httpd-users mailing list archives

From "Jacob Coby" <>
Subject Re: Re[4]: Blocking requests..
Date Thu, 22 Aug 2002 14:36:56 GMT
> > Another option, albeit a more complicated one, is to use
> > and add a rule to just drop TCP packets from a specific IP address to
> > webserver.
> Sounds like a better idea :). Now I only need to figure out such a
> script.... Any ideas there?

Just so happens that I have a script to grab the IP addresses from an
error_log :)

Usage: cat error_log | getclientip | sort | uniq

You'll have to make your own rules on what should be blacklisted.

-- begin getclientip --
#!/usr/bin/perl -w
# getclientip
# gets a client's ip address from an Apache error_log
# reads error_log lines on stdin, prints one IP per matching line

while (<>) {
  chomp $_;
  # skip lines with no "[client a.b.c.d]" field (e.g. [notice] lines)
  if (!grep(/client/, $_)) { next; }
  #$_ =~ s/.*\[client.*(.*)\].*$/\1/;
  $_ =~ s/.*client\s(\d+\.\d+\.\d+\.\d+).*/$1/;
  print "$_\n";
}
-- end --

Because a single IP address can trigger several different blockable
offenses, something has to be done to prevent the same IP address from
getting blacklisted multiple times.

I would append the blocked IP addresses to a file, and then sort | uniq
it back out to make sure it only contains unique addresses.  Then you
can flush your blacklisted ipchains rule(s) and recreate it (them) using the
blacklisted file.

You may also want to ignore dialup addresses, until they appear 3 or more
times.  Wouldn't want to blacklist someone because the previous user had a
worm :)
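The whole pipeline sketched above (extract client IPs, require a repeat count before blacklisting, keep the blacklist file unique, flush and recreate the firewall rules), as an added example that is not part of the original post. It assumes a threshold of 3 hits, constructed sample error_log lines, and ipchains rule syntax; the rules are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post): pick client IPs out of an Apache
# error_log, blacklist those seen at least MIN_HITS times, keep the blacklist
# file unique, and print the ipchains rules that flush and recreate the chain.
MIN_HITS=${MIN_HITS:-3}   # repeat-offender threshold; 3 is the post's suggestion

# Constructed sample error_log lines (Apache 1.3 format); not real traffic.
SAMPLE_LOG='[Thu Aug 22 10:01:02 2002] [error] [client 10.0.0.5] File does not exist: /a
[Thu Aug 22 10:01:03 2002] [error] [client 10.0.0.5] File does not exist: /b
[Thu Aug 22 10:01:04 2002] [error] [client 10.0.0.5] File does not exist: /c
[Thu Aug 22 10:02:00 2002] [error] [client 192.0.2.77] File does not exist: /favicon.ico
[Thu Aug 22 10:03:00 2002] [notice] Apache/1.3.26 configured -- resuming normal operations'

# Print "count ip" for every [client a.b.c.d] field on stdin, most frequent first.
# The trailing []:] also accepts the "[client a.b.c.d:port]" form of newer Apache.
count_clients() {
  sed -n 's/.*\[client \([0-9][0-9.]*\)[]:].*/\1/p' | sort | uniq -c | sort -rn
}

# Print only the IPs that reached the threshold, one per line.
candidates() {
  count_clients | awk -v min="$MIN_HITS" '$1 >= min { print $2 }'
}

# Append the IPs on stdin to the blacklist file, then sort | uniq it back out
# so an address that offends several times is still listed only once.
update_blacklist() {
  touch "$1"
  cat "$1" - | sort | uniq > "$1.tmp" && mv "$1.tmp" "$1"
}

# Emit the rules that flush the chain and recreate it from the blacklist file
# (assumed ipchains syntax; printed, not executed).
emit_rules() {
  echo "ipchains -F blacklist"
  while read -r ip; do
    echo "ipchains -A blacklist -s $ip -j DENY"
  done < "$1"
}

# Demo on the constructed sample: 10.0.0.5 (3 hits) qualifies, 192.0.2.77 does not.
BLACKLIST=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" | candidates | update_blacklist "$BLACKLIST"
emit_rules "$BLACKLIST"
rm -f "$BLACKLIST"
```

To apply the rules on a real host, point update_blacklist at a persistent file and pipe emit_rules into a root shell; a blacklist chain must already exist and be jumped to from the input chain.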


The official User-To-User support forum of the Apache HTTP Server Project.