4

I'm getting bored by all those muieblackcat's and similar scripts run on web sites. Can I block an IP address (for example with iptables) automatically, like for an hour or so, as soon as it accesses example.com/muieblackcat?

This is on Linux, with Apache.

4 Answers

22

You could, but that would make denial-of-service attacks trivial. All an attacker needs to do is access your site through the same proxy I'm using and hit one of those URLs and then I can't access your site. There are still entire cities that use a web proxy.

David Schwartz
15

See Fail2Ban; it can parse Apache log files too.

Stone
6

Consider tarpitting these requests instead.

HAProxy (and I assume other HTTP proxies) has the ability to identify 'malicious' scan hits and delay the response (thus temporarily slowing the attack script).

Blocking the response entirely will just have the attack script move along to its next target immediately.

Peter Mortensen
Joel K
2

I would start by using a program to watch the log files; if a particular URL is accessed, it should show up in the Apache logs. You can use SEC to watch for this URL access.

When the URL access happens, then SEC can run an iptables command to block the IP address.

Peter Mortensen
Mei
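A worked version of the watch-the-log-and-ban approach described in the Fail2Ban and SEC answers, added here and not taken from any answer: a Python 3 script that parses Apache combined-log lines, bans a client for an hour when it requests /muieblackcat, keeps an allowlist for shared proxies (the objection raised in the top answer) and lifts the ban once the log clock passes the hour. The sample log lines and the 192.0.2.9 "proxy" address are constructed, and the iptables commands are recorded rather than executed.

```python
import re
from datetime import datetime, timedelta
# One Apache "combined" access-log line: client ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" \d{3}')
PROBE_PATHS = ("/muieblackcat",)   # URLs only a scanner would ever request
BAN_DURATION = timedelta(hours=1)   # the "hour or so" asked for in the question

def parse_line(line):
    # Return ip/path/time for one log line, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "path": m.group("path"), "time": when}

class ProbeBanner:
    # Tracks temporary bans; records the iptables commands it would run (dry run).
    def __init__(self, allowlist=()):
        self.allowlist = set(allowlist)   # shared proxies you must never cut off
        self.bans = {}                    # ip -> time the ban lapses
        self.commands = []                # iptables commands that would be executed

    def process(self, line):
        rec = parse_line(line)
        if rec is None:
            return None
        self.expire(rec["time"])          # the log's own clock drives ban expiry
        ip = rec["ip"]
        if not rec["path"].startswith(PROBE_PATHS) or ip in self.allowlist or ip in self.bans:
            return None
        self.bans[ip] = rec["time"] + BAN_DURATION
        self.commands.append(f"iptables -I INPUT -s {ip} -j DROP")
        return self.commands[-1]

    def expire(self, now):
        released = [ip for ip, until in self.bans.items() if until <= now]
        for ip in released:               # lift bans whose hour is up
            del self.bans[ip]
            self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")
        return released

# Constructed sample lines using RFC 5737 documentation addresses, not real clients.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /muieblackcat HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla"',
    '192.0.2.9 - - [10/Oct/2023:13:56:02 +0000] "GET /muieblackcat HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.4 - - [10/Oct/2023:14:57:00 +0000] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla"',
]

def run(lines, allowlist=("192.0.2.9",)):   # 192.0.2.9 stands in for a shared proxy
    banner = ProbeBanner(allowlist)
    for line in lines:
        banner.process(line)
    return banner.commands
```

In real use the script would tail the access log and hand each command to subprocess with a short expiry timer; the allowlist is what keeps a scan routed through a shared proxy from locking out everyone behind it.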