[oclug] Apache anti-abuse
David F. Skoll
dfs at roaringpenguin.com
Fri Aug 23 10:16:47 EDT 2002
On Fri, 23 Aug 2002 rod at giffinscientific.com wrote:
> David, this is interesting and awfully timely too, considering that
> at the moment, I'm with a client who appears to be being attacked by
> Nimda/Code Red 2 or something similar, since Aug 19th.
Hmm. I've attached a new and improved script. This script can watch
multiple log files (I have about 10 on my server for virtual hosts)
and you can specify hosts never to block (don't want to block my own
ht://dig search indexer. :-))
Invocation now takes log files on the command line:
watch-apache-abuse access_log_1 access_log_2 ...
Regards,
David.
#!/bin/sh
#
# $Id: watch-apache-abuse,v 1.3 2002/08/23 14:14:04 dfs Exp $
#
# Run this from cron every 5-10 minutes.
#
# Usage: watch-apache-abuse logfile1 logfile2 ...
#
# Copyright 2002 Roaring Penguin Software Inc.
# This program may be distributed under the terms of the GNU
# General Public License, Version 2.
#
# This script bans hosts which appear to be hitting your web site
# too often. You need to change the SAMPLE and ABUSE values to
# suit your statistics. Also, set the NOBLOCK variable as appropriate
# so you don't block yourself while indexing pages for search. :-)
#
# Before running this script, make sure you create the web_abusers_log
# chain, like this:
#
# iptables -N web_abusers_log
# iptables -A web_abusers_log -j LOG --log-prefix "FW: Web Abuser "
# iptables -A web_abusers_log -j DROP
#
# The script fills the web_abusers chain, so that chain must also exist
# and be reached from INPUT (e.g. iptables -N web_abusers and
# iptables -I INPUT -j web_abusers), or the generated rules never apply.

# Sample size: number of most-recent log lines to examine
SAMPLE=1000
# Number of hits from the same host within SAMPLE lines to be considered abuse
ABUSE=250
# Don't block these hosts! Surround each host with colons on both sides
NOBLOCK=":127.0.0.1:216.191.236.23:"
# Output firewall file
FWFILE=/root/web-abusers

# Backup firewall file so we only report newly banned hosts
# (on the very first run there is nothing to back up yet)
[ -f "$FWFILE" ] && mv -f "$FWFILE" "$FWFILE.ORIG"
touch "$FWFILE.ORIG"

# Start a fresh rule file; flushing the chain drops the bans of hosts
# that have calmed down since the last run
cat <<EOF > "$FWFILE"
#!/bin/sh
/sbin/iptables -F web_abusers > /dev/null 2>&1
EOF

for logfile in "$@" ; do
    # Count requests per client (first field of the access log) over the
    # last SAMPLE lines and keep only hosts above the ABUSE threshold
    tail -n "$SAMPLE" "$logfile" | awk '{print $1}' | sort | uniq -c |
        awk -v abuse="$ABUSE" '$1 > abuse' |
        while read -r count host ; do
            # Don't block myself!
            case "$NOBLOCK" in
                *":${host}:"*) continue ;;
            esac
            # Report the host only if it was not already banned last run;
            # match the whole rule so 10.0.0.1 does not hide 10.0.0.10
            grep -qF -- "--source $host -j" "$FWFILE.ORIG" \
                || echo "`date`: Host $host marked as abusive ($count hits) in $logfile"
            echo "/sbin/iptables -A web_abusers --source $host -j web_abusers_log" >> "$FWFILE"
        done
done

# Apply the new rule set
. "$FWFILE"
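The threshold check at the heart of watch-apache-abuse, rewritten as an added example (this is not David's script and not part of the original post) so it can be tested against a constructed access log before it is wired to iptables. The function name list_abusers, the helper make_sample_log and the three sample addresses are assumptions made for this example; the SAMPLE / ABUSE / NOBLOCK semantics are those of the script above.

```shell
#!/bin/sh
# Added example, not the watch-apache-abuse script itself.
# list_abusers SAMPLE ABUSE NOBLOCK < access_log
#   SAMPLE  number of most-recent log lines to examine
#   ABUSE   hits from one host within SAMPLE lines that count as abuse
#   NOBLOCK colon-delimited hosts that are never reported, e.g. ":127.0.0.1:"
# Prints "count host" for every host over the threshold, nothing otherwise.
list_abusers() {
    sample=$1; abuse=$2; noblock=$3
    # Client address is the first field of an Apache common/combined log line
    tail -n "$sample" | awk '{print $1}' | sort | uniq -c |
        awk -v abuse="$abuse" '$1 > abuse { print $1, $2 }' |
        while read -r count host; do
            case "$noblock" in
                *":$host:"*) continue ;;   # exempt host, e.g. our own indexer
            esac
            echo "$count $host"
        done
}

# Constructed sample log (assumption: addresses and requests are made up):
# 10.0.0.5 hammers the server with worm-style probes, 192.0.2.10 is our own
# crawler hitting just as often, 198.51.100.7 is an ordinary visitor.
make_sample_log() {
    i=0
    while [ "$i" -lt 30 ]; do
        echo '10.0.0.5 - - [23/Aug/2002:10:00:00 -0400] "GET /default.ida HTTP/1.0" 404 276'
        echo '192.0.2.10 - - [23/Aug/2002:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 1024'
        i=$((i + 1))
    done
    echo '198.51.100.7 - - [23/Aug/2002:10:00:02 -0400] "GET /about.html HTTP/1.0" 200 512'
}

# Usage: with a window of 1000 lines, a threshold of 20 hits and the crawler
# exempt, only 10.0.0.5 is reported.
make_sample_log | list_abusers 1000 20 ":127.0.0.1:192.0.2.10:"
```

Dropping 192.0.2.10 from the NOBLOCK list makes the crawler show up alongside the attacker, and shrinking SAMPLE to a handful of lines makes the report empty, which is the quickest way to see that the window size and the threshold must be tuned together for a given site's traffic.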