Jeff, I've thought the same thing about "FAIL"2ban. We use it at $work and it can block an IP within a couple of seconds. There are other similar packages, but fail2ban is worth a try if you find no other solution.
On Sun, Apr 19, 2020 at 5:48 PM Jeffrey Walton <[email protected]> wrote:
>
> On Sun, Apr 19, 2020 at 6:38 PM Keith Christian
> <[email protected]> wrote:
> >
> > Try fail2ban, it is an excellent filtering system that blocks IP
> > addresses based on what it finds in log files, you'd point fail2ban at
> > the web server logs, e.g. Apache logs or whatever http server is on
> > your Mediawiki server.
>
> Thanks Keith.
>
> It does not look like a fail (to me). The 301's are redirects from http to
> https. The 200's are successes.
>
> It seems like Mediawiki should know it is incorrect for someone to
> request load.php. The request should be killed in the application.
> Mediawiki has the specialized knowledge required to stop the
> shenanigans.
>
> Jeff
>
> > On Sun, Apr 19, 2020 at 12:51 PM Jeffrey Walton <[email protected]> wrote:
> > >
> > > Hi Everyone,
> > >
> > > We see a continuous flow of requests like those shown below. We are fairly
> > > certain it is a botnet probing for weaknesses or vulnerabilities. The
> > > source IP address slowly moves around. It looks like there was a bug
> > > in load.php some time ago [1].
> > >
> > > I don't have time to manually monitor this. We are looking for one of
> > > those wiki plugins to handle it at the application layer.
> > >
> > > How do we ban the host for making these probes for a day or a week?
> > >
> > > Thanks in advance.
> > >
> > > [1] https://www.mediawiki.org/wiki/Topic:Sl0d755pv10sjxl0
> > >
> > > 92.32.245.123 - - [19/Apr/2020:14:41:12 -0400] "GET
> > > /w/load.php?lang=en&modules=mediawiki.helplink%2Cspecial%2Cui%7Cmediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.skinning.interface%7Cmediawiki.special.search.styles%7Cmediawiki.ui.button%2Cinput%7Cmediawiki.widgets.SearchInputWidget.styles%7Cmediawiki.widgets.styles%7Coojs-ui-core.styles%7Coojs-ui.styles.icons-alerts%2Cicons-content%2Cicons-interactions%2Cindicators%2Ctextures%7Cskins.vector.styles&only=styles&skin=vector
> > > HTTP/1.1" 200 28580
> > > 92.32.245.123 - - [19/Apr/2020:14:41:13 -0400] "GET
> > > /w/load.php?debug=false&lang=en&modules=ext.SmjCDN%7Cjquery%2Coojs%2Coojs-ui-core%2Coojs-ui-widgets%2Csite%7Cjquery.accessKeyLabel%2CcheckboxShiftClick%2Cclient%2CgetAttrs%2ChighlightText%2Csuggestions%2CtabIndex%2Cthrottle-debounce%7Cmediawiki.RegExp%2CString%2CTitle%2Capi%2Cbase%2Ccldr%2Clanguage%2CsearchSuggest%2Cutil%2Cwidgets%7Cmediawiki.libs.pluralruleparser%7Cmediawiki.page.ready%2Cstartup%7Cmediawiki.special.search%7Cmediawiki.widgets.SearchInputWidget%7Coojs-ui.styles.icons-editing-advanced%2Cicons-moderation%2Cicons-movement%7Cskins.vector.js%7Cuser.defaults&skin=vector&version=1rf1ap1
> > > HTTP/1.1" 200 144182
> > > 92.32.245.123 - - [19/Apr/2020:14:41:15 -0400] "GET
> > > /wiki/Debug_Symbols HTTP/1.1" 200 7733
> > > 92.32.245.123 - - [19/Apr/2020:14:41:16 -0400] "GET
> > > /w/load.php?lang=en&modules=mediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.skinning.interface%7Cmediawiki.toc.styles%7Cskins.vector.styles&only=styles&skin=vector
> > > HTTP/1.1" 200 8880
> > > 92.32.245.123 - - [19/Apr/2020:14:41:16 -0400] "GET
> > > /w/load.php?debug=false&lang=en&modules=ext.SmjCDN%7Cjquery%2Csite%7Cjquery.accessKeyLabel%2CcheckboxShiftClick%2Cclient%2Ccookie%2CgetAttrs%2ChighlightText%2Csuggestions%2CtabIndex%2Cthrottle-debounce%7Cmediawiki.RegExp%2CString%2CTitle%2Capi%2Cbase%2Ccookie%2CsearchSuggest%2Ctoc%2Cutil%7Cmediawiki.page.ready%2Cstartup%7Cskins.vector.js%7Cuser.defaults&skin=vector&version=1j07wt1
> > > HTTP/1.1" 200 68744

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
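
The log-driven blocking discussed in this thread, sketched as an added example (not part of the original messages, and not fail2ban's own code): because the requests return 200, it keys on the request path and per-host rate inside a sliding window rather than on the status code. The function name, `max_hits`, `find_time` and the sample lines (documentation addresses, shortened query strings) are assumptions; ordinary page views also fetch load.php, so a real threshold has to sit above normal browsing rates.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined access-log prefix: host, timestamp, method and path.
# The status code is deliberately not matched: the requests in question succeed.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
)

# Constructed sample input, modelled on the log format quoted in the thread.
SAMPLE = [
    '203.0.113.7 - - [19/Apr/2020:14:41:12 -0400] "GET /w/load.php?lang=en&modules=skins.vector.styles&only=styles&skin=vector HTTP/1.1" 200 28580',
    '203.0.113.7 - - [19/Apr/2020:14:41:13 -0400] "GET /w/load.php?debug=false&lang=en&modules=jquery&skin=vector HTTP/1.1" 200 144182',
    '203.0.113.7 - - [19/Apr/2020:14:41:15 -0400] "GET /wiki/Debug_Symbols HTTP/1.1" 200 7733',
    '203.0.113.7 - - [19/Apr/2020:14:41:16 -0400] "GET /w/load.php?lang=en&modules=skins.vector.styles&only=styles&skin=vector HTTP/1.1" 200 8880',
    '198.51.100.20 - - [19/Apr/2020:14:41:20 -0400] "GET /w/load.php?lang=en&modules=site&skin=vector HTTP/1.1" 200 512',
    '198.51.100.20 - - [19/Apr/2020:14:45:20 -0400] "GET /w/load.php?lang=en&modules=site&skin=vector HTTP/1.1" 200 512',
]

def hosts_to_ban(lines, path_prefix="/w/load.php", max_hits=3,
                 find_time=timedelta(seconds=10)):
    """Return {host: timestamp of the request that crossed the threshold}.

    A host is flagged once it makes max_hits requests under path_prefix
    within find_time. Lines are assumed to be in chronological order.
    Defaults are illustrative values, not recommendations.
    """
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(path_prefix):
            continue              # unparseable line or a path we do not watch
        host = m["host"]
        if host in banned:
            continue              # already flagged, nothing more to count
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[host]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # drop hits that fell out of the window
        if len(window) >= max_hits:
            banned[host] = ts
    return banned

if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE).items():
        print(f"ban {host} (threshold crossed at {when.isoformat()})")
```

The returned hosts would then be handed to whatever enforces the ban (a firewall rule or the web server's deny list) for the desired ban period.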
