This week was interesting. It seems every holiday, I get tons of GETs on my apache2 host from scripts/bots that aren't using a browser.
This Thanksgiving I got 1600 from one such User-Agent in 1 minute and some change.
Code:
54.174.59.53 - - [25/Nov/2015:18:56:37 -0800] "GET /robots.txt HTTP/1.1" 200 664 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36 HubSpot Webcrawler"
54.174.55.26 - - [25/Nov/2015:19:00:50 -0800] "GET /favicon.ico HTTP/1.1" 200 1683 "http://www.domain.com/contact-us/privacy" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.116 Safari/537.36 HubSpot Webcrawler"
(since banned directly on 54.174.0.0/15 and using fail2ban's apache-badbots.conf).
I am considering the following:
Code:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT
Do I want to Insert or Append into my current rules if I consistently put rules into my iptables using
Code:
iptables -I INPUT -s $i -j DROP
Thank you for your time.
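An added example, not the poster's own code: a small POSIX shell/awk check that reads Apache combined-format log lines, buckets hits per client IP per minute, and reports buckets above a threshold, which is the kind of burst described above (1600 GETs in about a minute). The log lines are constructed sample data modelled on the two lines in the post, and the threshold value is an assumption. It only prints the matching `iptables -I INPUT -s ... -j DROP` commands rather than running them, so it is safe to try on a copy of a real access log.

```shell
#!/bin/sh
# Added example (not from the original post). Flags client IPs whose request
# count in any single minute exceeds a threshold, using the Apache combined log
# format shown in the post.

# Constructed sample log: three hits from one IP inside 18:56, two from a
# second IP inside 19:00, one from an unrelated IP. User-Agents are shortened.
SAMPLE_LOG='54.174.59.53 - - [25/Nov/2015:18:56:37 -0800] "GET /robots.txt HTTP/1.1" 200 664 "-" "Mozilla/5.0 HubSpot Webcrawler"
54.174.59.53 - - [25/Nov/2015:18:56:38 -0800] "GET / HTTP/1.1" 200 4120 "-" "Mozilla/5.0 HubSpot Webcrawler"
54.174.59.53 - - [25/Nov/2015:18:56:59 -0800] "GET /contact-us/ HTTP/1.1" 200 3011 "-" "Mozilla/5.0 HubSpot Webcrawler"
54.174.55.26 - - [25/Nov/2015:19:00:50 -0800] "GET /favicon.ico HTTP/1.1" 200 1683 "http://www.domain.com/contact-us/privacy" "Mozilla/5.0 HubSpot Webcrawler"
54.174.55.26 - - [25/Nov/2015:19:00:51 -0800] "GET /robots.txt HTTP/1.1" 200 664 "-" "Mozilla/5.0 HubSpot Webcrawler"
192.0.2.10 - - [25/Nov/2015:19:02:03 -0800] "GET / HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"'

# hot_minutes THRESHOLD
# Reads log lines on stdin; prints "ip dd/Mon/yyyy:HH:MM count" for every
# (ip, minute) bucket whose count is strictly greater than THRESHOLD.
hot_minutes() {
    threshold="$1"
    awk -v t="$threshold" '
        {
            # $1 is the client IP; $4 looks like [25/Nov/2015:18:56:37
            # substr(..., 2, 17) drops the "[" and the ":SS" -> minute bucket
            minute = substr($4, 2, 17)
            count[$1 " " minute]++
        }
        END {
            for (k in count) if (count[k] > t) print k, count[k]
        }' | sort
}

# sample_hot THRESHOLD: run hot_minutes over the constructed sample log.
sample_hot() {
    printf '%s\n' "$SAMPLE_LOG" | hot_minutes "$1"
}

# ban_commands: turn hot_minutes output into iptables commands (printed, not run).
# -I prepends to the chain, so a DROP inserted this way is evaluated before any
# rate-limit ACCEPT rule that was added with -A (appended to the end).
ban_commands() {
    awk '{ print "iptables -I INPUT -s " $1 " -j DROP" }'
}

# Threshold of 2 is an arbitrary value for the sample; a real access log
# would use something closer to the burst sizes actually observed.
sample_hot 2
# prints: 54.174.59.53 25/Nov/2015:18:56 3
```

Run it as `sh script.sh`, or pipe a real log through `hot_minutes 300 | ban_commands` to see which rules would be generated before deciding whether to apply them or leave the job to fail2ban.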