httpd-users mailing list archives

From "Jacob Coby" <jc...@listingbook.com>
Subject Re: Re[4]: Blocking requests..
Date Thu, 22 Aug 2002 14:36:56 GMT
> > Another option, albeit a more complicated one, is to use ipchains/iptables
> > and add a rule to just drop TCP packets from a specific IP address to your
> > webserver.
>
> Sounds like a better idea :). Now I only need to figure out such a
> script.... Any ideas there?

Just so happens that I have a script to grab the ip addresses from an
error_log :)

Usage: cat error_log | getclientip | sort | uniq

You'll have to make your own rules on what should be blacklisted.

-- begin getclientip --
#!/usr/bin/perl
# getclientip
# gets a client's ip address from an Apache error_log
use strict;
use warnings;

while (my $line = <STDIN>)
{
  chomp $line;
  # skip lines without a "client a.b.c.d" field, so that only
  # addresses (never whole log lines) reach sort | uniq
  next unless $line =~ /client\s(\d+\.\d+\.\d+\.\d+)/;
  print "$1\n";
}
-- end --

Because a single IP address can trigger several different blockable
offenses, something has to be done to prevent the same IP address from
getting blacklisted multiple times.

I would append the blocked ip addresses to a file, and then sort | uniq
itself back out to make sure it only contains unique addresses.  Then you
can flush your blacklisted ipchains rule(s) and recreate it(them) using the
blacklisted file.

You may also want to ignore dialup addresses, until they appear 3 or more
times.  Wouldn't want to blacklist someone because the previous user had a
worm :)

-Jacob
http://www.listingbook.com
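
The procedure described in this message (extract client addresses, wait for 3 or more hits, keep a de-duplicated blacklist file, then flush and recreate the rules), as an added shell example that is not part of the original post. The chain name `BLACKLIST`, the function names and the sample log lines are assumptions; the threshold is applied to every address rather than only to dialup ones, and the iptables commands are printed for review instead of being executed.

```shell
#!/bin/sh
# Added example: chain name, threshold and sample log are assumptions.
CHAIN=BLACKLIST  # hypothetical chain, created once with: iptables -N BLACKLIST
THRESHOLD=3      # hits required before an address is listed

# Print the address from each "[client a.b.c.d]" field read on stdin.
extract_client_ips() {
  oct='[0-9]\{1,3\}'
  sed -n "s/.*\[client \($oct\.$oct\.$oct\.$oct\)[]:].*/\1/p"
}

# Keep addresses seen at least THRESHOLD times whose octets are all <= 255.
offenders() {
  sort | uniq -c | awk -v min="$THRESHOLD" '
    $1 >= min { n = split($2, o, "."); ok = (n == 4)
                for (i = 1; i <= n; i++) if (o[i] > 255) ok = 0
                if (ok) print $2 }'
}

# Merge new addresses (stdin) into the blacklist file, one entry per address.
merge_blacklist() {
  touch "$1"
  cat "$1" - | sort -u > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the commands that flush the chain and rebuild it from the file.
emit_rules() {
  echo "iptables -F $CHAIN"
  while read -r ip; do
    echo "iptables -A $CHAIN -s $ip -j DROP"
  done < "$1"
}

# Constructed sample error_log lines (documentation address ranges).
sample_log() {
  cat <<'EOF'
[Thu Aug 22 14:29:00 2002] [notice] Apache configured -- resuming normal operations
[Thu Aug 22 14:30:01 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/scripts/root.exe
[Thu Aug 22 14:30:02 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/MSADC/root.exe
[Thu Aug 22 14:30:03 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Thu Aug 22 14:31:10 2002] [error] [client 203.0.113.5] File does not exist: /var/www/html/scripts/root.exe
[Thu Aug 22 14:31:11 2002] [error] [client 203.0.113.5] File does not exist: /var/www/html/MSADC/root.exe
[Thu Aug 22 14:32:40 2002] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
EOF
}

# Usage (blacklist.txt is a hypothetical file name):
#   extract_client_ips < error_log | offenders | merge_blacklist blacklist.txt
#   emit_rules blacklist.txt
```

Running the merge step repeatedly leaves the file unchanged for addresses already listed, so the rebuilt chain never holds duplicate rules.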

