A rule to block IPs looking for non-existent pages

peterelsner
Junior Member
Posts: 73
Joined: 16 Nov 2010, 22:49

Post by peterelsner »

We have noticed that in our error log file, there will sometimes be one or two IP addresses that are
hammering the server looking for a particular page on a customer's site that no longer exists.

In 2 days, we noticed 3 IPs that have hit the same page and received a 404 error
over 740 thousand times.

Running a query such as:

cat /usr/local/apache/logs/error_log | awk '{print $8}' | sort | uniq -c | sort -n 
will produce results similar to this:
...

22353 xxx.xxx.x.x]
216689 xx.xxx.xx.xx]
501219 xx.xxx.xx.xxx]

The number on the left is the number of times that the IP address on the right (designated by x's) has hit a certain page.

I'm wondering if there is a rule that can be created in either csf (or even mod_security) that would look for 404 errors and, if the number of 404 errors from a single IP address reaches, let's say, 1000, block the IP?

I'll also ask the people at gotroot.com to see if they can come up with something.

Thanks.
Peter
expl
Junior Member
Posts: 6
Joined: 04 Jan 2011, 09:38

Post by expl »

I would be interested in such a feature, also.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

That is probably best done using ModSecurity, but I'll look into it a bit more.
peterelsner
Junior Member
Posts: 73
Joined: 16 Nov 2010, 22:49

Post by peterelsner »

Just read the ChangeLog for 5.20. I see you added LF_APACHE_404 and LF_APACHE_404_PERM.

Thank you so very much!!!

That should really help in this type of attack.
peterelsner
Junior Member
Posts: 73
Joined: 16 Nov 2010, 22:49

Post by peterelsner »

Chirpy, a small update you may want to make in lfd.pl...

Line 1753 you have this:

&ipblock($perm,"$tip, more than $config{LF_APACHE_404} Apache 404 hits in the last hour",$ip,$ports{mod_security},"in",$config{LF_APACHE_404_PERM},0,"","LF_APACHE_404");

It should be:

&ipblock($perm,"$tip, more than $config{LF_APACHE_404} Apache 404 hits in the last $config{LF_INTERVAL} secs",$ip,$ports{mod_security},"in",$config{LF_APACHE_404_PERM},0,"","LF_APACHE_404");
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Post by ForumAdmin »

Thanks, I'll make the change for the next release :)
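
The check discussed in this thread (count 404s per IP and flag an IP once it passes a limit inside a time window), as an added example that is not part of the thread and is not csf/lfd code. It assumes Apache 2.2-style error_log lines, the layout in which the awk pipeline's $8 is the client IP; `threshold` and `window_secs` are hypothetical parameters standing in for the roles of LF_APACHE_404 and LF_INTERVAL, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache 2.2-style error_log line: the layout in which awk's $8 is "IP]".
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"File does not exist: "
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def find_404_offenders(lines, threshold, window_secs):
    """Return {ip: peak_count} for each IP that logged more than `threshold`
    "File does not exist" errors within any `window_secs`-second span.
    Assumes lines are in chronological order, as in a live log."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a 404; a plain per-IP line count would include it
        try:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        except ValueError:
            continue  # unparseable timestamp
        ip = m.group("ip")
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > window_secs:
            hits.popleft()  # drop hits that have aged out of the window
        if len(hits) > threshold:
            peak[ip] = max(peak.get(ip, 0), len(hits))
    return peak


def sample_log():
    """Constructed sample lines (documentation IP ranges), not real traffic."""
    base = "[Wed Jan 05 10:{:02d}:{:02d} 2011] [error] [client {}] {}"
    missing = "File does not exist: /home/example/public_html/old-page.html"
    denied = "client denied by server configuration: /home/example/admin"
    lines = [base.format(15, s, "192.0.2.10", missing) for s in range(12)]
    lines += [base.format(m, 30, "198.51.100.7", missing) for m in (0, 10, 20)]
    lines.append(base.format(16, 0, "192.0.2.10", denied))
    return lines


if __name__ == "__main__":
    for ip, count in find_404_offenders(sample_log(), 10, 300).items():
        print(f"{ip}: {count} missing-file errors inside 300 secs")
```

Unlike the raw `awk '{print $8}'` count, this only counts "File does not exist" entries, so other error types from the same client do not push it over the limit.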