How to block DFIND

pruault (New member; joined Aug 20, 2009; messages: 1)
Hi

In my /var/log/httpd/error_log, I've got lines like:

client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23):
/w00tw00t.at.ISC.SANS.DFind:)

But how can I block the mail scanner and DFIND?

Kind regards

patrice
 
I bring up this old subject as I have a lot of w00tw00t in my logs. I would use fail2ban, but we have CSF / LDF to do the work, so I don't want to install fail2ban. How can we accomplish that?
 
Write a script to parse your web server logs and ban the attackers' IPs with CSF. That's it.

This is what works for me (using CSF / LDF) [UPDATED 2014.02.26]:

Code:
#!/bin/bash
# Pull every IPv4 address out of the log lines that contain "w00tw00t" and hand
# each one to CSF (csf.pl -d IP comment), with a comment naming the log it came from.
block_from_logs() {
        COMMENT="$1"
        shift
        for OUTPUT in $(grep -h "w00tw00t" "$@" | grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort -u)
        do
                /etc/csf/csf.pl -d "$OUTPUT" "$COMMENT"
                echo "Blocking IP $OUTPUT"
        done
}

block_from_logs "Blocked for w00tw00t scanning main apache log" /var/log/httpd/access_log
block_from_logs "Blocked for w00tw00t scanning error log" /var/log/httpd/error_log
block_from_logs "Blocked for w00tw00t scanning domain log" /var/log/httpd/domains/*.log

Just run it from cron, e.g. every 10 minutes. Blocked IPs are listed in CSF/LDF; you can unban an IP using CSF/LDF.
 
Nice, but I think most of us have to adjust that, because w00t is mostly found in /var/log/httpd/error_log, not in /var/log/httpd/access_log.
 
As a start point the script is good, thank you for sharing it.

But here is one thing you would probably like to think over. How much load would it put on your server to parse a log file of 1-2 GB or more every 10 minutes? Perhaps you'd like to run it less often? Or you would like to parse the log not from the very top of the file but from the position where you stopped last time?
 
There is another problem with the script. Apart from the fact that it should look at error_log, and the point zEitEr mentioned, it's causing emails with errors.

The script is looking at IPs every x minutes (whatever you set up), but it is looking at the same log files.
So it will detect already blocked IPs, and every 10 minutes an email will have contents something like:
192.168.0.1 Blocked for w00tw00t scanning main apache log
192.168.0.1 is already present in csf.deny

Is there a way to adjust the script so that it does not "detect" IPs which were already discovered before?
 
Check results of

Code:
csf -g $OUTPUT

before blocking IP.

Something like this:

Code:
if [ `csf -g $OUTPUT | grep -c 'No matches found'` -ne 0 ]; then
    # csf -g printed "No matches found": the IP is not in iptables/csf.deny yet, so block it here
fi

Though it might work, it might not be the best way to do things...
 
Thanks for tips, we can work together to make it right.

1) CSF won't block the same IP again, so there's no need to double-check whether an IP has been blocked previously. CSF also checks the IP syntax before blocking an IP.
2) access_log rotates every 7 days and is rather small (it gathers requests not specific to any domain). Logs for domains are kept in /var/log/httpd/domains and rotate every day; they are also rather small.
3) Since LDF/CSF takes care of keeping the blocked IP info and log, I put this in cron without any email notification.

So performance shouldn't be an issue. Thanks for the error_log tip; the script above has been updated.
 
1) CSF won't block the same IP again, so there's no need to double-check whether an IP has been blocked previously. CSF also checks the IP syntax before blocking an IP.
1.) It won't block it again, correct. But I like to know when something is blocked, and the way it is now (without the check) I get an email from CSF every 10 minutes stating that the IP is being blocked but is already present in csf.deny. If the check is done, you don't have that result, and no mail is sent because no old IP is being blocked again.

2.) access_log does not have the w00tw00t entry, that's error_log, so if you check access_log nothing will be blocked, at least not on Fedora and CentOS machines.
So access_log might be rather small, but that would not be an issue. Which OS do you use that w00tw00ts get logged to access_log? I'm just curious.
P.S. I did not find any w00tw00t in any domain log either.

3.) Me too, but I get the mails from CSF whenever it tries to block an IP. So it will also mail me when this is tried and not done because the IP already exists. That's why I need the check.

@zEitEr: That might work. But I'm not that good at scripting.
It would be nice if Stars or you could adjust the script so it becomes more of a "copy and paste" thing. ;)
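The two changes asked for in this thread, reading each log only from the byte offset where the previous run stopped (zEitEr's load point) and skipping addresses that are already in csf.deny so CSF is not asked to deny them again and sends no "already present in csf.deny" mail, as one added example script. It is not code from the thread or from CSF. The state directory /var/lib/w00t-scan, the csf path /usr/sbin/csf (the thread calls /etc/csf/csf.pl directly), the csf.deny location and the sample error_log lines are assumptions; the sample lines are constructed in the format quoted in the first post, not real traffic. The grep of csf.deny is the file-based counterpart of the `csf -g IP` check suggested above; if temporary blocks should count as well, swap it for `csf -g`.

```shell
#!/bin/bash
# Added example for the two points raised in the thread; not code from the thread or from CSF.
#  1. Each log is read only from the byte offset where the previous run stopped, so a
#     multi-GB log is not reparsed from the top every 10 minutes; a rotated or truncated
#     file is detected and read from byte 0 again.
#  2. An address already listed in csf.deny is skipped, so "csf -d" is never repeated for it
#     and CSF sends no "already present in csf.deny" mail.
# Hypothetical paths (assumptions, override via the environment):
STATE_DIR="${STATE_DIR:-/var/lib/w00t-scan}"   # one inode/offset file per log
CSF_DENY="${CSF_DENY:-/etc/csf/csf.deny}"       # CSF's permanent deny list
CSF_BIN="${CSF_BIN:-/usr/sbin/csf}"             # the thread calls /etc/csf/csf.pl directly
PATTERN="w00tw00t"

# Print the unique IPv4 addresses on PATTERN lines appended to log $1 since the last
# run, then save the log's current inode and size as the starting point for next time.
new_scanner_ips() {
    log="$1"
    [ -f "$log" ] || return 0
    state="$STATE_DIR/$(printf '%s' "$log" | tr '/' '_').state"
    size=$(wc -c < "$log" | tr -d ' ')
    inode=$(ls -i "$log" | awk '{print $1}')
    old_inode=""
    offset=0
    if [ -f "$state" ]; then
        read -r old_inode offset < "$state" || true
    fi
    offset=${offset:-0}
    # A new inode (logrotate moved the file) or a file smaller than the saved offset
    # (truncated in place) means new content: start over at byte 0.
    if [ "$old_inode" != "$inode" ] || [ "$offset" -gt "$size" ]; then
        offset=0
    fi
    tail -c +$((offset + 1)) "$log" \
        | grep -F "$PATTERN" \
        | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | sort -u
    mkdir -p "$STATE_DIR"
    printf '%s %s\n' "$inode" "$size" > "$state"
}

# Exit 0 if the address already has a csf.deny line. This is the file-based counterpart
# of the "csf -g IP" check suggested above; it matches the whole address, not a prefix.
already_denied() {
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -q -E "^${escaped}([[:space:]#/]|\$)" "$CSF_DENY" 2>/dev/null
}

# Scan each log named on the command line, deny each new address once, and print the
# addresses actually handed to csf (the only thing a cron mail then needs to contain).
scan_and_block() {
    for log in "$@"; do
        for ip in $(new_scanner_ips "$log"); do
            if already_denied "$ip"; then
                continue
            fi
            "$CSF_BIN" -d "$ip" "Blocked for $PATTERN scanning ($log)" >/dev/null
            printf '%s\n' "$ip"
        done
    done
}

# Constructed sample error_log lines (not real traffic) in the format quoted at the top
# of the thread, written to the path given as $1, for trying the functions offline.
write_sample_log() {
    printf '%s\n' \
        '[Thu Feb 27 10:00:01 2014] [error] [client 203.0.113.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)' \
        '[Thu Feb 27 10:00:02 2014] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico' \
        '[Thu Feb 27 10:00:03 2014] [error] [client 203.0.113.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)' \
        > "$1"
}

# Cron usage (every 10 minutes, as in the thread):
#   */10 * * * * /usr/local/sbin/w00t-scan.sh /var/log/httpd/error_log /var/log/httpd/domains/*.log
if [ "$#" -gt 0 ]; then
    scan_and_block "$@"
fi
```

Because the script prints only the addresses it actually passed to csf, a cron job that mails its output sends nothing on a quiet run and never repeats an address. The state file per log holds the inode and byte size from the previous run; on the first run after installation the whole log is read once, after that only what was appended.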
 