httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joshua Smith <joshuasm...@scbwi.org>
Subject RE: [users@httpd] Deny <ip address> didn't work
Date Tue, 05 May 2015 18:29:14 GMT
WOW!

I'm definitely a novice at this, but this is quite surprising ...

In my access log, I have several IP's that are requesting the same login
page thousands of times.  See examples below.

Also, none of the requests have a referer or browser in the log record.  I'm
thinking that the lack of browser indicates that a program is submitting the
request, not a person at a browser.  (Let alone the fact that there are 186k
requests in 2 hours would indicate that as well ....)

So now my question is expanding ...

Now I think my site is getting a significant amount of hacking attempts.
But as I said I'm a novice ...

Does this look like I'm being hacked?
Should I add these IP addresses to iptables?

I have installed "fail2ban", but I just left it at the default
configuration.  Do I need to start working with that?

Thanks,
Josh


Examples of login requests ....

37.59.11.6 - - [08/Apr/2015:20:29:03 +0000] "POST /wp-login.php HTTP/1.0"
200 11141 "-" "-"
time span - 21 hrs
count - 76700

173.246.41.63 - - [28/Apr/2015:13:36:38 +0000] "POST /wp-login.php HTTP/1.0"
200 11072 "-" "-"
time span - 7 hrs
count - 17955

74.204.189.179 - - [28/Apr/2015:21:06:30 +0000] "POST /wp-login.php
HTTP/1.0" 200 11178 "-" "-"
time span - 20 hours
count - 125685

5.196.241.194 - - [01/May/2015:22:37:25 +0000] "POST /wp-login.php HTTP/1.0"
200 11324 "-" "-"
time span - 2 hrs
count - 186157

84.19.174.28 - - [01/May/2015:22:12:49 +0000] "POST /wp-login.php HTTP/1.0"
200 10995 "-" "-"
time span - 8 hrs
count - 107285








-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com]
Sent: Tuesday, May 05, 2015 5:15
To: users@httpd.apache.org
Subject: Re: [users@httpd] Deny <ip address> didn't work

On Mon, May 4, 2015 at 7:33 PM, Joshua Smith <joshuasmith@scbwi.org> wrote:
> In both cases, when i monitored my site with the 'server-status'
> module, the ip address was still there, with sometimes more than 30
> requests, and all for the same page, which was ..../login.php.  And it
> continued to be there for the next 30 minutes until it just dropped
> off, but i was doing nothing to stop it at that point.

Both of your rules just change the response for this IP, they don't block it
from sending requests. What does the access log say?

--
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message