From: altendew <andrew@shiftcode.com>
To: linux-kernel@vger.kernel.org
Subject: Re: Server Attack
Date: Sun, 27 Aug 2006 21:38:44 -0700 (PDT) [thread overview]
Message-ID: <6014456.post@talk.nabble.com> (raw)
In-Reply-To: <6014209.post@talk.nabble.com>
This works!!
tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET
/signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs -i /sbin/iptables -v -A INPUT
-p tcp -j DROP -s {}
Thanks man I fully understand this query now. You helped me understand this
linux. I just looked up these commands and went along.
altendew wrote:
>
> This does not spit anything out.
>
> I have changed it to this.
>
> tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET
> /signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs /sbin/iptables -A INPUT -p
> tcp -j DROP -s
>
> When I run this
>
> tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET
> /signUp.php?ref=ec0lag'|cut '-d ' -f 1
>
> it lists the IPs fine.. when I run
>
> tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET
> /signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs /sbin/iptables -A INPUT -p
> tcp -j DROP -s
>
> It doesnt spit out anything, how do I kno its working.
>
> Chris Largret wrote:
>>
>>
>> I'm going to go ahead and top-post on this (sorry). There has to be a
>> limited number of computers these requests are coming from since the
>> requests are coming over TCP. I'd write a quick script to grab the ip
>> addresses and block them at the firewall level. Maybe something like
>> this:
>>
>> tail -f /var/log/apache/access_log|grep AppleWebKit|cut '-d ' -f 1|xargs
>> /sbin/iptables -A INPUT -p tcp -j DROP -s
>>
>> I haven't tested it (don't have a problem on my current server), but it
>> _should_ follow the Apache requests, grab the IP addresses of users with
>> a UserAgent of AppleWebKit and drop all TCP packets from the IP address
>> until you reset your firewall.
>>
>> ~ Chris Largret
>>
>>
>> On Sun, 27 Aug 2006 14:58:37 -0700 (PDT)
>> altendew <andrew@shiftcode.com> wrote:
>>
>>>
>>> Hi someone is currently sending requests to our server 20x a second.
>>>
>>> Here is what one of the logs look like.
>>>
>>> [CODE]
>>> Host: 84.77.19.46 /signUp.php?ref=1945777
>>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS X; en-US)
>>> AppleWebKit/578.4
>>> (KHTML, like Geco, Safari) OmniWeb/v643.68e=C:
>>>
>>> Host: 82.234.98.65 /signUp.php?ref=ec0lag
>>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS X; en-US)
>>> AppleWebKit/126.0
>>> (KHTML, like Geco, Safari) OmniWeb/v554.35
>>>
>>> Host: 84.94.31.161 /signUp.php?ref=ec0lag
>>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; TLD; PPC Mac OS X; en-US)
>>> AppleWebKit/502.6
>>> (KHTML, like Geco, Safari) OmniWeb/v401.63ive=C:
>>>
>>> Host: 81.49.24.92 /signUp.php?ref=1945777
>>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; SZS; PPC Mac OS X; en-US)
>>> AppleWebKit/230.1
>>> (KHTML, like Geco, Safari) OmniWeb/v710.56ive=C:
>>>
>>> Host: 80.129.248.17 /signUp.php?ref=1945777
>>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; OST; PPC Mac OS X; en-US)
>>> AppleWebKit/243.6
>>> (KHTML, like Geco, Safari) OmniWeb/v846.88
>>>
>>> Host: 87.235.49.194 /signUp.php?ref=ec0lag
>>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.1 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; SDD; PPC Mac OS X; en-US)
>>> AppleWebKit/430.1
>>> (KHTML, like Geco, Safari) OmniWeb/v145.34
>>>
>>> Host: 125.129.12.61 /signUp.php?ref=1945777
>>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; WCG; PPC Mac OS X; en-US)
>>> AppleWebKit/455.3
>>> (KHTML, like Geco, Safari) OmniWeb/v042.84stemDrive=\x81
>>>
>>> Host: 66.110.153.47 /signUp.php?ref=ec0lag
>>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; ZAM; PPC Mac OS X; en-US)
>>> AppleWebKit/387.2
>>> (KHTML, like Geco, Safari) OmniWeb/v456.02ve=C:
>>>
>>> Host: 62.2.177.250 /signUp.php?ref=ec0lag
>>> Http Code: 403 Date: Aug 27 17:44:38 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; LMZ; PPC Mac OS X; en-US)
>>> AppleWebKit/206.1
>>> (KHTML, like Geco, Safari) OmniWeb/v204.07es
>>>
>>> Host: 200.115.226.143 /signUp.php?ref=1945777
>>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; EDE; PPC Mac OS X; en-US)
>>> AppleWebKit/647.0
>>> (KHTML, like Geco, Safari) OmniWeb/v760.47emDrive=C:\x81
>>>
>>> Host: 84.171.125.189 /signUp.php?ref=1945777
>>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; QHA; PPC Mac OS X; en-US)
>>> AppleWebKit/778.0
>>> (KHTML, like Geco, Safari) OmniWeb/v456.03=C:
>>>
>>> Host: 83.242.79.70 /signUp.php?ref=1945777
>>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; GFS; PPC Mac OS X; en-US)
>>> AppleWebKit/537.0
>>> (KHTML, like Geco, Safari) OmniWeb/v313.01rive=C:
>>>
>>> Host: 86.69.194.172 /signUp.php?ref=ec0lag
>>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; ZCV; PPC Mac OS X; en-US)
>>> AppleWebKit/468.2
>>> (KHTML, like Geco, Safari) OmniWeb/v026.14stemDrive=\x81
>>>
>>> Host: 196.203.176.26 /signUp.php?ref=ec0lag
>>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; BXT; PPC Mac OS X; en-US)
>>> AppleWebKit/840.3
>>> (KHTML, like Geco, Safari) OmniWeb/v767.50s
>>>
>>> Host: 201.41.241.190 /signUp.php?ref=1945777
>>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.0 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0 (Macintosh; TYZ; PPC Mac OS X; en-US)
>>> AppleWebKit/742.0
>>> (KHTML, like Geco, Safari) OmniWeb/v715.65C:
>>>
>>> Host: 200.84.144.234 /signUp.php?ref=ec0lag
>>> Http Code: 403 Date: Aug 27 17:44:37 Http Version: HTTP/1.1 Size in
>>> Bytes: -
>>> Referer: -
>>> Agent: Mozilla/5.0
>>> [/CODE]
>>>
>>> We are currently blocking this user through our Apache.
>>>
>>> .htaccess
>>> [CODE]
>>> RewriteEngine On
>>> RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ (.+)\ PPC\
>>> Mac\
>>> OS\ X;\ en-US\)\ AppleWebKit/(.+)\ \(KHTML,\ like\ Geco,\ Safari\)\
>>> OmniWeb/v([0-9]+).([0-9]+)(.+)$
>>> RewriteRule .* - [F]
>>> [/CODE]
>>>
>>> That works fine and is giving the user a 403 (Forbidden), but the
>>> problem is
>>> that half of our Apache processes are from this user.
>>>
>>> Is there a way to block his user agent before he gets to Apache?
>>> Sometimes
>>> this brings our server to a crash.
>>>
>>> Thanks
>>> Andrew
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Server-Attack-tf2174025.html#a6011508
>>> Sent from the linux-kernel forum at Nabble.com.
>>>
>>> -
>>> To unsubscribe from this list: send the line "unsubscribe linux-kernel"
>>> in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>>> Please read the FAQ at http://www.tux.org/lkml/
>>
>>
>> --
>> Chris Largret <http://www.largret.com>
>> -
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel"
>> in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at http://www.tux.org/lkml/
>>
>>
>
>
--
View this message in context: http://www.nabble.com/Server-Attack-tf2174025.html#a6014456
Sent from the linux-kernel forum at Nabble.com.
next prev parent reply other threads:[~2006-08-28 4:38 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-27 21:58 Server Attack altendew
2006-08-28 0:11 ` Chris Largret
2006-08-28 3:58 ` altendew
2006-08-28 4:38 ` altendew [this message]
2006-08-28 4:39 ` [OT] " Willy Tarreau
2006-08-28 5:05 ` altendew
2006-08-28 5:40 ` Willy Tarreau
2006-08-28 9:51 ` Bernd Petrovitsch
2006-08-28 0:14 ` altendew
2006-08-28 2:49 ` Jeffrey V. Merkey
2006-08-28 10:55 ` Jiri Slaby
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6014456.post@talk.nabble.com \
--to=andrew@shiftcode.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.