
My server is under attack; it is flooded with requests with the following pattern:

Thousands of IPs. Each IP requests the same page "GET / HTTP/1.1" with the same referrer 3-5 times per second (same timestamp).

So what I would need is a small shell script which takes the input from "tail -f /var/www/log/access.log", parses it for repeated requests with the same timestamp (say 2 requests for the same page with the same referrer and the same time) and adds an iptables rule to drop all packets from this IP.

Stephane
Jmaxor

1 Answer


Have a look at Fail2Ban and at this Howto for an example of filters for Apache log files.

Here's an example that should accomplish what you ask. Please see the manual and adjust to your needs:

/etc/fail2ban/filter.d/apache-attackers.conf

[Definition]
# Brackets around the timestamp must be escaped, otherwise the regex never matches the log line.
# Replace REFERER with the referrer string seen in the flood.
failregex = ^<HOST> - - \[[^\]]+\] "GET / HTTP/1\.1" 200 .* "REFERER"

/etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 127.0.0.1 <an IP you access the system from>

[apache-attackers]
enabled = true
port    = http,https
filter  = apache-attackers
bantime = 86400
logpath = /var/log/httpd/*access_log
maxretry = 5

Enable fail2ban at startup (RHEL/CentOS) and launch it:

chkconfig fail2ban on
service fail2ban start

Note: Tested on RHEL/CentOS, your mileage may vary.

fuero
  • Referers change all the time; can Fail2Ban handle this? I am looking over the wiki but it doesn't seem so – Jmaxor May 06 '13 at 14:13
  • @Iain answer has been updated, sorry. – fuero May 06 '13 at 14:17
  • Thank you very much, this seems to help a bit, but now I found a new pattern. Maybe I may ask you again for help to rewrite this [Definition] to catch all IPs which access the same page multiple times at the same timestamp, forgetting altogether about the referer because they also change. The log looks like this: 186.6.65.199 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10488 "http://coolsearch37845.com/b/eve/618aef08...... 186.6.65.199 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10531 "https://liteapps.mcafee.com....... – Jmaxor May 06 '13 at 14:51
  • @Jmaxor adding an ignoreregex line with something like `"[^"]+(?:-|google|bing|...|your-domains)[^"]+` for the referer field might do the trick. – fuero May 06 '13 at 19:02
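As an added example (not code from the question, the answer or the comments above), here is the small shell/awk script the question originally asked for, written for the refined pattern from the comments: flag any client that requests the same path two or more times within the same log second, ignoring the referer entirely. It assumes Apache's combined log format and IPv4 clients (IPv6 addresses would need ip6tables); the sample log lines are constructed with documentation-range addresses, and the log path in the usage comment is the one from the question.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes Apache combined log
# format and IPv4 clients; for IPv6 the generated commands would need ip6tables.

# flood_ips THRESHOLD
#   Reads an access log on stdin. Prints each client IP once, the first time it
#   reaches THRESHOLD requests for the same path within a single log second.
#   Referer is deliberately not part of the key, since it changes per request.
flood_ips() {
    awk -v thr="$1" '
        # Combined log format, whitespace-split:
        #   $1 = client IP   $4 = "[dd/Mon/yyyy:HH:MM:SS"   $7 = request path
        NF < 8 { next }                                    # not a request line, skip it
        $4 != cur_sec { cur_sec = $4; split("", count) }   # new second: reset per-second counters
        {
            key = $1 SUBSEP $7
            if (++count[key] == thr && !flagged[$1]++) {
                print $1
                fflush()                                   # emit at once when fed by tail -f
            }
        }
    '
}

# ban_cmds
#   Reads IPs on stdin and prints one iptables command per IP. The -C check
#   first makes re-runs safe: an IP already in INPUT is not added a second time.
ban_cmds() {
    while IFS= read -r ip; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}

# Constructed sample log (TEST-NET addresses, not real clients).
# 198.51.100.7 and 203.0.113.42 repeat "GET /" inside one second with changing
# referers; 192.0.2.10 is an ordinary visitor whose repeat of "/" spans two seconds.
SAMPLE_LOG='198.51.100.7 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10488 "http://coolsearch37845.com/b/eve/618aef08" "Mozilla/5.0"
203.0.113.42 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10531 "http://search.example.net/q" "Mozilla/5.0"
198.51.100.7 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10488 "http://other.example.org/" "Mozilla/5.0"
192.0.2.10 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10488 "-" "Mozilla/5.0"
203.0.113.42 - - [06/May/2013:18:46:21 +0400] "GET / HTTP/1.1" 200 10488 "http://coolsearch37845.com/b/eve/618aef08" "Mozilla/5.0"
192.0.2.10 - - [06/May/2013:18:46:22 +0400] "GET /style.css HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0"
192.0.2.10 - - [06/May/2013:18:46:22 +0400] "GET /logo.png HTTP/1.1" 200 5120 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [06/May/2013:18:46:22 +0400] "GET / HTTP/1.1" 200 10488 "http://another.example.org/" "Mozilla/5.0"
192.0.2.10 - - [06/May/2013:18:46:23 +0400] "GET / HTTP/1.1" 200 10488 "http://www.example.com/" "Mozilla/5.0"'

# Dry run on the sample: prints the iptables commands without executing them.
printf '%s\n' "$SAMPLE_LOG" | flood_ips 2 | ban_cmds

# Live use as root, on the log path from the question; pipe into sh to apply the bans:
#   tail -F /var/www/log/access.log | flood_ips 2 | ban_cmds | sh
```

The per-second reset keeps memory bounded on a live tail, and `flagged` makes sure an attacker hitting the threshold in every second is printed only once. Threshold 2 is what the question asked for; on a busy site a browser loading a page and its assets in one second never trips it because the key includes the path, but legitimate double-clicks on "/" would, so watch the output before piping it into `sh`. If you go the Fail2Ban route from the answer instead, `fail2ban-regex <logfile> <filterfile>` shows which lines a filter matches before the jail is enabled.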