Try fail2ban, it is an excellent filtering system that blocks IP addresses based on what it finds in log files, you'd point fail2ban at the web server logs, e.g. Apache logs or whatever http server is on your Mediawiki server.
On Sun, Apr 19, 2020 at 12:51 PM Jeffrey Walton <[email protected]> wrote: > > Hi Everyone, > > We see a continuous flow of requests like shown below. We are fairly > certain it is a botnet probing for weaknesses or vulnerabilities. The > source IP address slowly moves around. It looks like there was a bug > in load.php some time ago [1]. > > I don't have time to manually monitor this. We are looking for one of > those wiki plugins to handle it at the application layer. > > How do we ban the host for making these probes for a day or a week? > > Thanks in advance. > > [1] https://www.mediawiki.org/wiki/Topic:Sl0d755pv10sjxl0 > > 92.32.245.123 - - [19/Apr/2020:14:41:12 -0400] "GET > /w/load.php?lang=en&modules=mediawiki.helplink%2Cspecial%2Cui%7Cmediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.skinning.interface%7Cmediawiki.special.search.styles%7Cmediawiki.ui.button%2Cinput%7Cmediawiki.widgets.SearchInputWidget.styles%7Cmediawiki.widgets.styles%7Coojs-ui-core.styles%7Coojs-ui.styles.icons-alerts%2Cicons-content%2Cicons-interactions%2Cindicators%2Ctextures%7Cskins.vector.styles&only=styles&skin=vector > HTTP/1.1" 200 28580 > 92.32.245.123 - - [19/Apr/2020:14:41:13 -0400] "GET > /w/load.php?debug=false&lang=en&modules=ext.SmjCDN%7Cjquery%2Coojs%2Coojs-ui-core%2Coojs-ui-widgets%2Csite%7Cjquery.accessKeyLabel%2CcheckboxShiftClick%2Cclient%2CgetAttrs%2ChighlightText%2Csuggestions%2CtabIndex%2Cthrottle-debounce%7Cmediawiki.RegExp%2CString%2CTitle%2Capi%2Cbase%2Ccldr%2Clanguage%2CsearchSuggest%2Cutil%2Cwidgets%7Cmediawiki.libs.pluralruleparser%7Cmediawiki.page.ready%2Cstartup%7Cmediawiki.special.search%7Cmediawiki.widgets.SearchInputWidget%7Coojs-ui.styles.icons-editing-advanced%2Cicons-moderation%2Cicons-movement%7Cskins.vector.js%7Cuser.defaults&skin=vector&version=1rf1ap1 > HTTP/1.1" 200 144182 > 92.32.245.123 - - [19/Apr/2020:14:41:15 -0400] "GET > /wiki/Debug_Symbols HTTP/1.1" 200 7733 > 92.32.245.123 - - [19/Apr/2020:14:41:16 -0400] "GET > /w/load.php?lang=en&modules=mediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.skinning.interface%7Cmediawiki.toc.styles%7Cskins.vector.styles&only=styles&skin=vector > HTTP/1.1" 200 8880 > 92.32.245.123 - - [19/Apr/2020:14:41:16 -0400] "GET > /w/load.php?debug=false&lang=en&modules=ext.SmjCDN%7Cjquery%2Csite%7Cjquery.accessKeyLabel%2CcheckboxShiftClick%2Cclient%2Ccookie%2CgetAttrs%2ChighlightText%2Csuggestions%2CtabIndex%2Cthrottle-debounce%7Cmediawiki.RegExp%2CString%2CTitle%2Capi%2Cbase%2Ccookie%2CsearchSuggest%2Ctoc%2Cutil%7Cmediawiki.page.ready%2Cstartup%7Cskins.vector.js%7Cuser.defaults&skin=vector&version=1j07wt1 > HTTP/1.1" 200 68744 > > _______________________________________________ > MediaWiki-l mailing list > To unsubscribe, go to: > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l _______________________________________________ MediaWiki-l mailing list To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
