Hi there!
I've been looking over the access logs from Apache, and I keep finding this sort of message:
x.x.x.x - - [02/Apr/2011:04:30:52 -0500] "GET HTTP/1.0" 400 299 "-" "-"
This is appearing literally many times a second. The accompanying message in the error log looks like this, again happening many times a second.
[Sat Apr 02 04:31:26 2011] [error] [client x.x.x.x] Invalid URI in request GET HTTP/1.0
Now this keeps happening, and every time I see this in the access logs, I just ban the IP using iptables:
sudo iptables -A INPUT -s x.x.x.x -j DROP
iptables-save
And that appears to stop the requests.
But then I look again in like a day or whatever, and exactly the same thing is happening, but with a completely different IP. A lookup of these IPs reveals they're from the US (mostly; sometimes they appear to be Chinese).
Anyway, I've done this process at least 20 times now, and I can't keep doing this manually; it's a pain. And obviously I'm not keen for my server to have to handle these requests every 0.2 seconds...
So, before I write some sort of script monitoring the error log and automatically dropping the IPs with this sort of pattern, is there anything I should know that can explain this sort of behaviour? And is there something that already exists to handle this sort of task?
Thanks!
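As an added illustration (not the poster's code, and not from any existing tool), here is the detection step such a monitoring script would need: parse Apache access-log lines in the format quoted above, pick out the malformed "GET HTTP/1.0" requests answered with 400, and flag any client IP that sends more than a threshold of them inside a short sliding window. The IPs, timestamps and threshold in the sample are constructed; tools such as fail2ban implement the same idea with a filter regex and a ban action.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log fields we need: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 02/Apr/2011:04:30:52 -0500

def parse_line(line):
    """Return (ip, datetime, request, status), or None if the line doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))

def is_invalid_uri(req, status):
    # A request line with the URI missing has only two tokens ("GET HTTP/1.0"),
    # which is exactly what Apache logs as "Invalid URI in request" with a 400.
    return status == 400 and len(req.split()) == 2

def flood_sources(lines, threshold=5, window=timedelta(seconds=10)):
    """IPs that produced at least `threshold` malformed 400s within any `window`."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than crash on them
        ip, ts, req, status = parsed
        if is_invalid_uri(req, status):
            hits[ip].append(ts)
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)

def block_rules(ips):
    """Render the same DROP rule the poster applies by hand, one per flagged IP."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]

# Constructed sample log: one noisy client, one single hit, one legitimate request.
def _line(ip, sec, req="GET HTTP/1.0", status=400, size=299):
    return f'{ip} - - [02/Apr/2011:04:30:{sec:02d} -0500] "{req}" {status} {size} "-" "-"'

SAMPLE_LOG = [_line("203.0.113.7", s) for s in range(50, 56)] + [
    _line("198.51.100.9", 52),
    _line("203.0.113.7", 53, "GET /index.html HTTP/1.1", 200, 1234),
]
```

Running `flood_sources(SAMPLE_LOG)` flags only 203.0.113.7 (six malformed requests in six seconds); the single hit from 198.51.100.9 stays below the threshold, which is the point of requiring a rate rather than a single match before banning.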