You could do something similar to the following (except that you would have to change the awk line, and change it to an iptables-based script):
--Begin Script--
#!/bin/sh
#
# Block sites which originate Nimda queries from Apache server
# Apache must be configured with HostnameLookups Off
# Adapted from an earlier script found on one of the Mandrake lists
# Changes by Michael Viron
# Last Update: 2/20/2002

LOGS=/var/log/httpd
# Change IP to reflect yours.
DESTINATION=192.168.1.1

cd $LOGS || exit 1
# With several log files grep prefixes each line with "filename:";
# the awk sub() strips that prefix so $1 is the client IP.
grep '^[0-9]*\.[0-9]*\.[0-9]*\.[0-9]* ' * 2>/dev/null |
awk '/system32\/cmd\.exe/ {sub(/[^:]*:/,"");print $1}' |
sort -u |
while read host
do
    # -x matches whole lines only, so 1.2.3.4 is not taken for 11.2.3.45
    if ! fgrep -x "$host" /var/tmp/blocked >/dev/null 2>&1
    then
        echo "$host" >>/var/tmp/blocked
        /sbin/ipchains -I input -p tcp -s "$host/32" -d $DESTINATION 80 -j DENY
        echo "-A input -p tcp -s $host/32 -d $DESTINATION 80 -j DENY" >> /etc/ipchains.add
    fi
done
# Make the new rules permanent and reload them
cat /etc/ipchains.add >> /etc/sysconfig/ipchains
/etc/rc.d/init.d/ipchains restart
rm -f /etc/ipchains.add
-- End Script --

At 11:52 AM 8/23/2003 -0400, you wrote:
>On Sat, 2003-08-23 at 10:31, Reuben D. Budiardja wrote:
>
>> Now, since I know the IP, what can I do about this? Please help me with
>> advice.
>>
>Nothing. Don't waste your time. You might exclude this range in
>IPTables. We have some business interests in Thailand but the rest of
>the orient is completely blocked.
>--
>
>  Total Quality Management - A Commitment to Excellence
>  Email acceptance policy: http://www.TQMcube.com/email_policy.html
>
>
>--
>redhat-list mailing list
>unsubscribe mailto:[EMAIL PROTECTED]
>https://www.redhat.com/mailman/listinfo/redhat-list
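
The iptables conversion mentioned at the top of this message, as an added example that is not part of the original post or the poster's code. The function names, the APPLY dry-run switch and the sample log lines are assumptions made for illustration; the log and state file paths and the destination address are taken from the script above.

```shell
#!/bin/sh
# Added example: iptables port of the ipchains script above (not the poster's code).
# Assumes HostnameLookups Off, so field 1 of each access-log line is the client IP.
DESTINATION=192.168.1.1                # web server address, as in the original script
BLOCKED=${BLOCKED:-/var/tmp/blocked}   # state file of already-blocked hosts
IPTABLES=${IPTABLES:-/sbin/iptables}

# Read access-log lines on stdin; print each client IP (once) that requested
# system32/cmd.exe. Field 1 is checked to be a dotted quad with octets 0-255
# before it can ever reach a firewall command line.
offenders() {
    awk '/system32\/cmd\.exe/ && split($1, o, "[.]") == 4 {
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
        print $1
    }' | sort -u
}

# Read IPs on stdin; for each one not yet in $BLOCKED, record it and insert a
# DROP rule (iptables' counterpart of ipchains DENY). Without APPLY=1 the
# command is only printed, so the result can be reviewed first.
block_new() {
    while read -r host; do
        grep -Fxq -- "$host" "$BLOCKED" 2>/dev/null && continue
        echo "$host" >>"$BLOCKED"
        set -- -I INPUT -p tcp -s "$host/32" -d "$DESTINATION" --dport 80 -j DROP
        if [ "${APPLY:-0}" = 1 ]; then "$IPTABLES" "$@"; else echo "$IPTABLES $*"; fi
    done
}

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [23/Aug/2003:10:01:02 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
203.0.113.7 - - [23/Aug/2003:10:01:03 -0400] "GET /msadc/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
198.51.100.20 - - [23/Aug/2003:10:02:00 -0400] "GET /index.html HTTP/1.1" 200 1043
999.1.1.1 - - [23/Aug/2003:10:03:00 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
EOF
}

# Dry run against the sample with a throwaway state file. For real use, as root:
#   cat /var/log/httpd/* | offenders | APPLY=1 block_new
#   iptables-save > /etc/sysconfig/iptables   # Red Hat location; keeps rules across restarts
demo_state=$(mktemp)
sample_log | offenders | BLOCKED=$demo_state block_new
rm -f "$demo_state"
```

Inserting at the head of INPUT mirrors the original `-I input`; a rule accepting your own management addresses should sit above these DROP rules so the script cannot lock you out.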