As most of you who know me know (*that's* an awkward phrase!), I'm not a programmer. I do, though, like to dabble with shell scripting, since it's one of the funnerest things you can do with *nix.
Our web server has been getting hammered by idiots (the vast majority in China) who are trying out various combinations of URLs on our box, looking for proxy servers. We aren't running any proxy servers. Nonetheless, this hasn't stopped these idiots from trying, sometimes hundreds of times a day, to find proxy servers on our web server. As we detect them in our error logs, we've been blocking them using the firewall. Well, we're not just blocking the specific IPs. Oh no. We're blocking the whole IP range. At this point, we are blocking millions of addresses in China (& Korea), & we're going to keep going.

So I wrote this script last night that is called via a cron job that runs close to midnight. It scans our error logs, figures out who's sniffing us for proxies, calculates how many times they've done so, figures out their IP range, & then emails the whole thing to us so we can get to work blocking them the next morning. The email we get looks like this:

    Bastards sniffing for proxies on our Apache server as of DATE: 2005-08-10

    23      60.177.182.48           60.177.0.0 - 60.177.255.255
    3       221.197.143.4           221.196.0.0 - 221.198.255.255
    2       220.166.165.132         220.166.0.0 - 220.167.127.255
    2       218.14.125.206          218.13.0.0 - 218.18.255.255
    1       61.55.103.126           61.55.0.0 - 61.55.255.255
    1       222.90.173.246          222.90.0.0 - 222.91.255.255
    1       221.196.56.157          221.196.0.0 - 221.198.255.255
    1       218.66.221.69           218.66.0.0 - 218.67.127.255
    1       211.141.78.34           211.141.0.0 - 211.141.79.255

Here's the script. Any thoughts or corrections or improvements appreciated. If you want to use any part of it, have at it.
<begin script>
#!/bin/bash

# get today's date in the format Apache writes it in error_log, e.g. "Wed Aug 10"
# (or "Tue Aug  9": the day is space-padded, which plain `date | cut` gets wrong)
today=$(date '+%a %b %e')

# figure out who's been sniffing for proxies on our server: pull the client IP
# out of each matching line, & write the sorted, unique, counted list to a file,
# biggest offender first (sort -rn, not -r, so 10 sorts above 9)
grep -F "[$today " /var/log/httpd/error_log | grep -i proxy \
    | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' \
    | sort | uniq -c | sort -rn > /path/to/bastards

# read the list one line at a time; read splits the count & the IP for us,
# so there is no need to turn spaces into underscores for echo
while read -r num_of_hits ip
do
    # what's the bastard's IP range (so we can block it!) -- take the first
    # inetnum line from the APNIC-style whois answer
    iprange=$(whois "$ip" | sed -n 's/^inetnum: *//p' | head -n 1)
    # print the data on one line (data goes in printf arguments, not the format)
    printf '%s\t%s\t\t%s\n' "$num_of_hits" "$ip" "$iprange"
done < /path/to/bastards > /path/to/bastards3

# cleanup
mv /path/to/bastards3 /path/to/bastards
proxy_sniffers=$(cat /path/to/bastards)

# Send email to Bryan Consulting reporting bastards
printf 'Bastards sniffing for proxies on our Apache server as of %s\n\n%s\n' \
    "$today" "$proxy_sniffers" | mail -s 'Proxy-sniffing bastards' [EMAIL PROTECTED]
<end script>

Scott

-- 
R. Scott Granneman [EMAIL PROTECTED] ~ www.granneman.com
Full list of publications: http://www.granneman.com/publications
My new book on Firefox: Don't Click on the Blue E!
Info at: http://www.oreilly.com/catalog/bluee/
Read the Open Source Blog: http://opensource.weblogsinc.com
Join GranneNotes! Information at www.granneman.com
"Happiness lies not in the mere possession of money; it lies in the joy of achievement, in the thrill of creative effort." ---Franklin Delano Roosevelt, in his inaugural speech, 4 March 1933
_______________________________________________
CWE-LUG mailing list
[email protected]
http://www.cwelug.org/
http://www.cwelug.org/archives/
http://www.cwelug.org/mailinglist/
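Added example, not Scott's script and not from the CWE-LUG post: the same three steps his script performs (pull proxy-probing client IPs for one day out of error_log and count them, take the inetnum range from a whois answer, turn that range into something the firewall can take), written as functions and run over constructed sample data so the whole thing can be tried offline. The log lines, the whois fragment and the IP addresses in them are constructed (documentation ranges), and `whois` itself is never called. It goes one step further than the post: a whois "start - end" range is not always one block, so `range_to_cidr` computes the minimal list of CIDR prefixes covering it.

```bash
#!/bin/bash
# Added example, not the script from the post above. All sample data below is
# constructed; the IPs are documentation/test ranges, not real offenders.

# Constructed sample lines in the Apache error_log format of the time:
# "[Day Mon dd hh:mm:ss yyyy] [error] [client IP] message".
SAMPLE_LOG='[Wed Aug 10 01:02:03 2005] [error] [client 192.0.2.10] client denied by server configuration: proxy:http://www.example.com/
[Wed Aug 10 01:02:05 2005] [error] [client 192.0.2.10] client denied by server configuration: proxy:http://www.example.net/
[Wed Aug 10 02:15:00 2005] [error] [client 198.51.100.7] client denied by server configuration: proxy:http://www.example.org/
[Wed Aug 10 02:16:00 2005] [error] [client 203.0.113.9] File does not exist: /var/www/html/favicon.ico
[Tue Aug  9 23:59:59 2005] [error] [client 192.0.2.10] client denied by server configuration: proxy:http://www.example.com/'

# Constructed fragment of an APNIC-style whois answer (the real script gets it
# from `whois "$ip"`); only the inetnum line is used.
SAMPLE_WHOIS='inetnum:        192.0.2.0 - 192.0.2.255
netname:        TEST-NET-1
descr:          documentation range (constructed sample)
country:        ZZ'

# Print "count ip" lines, most hits first, for proxy probes logged on the given
# day. $1 must be the day exactly as Apache writes it ("Wed Aug 10", or
# "Tue Aug  9" with a padded single digit), i.e. the output of date '+%a %b %e'.
proxy_probers() {
    grep -F "[$1 " | grep -i proxy |
        sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Pull "start - end" out of whois output on stdin (first inetnum line only).
inetnum_range() {
    sed -n 's/^inetnum: *//p' | head -n 1
}

# Dotted quad <-> 32-bit integer, using only shell arithmetic.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the minimal set of CIDR blocks covering $1..$2 inclusive. A whois range
# need not be one block: 221.196.0.0 - 221.198.255.255 from the post's report
# is a /15 plus a /16.
range_to_cidr() {
    start=$(ip2int "$1")
    end=$(ip2int "$2")
    while [ "$start" -le "$end" ]; do
        prefix=32
        # widen the block while it stays aligned and does not overshoot end
        while [ "$prefix" -gt 0 ]; do
            mask=$(( (1 << (33 - prefix)) - 1 ))
            if [ $(( start & mask )) -ne 0 ] || [ $(( start + mask )) -gt "$end" ]; then
                break
            fi
            prefix=$(( prefix - 1 ))
        done
        echo "$(int2ip "$start")/$prefix"
        start=$(( start + (1 << (32 - prefix)) ))
    done
}

# Feed an inetnum "start - end" string straight to range_to_cidr.
inetnum_to_cidr() {
    set -- $1
    range_to_cidr "$1" "$3"
}

# Demo when run directly: who probed on the sample day, the range the sample
# whois answer gives, and the block list for that range.
printf '%s\n' "$SAMPLE_LOG" | proxy_probers 'Wed Aug 10'
printf '%s\n' "$SAMPLE_WHOIS" | inetnum_range
inetnum_to_cidr "$(printf '%s\n' "$SAMPLE_WHOIS" | inetnum_range)"
```

The day string matters more than it looks: Apache pads a single-digit day with a space, so `grep "Wed Aug 2"` silently matches nothing on the 2nd while `date '+%a %b %e'` produces the padded form. The CIDR list is what a firewall wants; a range such as 218.13.0.0 - 218.18.255.255 from the report needs four rules (218.13.0.0/16, 218.14.0.0/15, 218.16.0.0/15, 218.18.0.0/16), not one.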
