Re: Server Attack

This works!!

tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET
/signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs -i /sbin/iptables -v -A INPUT
-p tcp -j DROP -s {}

Thanks man I fully understand this query now. You helped me understand this
linux. I just looked up these commands and went along.


altendew wrote:
> 
> This does not spit anything out.
> 
> I have changed it to this.
> 
> tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET
> /signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs /sbin/iptables -A INPUT -p
> tcp -j DROP -s
> 
> When I run this
> 
> tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET
> /signUp.php?ref=ec0lag'|cut '-d ' -f 1
> 
> it lists the IPs fine.. when I run
> 
> tail -f /usr/local/apache/domlogs/leapcash.com|grep 'GET
> /signUp.php?ref=ec0lag'|cut '-d ' -f 1|xargs /sbin/iptables -A INPUT -p
> tcp -j DROP -s
> 
> It doesnt spit out anything, how do I kno its working.
> 
> Chris Largret wrote:
>> 
>> 
>> I'm going to go ahead and top-post on this (sorry). There has to be a
>> limited number of computers these requests are coming from since the
>> requests are coming over TCP. I'd write a quick script to grab the ip
>> addresses and block them at the firewall level. Maybe something like
>> this:
>> 
>> tail -f /var/log/apache/access_log|grep AppleWebKit|cut '-d ' -f 1|xargs
>> /sbin/iptables -A INPUT -p tcp -j DROP -s
>> 
>> I haven't tested it (don't have a problem on my current server), but it
>> _should_ follow the Apache requests, grab the IP addresses of users with
>> a UserAgent of AppleWebKit and drop all TCP packets from the IP address
>> until you reset your firewall.
>> 
>> ~ Chris Largret
>> 
>> 
>> On Sun, 27 Aug 2006 14:58:37 -0700 (PDT)
>> altendew <[email protected]> wrote:
>> 
>>> 
>>> Hi someone is currently sending requests to our server 20x a second.
>>> 
>>> Here is what one of the logs look like.
>>> 
>>> [CODE]
>>> Host: 84.77.19.46   /signUp.php?ref=1945777  
>>>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; MTQ; PPC Mac OS X; en-US)
>>> AppleWebKit/578.4
>>> (KHTML, like Geco, Safari) OmniWeb/v643.68e=C:  
>>> 
>>> Host: 82.234.98.65   /signUp.php?ref=ec0lag  
>>>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; CDB; PPC Mac OS X; en-US)
>>> AppleWebKit/126.0
>>> (KHTML, like Geco, Safari) OmniWeb/v554.35  
>>> 
>>> Host: 84.94.31.161   /signUp.php?ref=ec0lag  
>>>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; TLD; PPC Mac OS X; en-US)
>>> AppleWebKit/502.6
>>> (KHTML, like Geco, Safari) OmniWeb/v401.63ive=C:  
>>> 
>>> Host: 81.49.24.92   /signUp.php?ref=1945777  
>>>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; SZS; PPC Mac OS X; en-US)
>>> AppleWebKit/230.1
>>> (KHTML, like Geco, Safari) OmniWeb/v710.56ive=C:  
>>> 
>>> Host: 80.129.248.17   /signUp.php?ref=1945777  
>>>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; OST; PPC Mac OS X; en-US)
>>> AppleWebKit/243.6
>>> (KHTML, like Geco, Safari) OmniWeb/v846.88  
>>> 
>>> Host: 87.235.49.194   /signUp.php?ref=ec0lag  
>>>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.1  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; SDD; PPC Mac OS X; en-US)
>>> AppleWebKit/430.1
>>> (KHTML, like Geco, Safari) OmniWeb/v145.34  
>>> 
>>> Host: 125.129.12.61   /signUp.php?ref=1945777  
>>>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; WCG; PPC Mac OS X; en-US)
>>> AppleWebKit/455.3
>>> (KHTML, like Geco, Safari) OmniWeb/v042.84stemDrive=\x81  
>>> 
>>> Host: 66.110.153.47   /signUp.php?ref=ec0lag  
>>>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; ZAM; PPC Mac OS X; en-US)
>>> AppleWebKit/387.2
>>> (KHTML, like Geco, Safari) OmniWeb/v456.02ve=C:  
>>> 
>>> Host: 62.2.177.250   /signUp.php?ref=ec0lag  
>>>   Http Code: 403  Date: Aug 27 17:44:38  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; LMZ; PPC Mac OS X; en-US)
>>> AppleWebKit/206.1
>>> (KHTML, like Geco, Safari) OmniWeb/v204.07es  
>>> 
>>> Host: 200.115.226.143   /signUp.php?ref=1945777  
>>>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.1  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; EDE; PPC Mac OS X; en-US)
>>> AppleWebKit/647.0
>>> (KHTML, like Geco, Safari) OmniWeb/v760.47emDrive=C:\x81  
>>> 
>>> Host: 84.171.125.189   /signUp.php?ref=1945777  
>>>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; QHA; PPC Mac OS X; en-US)
>>> AppleWebKit/778.0
>>> (KHTML, like Geco, Safari) OmniWeb/v456.03=C:  
>>> 
>>> Host: 83.242.79.70   /signUp.php?ref=1945777  
>>>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; GFS; PPC Mac OS X; en-US)
>>> AppleWebKit/537.0
>>> (KHTML, like Geco, Safari) OmniWeb/v313.01rive=C:  
>>> 
>>> Host: 86.69.194.172   /signUp.php?ref=ec0lag  
>>>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; ZCV; PPC Mac OS X; en-US)
>>> AppleWebKit/468.2
>>> (KHTML, like Geco, Safari) OmniWeb/v026.14stemDrive=\x81  
>>> 
>>> Host: 196.203.176.26   /signUp.php?ref=ec0lag  
>>>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.1  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; BXT; PPC Mac OS X; en-US)
>>> AppleWebKit/840.3
>>> (KHTML, like Geco, Safari) OmniWeb/v767.50s  
>>> 
>>> Host: 201.41.241.190   /signUp.php?ref=1945777  
>>>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.0  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0 (Macintosh; TYZ; PPC Mac OS X; en-US)
>>> AppleWebKit/742.0
>>> (KHTML, like Geco, Safari) OmniWeb/v715.65C:  
>>> 
>>> Host: 200.84.144.234   /signUp.php?ref=ec0lag  
>>>   Http Code: 403  Date: Aug 27 17:44:37  Http Version: HTTP/1.1  Size in
>>> Bytes: -  
>>>   Referer: -  
>>>   Agent: Mozilla/5.0  
>>> [/CODE]
>>> 
>>> We are currently blocking this user through our Apache.
>>> 
>>> .htaccess
>>> [CODE]
>>> RewriteEngine On 
>>> RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0\ \(Macintosh;\ (.+)\ PPC\
>>> Mac\
>>> OS\ X;\ en-US\)\ AppleWebKit/(.+)\ \(KHTML,\ like\ Geco,\ Safari\)\
>>> OmniWeb/v([0-9]+).([0-9]+)(.+)$
>>> RewriteRule .* - [F]
>>> [/CODE]
>>> 
>>> That works fine and is giving the user a 403 (Forbidden), but the
>>> problem is
>>> that half of our Apache processes are from this user.
>>> 
>>> Is there a way to block his user agent before he gets to Apache?
>>> Sometimes
>>> this brings our server to a crash.
>>> 
>>> Thanks
>>> Andrew
>>> -- 
>>> View this message in context:
>>> http://www.nabble.com/Server-Attack-tf2174025.html#a6011508
>>> Sent from the linux-kernel forum at Nabble.com.
>>> 
>>> -
>>> To unsubscribe from this list: send the line "unsubscribe linux-kernel"
>>> in
>>> the body of a message to [email protected]
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>> Please read the FAQ at  http://www.tux.org/lkml/
>> 
>> 
>> -- 
>> Chris Largret <http://www.largret.com>
>> -
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel"
>> in
>> the body of a message to [email protected]
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at  http://www.tux.org/lkml/
>> 
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Server-Attack-tf2174025.html#a6014456
Sent from the linux-kernel forum at Nabble.com.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • [OT] Re: Server Attack
    • From: Willy Tarreau <[email protected]>

• References:
  • Server Attack
    • From: altendew <[email protected]>
  • Re: Server Attack
    • From: Chris Largret <[email protected]>
  • Re: Server Attack
    • From: altendew <[email protected]>

• Prev by Date: Linux v2.6.18-rc5
• Next by Date: Re: [PATCH] loop.c: kernel_thread() retval check - 2.6.17.9
• Previous by thread: Re: Server Attack
• Next by thread: [OT] Re: Server Attack
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]