#1
I am new to setting up apache, and I was utterly amazed at how many times I saw the nimba(?) virus was attacking my machine looking for vulnerable M$ IIS.
Anyway, I was wondering if it was feasible to set up a perl script that periodically scanned the apache access/error logs to gather the IPs that the attacks came from. Then, it would do whatever it is you do to apache or your firewall to block these certain IP addresses from even wasting apache's time to look for the nonexistent files. I am sure it would be interesting to make a collection of these IPs, but would it be worth it to do something like this? I know it would sure minimize the size of the damn log files!

Just curious,
Brett
#2
#3
The problem here is that most of the nimda attacks are coming from machines with dynamically assigned IPs (e.g. broadband connected windoze machines).
If you block the IP a nimda attack string comes from, you're going to be blocking all future users of that IP, unless the blocker is intelligently written. Really, what's the big deal about your log files filling up? Are you that strapped for HDD space?

A safer way might be to set up a squid proxy that only forwards non-attack string looking requests to your apache server.
#4
No, not strapped for space; just curious.
Brett
#5
Re: Worm Registry
Quote:
That looks pretty cool... I was actually going to play with doing something like that...
Brett
#6
Net-Block Owner Notification
I would have to agree with Hero Zzyzzx that actually blocking isn't a great idea.
But there is a nimda-notify script at the Worm Registry that notifies the net-block owner. And as long as this thing (Nimda) has been floating around, I think this is the next step toward getting some of these lazy admins to fix their boxes, by pressuring their service providers.
#7
>> I would have to agree with Hero Zzyzzx that actually blocking isn't a great idea

I too agree, but with different thinking. Blocking those IPs at the packet filtering level (firewall) doesn't help in the long run, as they will continue to waste your bandwidth and perhaps fill up your logs. IMHO, contacting their ISPs and informing them so they investigate, and perhaps suspend or terminate those accounts, is the only way to fix the problem.
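
An added example, not part of the thread: a Python version of the log scan asked about in post #1, with the expiry that the dynamic-IP concern in post #3 calls for, so a listed address drops off once it stops probing. The signature list (`cmd.exe`, `root.exe`), the thresholds, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed signature: Nimda-style IIS probes request cmd.exe or root.exe.
PROBE = re.compile(r"(cmd|root)\.exe", re.IGNORECASE)
# Apache common/combined log: host ident user [time] "request" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

# Constructed sample lines (documentation IP ranges, not real hosts).
SAMPLE = [
    '192.0.2.10 - - [18/Sep/2001:14:02:11 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [18/Sep/2001:14:02:13 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218',
    '198.51.100.7 - - [18/Sep/2001:14:05:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.9 - - [18/Sep/2001:15:00:00 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208',
    '203.0.113.5 - - [10/Sep/2001:09:00:00 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '203.0.113.5 - - [10/Sep/2001:09:00:02 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218',
]

def probe_hits(lines):
    """Return {ip: (probe_count, last_seen)} for requests matching PROBE."""
    hits = {}
    for line in lines:
        m = LINE.match(line)
        if not m or not PROBE.search(m.group(3)):
            continue  # unparseable line or ordinary request
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        count, last = hits.get(ip, (0, ts))
        hits[ip] = (count + 1, max(last, ts))
    return hits

def active_blocklist(hits, now, ttl=timedelta(hours=24), min_hits=2):
    """IPs with at least min_hits probes whose latest probe is within ttl.

    Older entries are left out, so a dynamically assigned address is not
    held against whoever receives it later.
    """
    return sorted(ip for ip, (count, last) in hits.items()
                  if count >= min_hits and now - last <= ttl)

if __name__ == "__main__":
    now = datetime(2001, 9, 18, 20, 0, tzinfo=timezone.utc)
    for ip in active_blocklist(probe_hits(SAMPLE), now):
        print(ip)
```

The returned list can feed either approach discussed in the thread: a temporary firewall rule set that is rebuilt on each run, or a report to the net-block owner.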
Viewing: Dev Shed Forums > System Administration > Apache Development > blocking ips based on apache logs