[TriLUG] help with scripts to iptables drop sources of .to and 408 crap
Mike Fieschko
mike.fieschko at devmike.com
Fri Oct 7 08:53:08 EDT 2005
Good morning,
Looking at the access.log for one of my sites, there are many entries
similar to these [newlines added to improve readability]:
85.140.96.13 - - [07/Oct/2005:07:50:21 -0400] "-" 408 - "-" "-"
172.181.197.107 - - [07/Oct/2005:07:50:49 -0400] "-" 408 - "-" "-"
85.140.96.13 - - [07/Oct/2005:07:51:43 -0400] "-" 408 - "-" "-"
172.181.197.107 - - [07/Oct/2005:07:52:16 -0400] "-" 408 - "-" "-"
85.114.64.140 - - [07/Oct/2005:07:52:40 -0400] "GET /blog/index.php
HTTP/1.1" 200 12825 "http://carisoprodol.get.to/" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.193.21.24 - - [07/Oct/2005:07:53:16 -0400] "GET /blog/index.php
HTTP/1.1" 200 12825 "http://online-hydrocodone.drop.to/" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; Media
Center PC 3.1)"
172.176.195.32 - - [07/Oct/2005:07:55:28 -0400] "GET /blog/index.php
HTTP/1.1" 200 13285 "http://buy-ambien.drop.to/" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1)"
So I made two scripts, one for the .to crap, the other for the 408 crap:
#!/bin/bash
# Drop every source IP whose recent log entry contains ".to/"
for i in $(tail -100 /var/log/apache/inillotempore.com-access.log.1 | \
  awk '/\.to\// {print $1}' | sort -u)
do
    iptables -A INPUT -i eth0 -s "$i" -j DROP
done
and
#!/bin/bash
# Drop every source IP whose recent log entry contains " 408 -"
for i in $(tail -100 /var/log/apache/inillotempore.com-access.log.1 | \
  awk '/ 408 -/ {print $1}' | sort -u)
do
    iptables -A INPUT -i eth0 -s "$i" -j DROP
done
I added crontab entries to run these every two minutes. I've done
`iptables -L INPUT| grep DROP| tail` a few times, and addresses are
appending to the INPUT chain.
I wanted to use awk to grab the IP when a '408' has a leading
whitespace and a trailing whitespace followed by '-'. Did I do that
correctly?
Any mistakes people would like to point out or comments?
I do realize that any Tonga domains get caught by the first script (I'll
live with that), and that `sort -u` would probably accomplish the same
result.
--
Mike Fieschko
Raleigh, NC
http://devmike.com
http://devmike.com/blog
http://inillotempore.com
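An added example, not Mike's scripts, that does the same job by field rather than by substring. Splitting each combined-log line on the double quote puts the request in field 2, the status in field 3 and the referrer in field 4, so the 408 test is anchored to the request and status fields (the question in the post) and the .to test is anchored to the referrer, where a ".to/" in a requested path no longer matches. It also prints the rules instead of applying them, and skips IPs that already have one, since a cron job that appends every two minutes otherwise adds the same rule again on each run. The sample log is constructed from the entries quoted above plus one made-up line from the 192.0.2.0/24 documentation range; the list of already-blocked IPs is assumed to be supplied by the caller, and eth0 is taken from the post.

```shell
#!/bin/bash
# Added example (not the original poster's code): extract source IPs from
# Apache combined-log lines by field, then print the iptables commands rather
# than running them, skipping IPs that already have a rule.

# Constructed sample log, modelled on the entries quoted in the post. Each
# entry is on one line, as it is in the real file. The last line is made up:
# its requested *path* contains ".to/" while its referrer is "-".
SAMPLE_LOG='85.140.96.13 - - [07/Oct/2005:07:50:21 -0400] "-" 408 - "-" "-"
172.181.197.107 - - [07/Oct/2005:07:50:49 -0400] "-" 408 - "-" "-"
85.140.96.13 - - [07/Oct/2005:07:51:43 -0400] "-" 408 - "-" "-"
85.114.64.140 - - [07/Oct/2005:07:52:40 -0400] "GET /blog/index.php HTTP/1.1" 200 12825 "http://carisoprodol.get.to/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.193.21.24 - - [07/Oct/2005:07:53:16 -0400] "GET /blog/index.php HTTP/1.1" 200 12825 "http://online-hydrocodone.drop.to/" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.7 - - [07/Oct/2005:07:54:02 -0400] "GET /howto/go.to/page.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"'

# With -F'"' the fields are: $1 = "ip - - [date] ", $2 = request,
# $3 = " <status> <bytes> ", $4 = referrer. The client IP is the first word of $1.

# Timed-out empty requests: request field is "-" and status is 408.
ips_408() {
  awk -F'"' '$2 == "-" && $3 ~ /^ 408 / { split($1, a, " "); print a[1] }' | sort -u
}

# Requests whose referrer host is under .to, anchored to the referrer field
# so that ".to/" in the requested path does not match.
ips_to_referrer() {
  awk -F'"' '$4 ~ "^https?://[^/]*[.]to/" { split($1, a, " "); print a[1] }' | sort -u
}

# Read IPs on stdin and print one DROP rule per IP. $1 is a newline-separated
# list of IPs that already have a rule (assumed to be supplied by the caller,
# e.g. parsed from the current INPUT chain), so a repeated run does not
# append a rule that is already there.
emit_rules() {
  already=$1
  while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    if printf '%s\n' "$already" | grep -qxF -- "$ip"; then
      continue
    fi
    printf 'iptables -A INPUT -i eth0 -s %s -j DROP\n' "$ip"
  done
}

# Usage: print the rules the two cron jobs would add; nothing is applied here.
printf '%s\n' "$SAMPLE_LOG" | ips_408 | emit_rules ""
printf '%s\n' "$SAMPLE_LOG" | ips_to_referrer | emit_rules "85.114.64.140"
```

Run as-is it prints two rules for the 408 sources and one for 80.193.21.24 (85.114.64.140 is passed in as already blocked, and 192.0.2.7 is not matched because only its path, not its referrer, contains ".to/"). To use it against a real log, replace the sample with the log file on stdin and pipe the printed commands to a shell only after reviewing them.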