.0 (compatible;)"
> >>>
> >>> We were getting this kind of attack from different IPs last night. Our
> >>> website load goes to 100 and it becomes slow to respond.
> >>>
> >>> --
> >>>
> >>> Thank you
> >>> ______________________
> >>>
> >>> Mohd Zainal Abidin
> >>>
> >>>
> >>
> >>> ------------------------------------------------------------------------------
> >>> What NetFlow Analyzer can do for you? Monitors network bandwidth
> >>> and traffic
> >>> patterns at an interface-level. Reveals which users, apps, and
> >>> protocols are
> >>> consuming the most bandwidth. Provides multi-vendor support for
> >>> NetFlow,
> >>> J-Flow, sFlow and other flows. Make informed decisions using
> >>> capacity planning
> >>> reports. http://sdm.link/zohodev2dev [1]
> >>> _______________________________________________
> >>> Fail2ban-users mailing list
> >>> [email protected]
> >>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users [2]
> >>>
> >>> --
> >>>
> >>> ACL
> >> --
> >>
> >> Thank you
> >> ______________________
> >>
> >> Mohd Zainal Abidin
> >>
> >>
> >> Links:
> >> ------
> >> [1] http://sdm.link/zohodev2dev
> >> [2] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >>
> >>
> >
>
>
>
>



-- 
Thank you
______________________

Mohd Zainal Abidin
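The two-part match Alan quotes from the manual (timestamp first, then the failregex against the remainder of the line), as an added example that is not part of this thread and not fail2ban's own code: a small Python model that applies his regex, with backslashes restored, to constructed log lines in the timestamp-first layout, then counts matches per host with maxretry/findtime semantics to decide which host gets banned. The IPv4-only HOST_RE, the sliding-window counter and the sample lines are assumptions of this example; fail2ban's real <HOST> pattern and ban logic are broader.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage 1: the timestamp has to match at the start of the line, Apache's
# "[15/Jul/2016:10:03:44 +0800]" form followed by whitespace.
TS_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]\s*")
# Simplified IPv4-only stand-in for what fail2ban substitutes for <HOST>.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Stage 2: the failregex from the thread, backslashes restored, applied to the
# remainder of the line, so ^ is the first character after the timestamp.
FAILREGEX = re.compile((r'^<HOST> "(?:GET|POST) /\S+ HTTP/1\.1" \d+ \d+ "-" '
                        r'"Mozilla/4\.0 \(compatible;\)"$').replace("<HOST>", HOST_RE))

def match_line(line):
    """Return (timestamp, host) when both stages match, otherwise None."""
    ts = TS_RE.match(line)
    if not ts:
        return None  # no leading timestamp: the failregex is never consulted
    hit = FAILREGEX.match(line[ts.end():])
    if not hit:
        return None
    return datetime.strptime(ts.group(1), "%d/%b/%Y:%H:%M:%S"), hit.group("host")

def hosts_to_ban(lines, maxretry=10, findtime=60):
    """Hosts with at least maxretry matches inside any findtime-second window."""
    hits = defaultdict(list)
    for line in lines:
        parsed = match_line(line)
        if parsed:
            hits[parsed[1]].append(parsed[0])
    banned, window = set(), timedelta(seconds=findtime)
    for host, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return sorted(banned)

# Constructed sample: the reported burst rewritten into the timestamp-first layout,
# one benign visitor (198.51.100.7, a documentation address) and one line left in
# the original IP-first layout, which stage 1 rejects.
TEMPLATE = ('[15/Jul/2016:10:03:%02d +0800] %s "GET /20%02d/12/ HTTP/1.1" 200 7243 '
            '"-" "Mozilla/4.0 (compatible;)"')
SAMPLE = [TEMPLATE % (27 + i, "27.111.213.117", i) for i in range(12)]
SAMPLE.append(TEMPLATE % (30, "198.51.100.7", 14))
SAMPLE.append('27.111.213.117 - - [15/Jul/2016:10:03:44 +0800] "GET /2012/12/ '
              'HTTP/1.1" 200 72434 "-" "Mozilla/4.0 (compatible;)"')
```

Calling hosts_to_ban(SAMPLE) with the defaults returns ['27.111.213.117']; the benign visitor has one hit and the IP-first line is never matched at all.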
