LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 04-02-2011, 06:14 AM   #1
markthemark
LQ Newbie
 
Registered: Apr 2011
Posts: 2

Odd entries in Apache error & access logs - looks like some sort of bot


Hi there!

I've been looking over the access logs from Apache, and I keep finding this sort of message:
Quote:
x.x.x.x - - [02/Apr/2011:04:30:52 -0500] "GET HTTP/1.0" 400 299 "-" "-"
This is appearing literally many times a second. The accompanying message in the error log looks like this, again happening many times a second.
Quote:
[Sat Apr 02 04:31:26 2011] [error] [client x.x.x.x] Invalid URI in request GET HTTP/1.0
Now this keeps happening, and every time I see this in the access logs, I just ban the IP using iptables:

Quote:
sudo iptables -A INPUT -s x.x.x.x -j DROP
iptables-save
And that appears to stop the requests.

But then I look again in like a day or whatever, and exactly the same thing is happening, but with a completely different IP. A lookup of these IPs reveals they're from the US (mostly; sometimes they appear to be Chinese).

Anyway, I've done this process at least 20 times now, and I can't keep doing this manually; it's a pain. And obviously I'm not keen for my server to have to handle these requests every 0.2 seconds...

So, before I write some sort of script monitoring the error log and automatically dropping the IPs with this sort of pattern, is there anything I should know that can explain this sort of behaviour? And is there something that already exists to handle this sort of task?

Thanks!
 
Old 04-02-2011, 06:53 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Try iptables rate limiting, something like:

Code:
# Record every new TCP connection to port 80 from the source address in the 'recent' list.
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
# Drop a new connection to port 80 if the source already has 4 hits in the last 60 seconds.
# -I inserts at the top of the chain, so this second rule ends up above the --set rule
# and the check runs before the current connection is recorded.
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
This will prevent clients from connecting more than 4 times a minute, but you can tune it according to your baseline traffic pattern.

cheers
 
Old 04-02-2011, 12:05 PM   #3
markthemark
LQ Newbie
 
Registered: Apr 2011
Posts: 2

Original Poster
Top, thanks.
 
Old 04-02-2011, 12:32 PM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,215
Blog Entries: 1

Quote:
So, before I write some sort of script monitoring the error log and automatically dropping the IPs with this sort of pattern, is there anything I should know that can explain this sort of behaviour? And is there something that already exists to handle this sort of task?
This is the usual script kiddies' behavior. You can use fail2ban to block such attacks for a period of time.

Regards
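As an added example (not code from this thread, from fail2ban or from the posters), this is the log-side version of what kbp's rate limiting and bathory's fail2ban suggestion do: parse error-log lines in the format quoted in post #1, count "Invalid URI in request" hits per client inside a sliding window, and render the iptables DROP rule the original poster was applying by hand. The sample lines, client addresses and threshold values are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2 error-log line as shown in the thread:
# [Sat Apr 02 04:31:26 2011] [error] [client 10.0.0.1] Invalid URI in request GET HTTP/1.0
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] \[client (?P<ip>[\d.]+)\] Invalid URI in request "
)

def parse_line(line):
    """Return (timestamp, client_ip) for an 'Invalid URI' error line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"), m.group("ip")

def find_offenders(lines, max_hits=4, window_seconds=60):
    """IPs with more than max_hits 'Invalid URI' errors inside any window_seconds
    span: the hitcount/seconds idea of the iptables 'recent' match, applied to the log."""
    hits = defaultdict(list)
    offenders = set()
    window = timedelta(seconds=window_seconds)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # some other error, or a line we do not understand
        ts, ip = parsed
        # keep only this client's hits that are still inside the window, then add this one
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        if len(hits[ip]) > max_hits:
            offenders.add(ip)
    return offenders

def drop_rules(offenders):
    """Render the DROP rule the original poster applied by hand, one per offending IP."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(offenders)]

# Constructed sample: one noisy client, one below the threshold, one unrelated error to ignore.
SAMPLE = [
    "[Sat Apr 02 04:31:26 2011] [error] [client 198.51.100.7] Invalid URI in request GET HTTP/1.0",
    "[Sat Apr 02 04:31:26 2011] [error] [client 198.51.100.7] Invalid URI in request GET HTTP/1.0",
    "[Sat Apr 02 04:31:27 2011] [error] [client 203.0.113.9] Invalid URI in request GET HTTP/1.0",
    "[Sat Apr 02 04:31:27 2011] [error] [client 198.51.100.7] Invalid URI in request GET HTTP/1.0",
    "[Sat Apr 02 04:31:27 2011] [error] [client 198.51.100.7] Invalid URI in request GET HTTP/1.0",
    "[Sat Apr 02 04:31:28 2011] [error] [client 198.51.100.7] Invalid URI in request GET HTTP/1.0",
    "[Sat Apr 02 04:35:00 2011] [error] [client 203.0.113.9] File does not exist: /var/www/favicon.ico",
]
```

Running `drop_rules(find_offenders(SAMPLE))` yields a single rule for 198.51.100.7; a real deployment would feed `tail -F` output through `find_offenders` and let fail2ban handle the expiry of bans that this sketch does not implement.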
 