On Monday 11 November 2019 08:33:13 Greg Wooledge wrote:

> > > > I have a list of ipv4's I want fail2ban to block.
> > >
> > > Not sure that fail2ban is the best tool for the job. Where you
> > > already have a list of IPs that you want to block why not just
> > > directly create the iptables rules?
> >
> > just did that, got most of them but semrush apparently has fallback
> > addys to use. But I'm no longer being DDOSed, which was the point.
> > Thanks.
>
> In case it wasn't already clear, what fail2ban does is parse a log
> file looking for repeated instances of an invalid login (or whatever).
> You have to tell it what to look for, and what to do about it.
>
> The typical use is with an ssh server, looking for rapid, repeated
> login failures. If enough failed logins occur from a single IP, then
> it adds a firewall rule to block that IP address.
>
> Hence "fail 2 ban", i.e. "fail -> ban".
>
> If you already know the IP addresses/ranges that you want to block,
> you don't need fail2ban.
>
> But once again, I really think you'd be better served by blocking this
> particular bot based on user-agent string, assuming it has an easily
> identifiable user-agent in your log files. That way, when it changes
> its IP address, it'll still be blocked.
>
> I *know* I told you to look at your log files, and to turn on
> user-agent logging if necessary.
>
> I don't remember seeing you ever *post* your log files here, not even
> a single line from a single instance of this bot. Maybe I missed it.

Only one log file seems to have useful data, the "other..." file, and I
have posted several single lines here, but here's a few more:

coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:53 -0500] "GET /gene/ HTTP/1.1" 200 5141 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:53 -0500] "GET /gene/pix/EasterSundayCropped2004-1.jpg HTTP/1.1" 200 194478 "http://geneslinuxbox.net:6309/gene/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:56 -0500] "GET /favicon.ico HTTP/1.1" 200 1705 "http://geneslinuxbox.net:6309/gene/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:52 -0500] "GET /robots.txt HTTP/1.1" 200 1092 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:53 -0500] "GET /gene/nitros9/level1/d64/modules/sysgo_h0 HTTP/1.1" 200 706 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:58 -0500] "GET /gene/nitros9/level1/coco2b/NOS9_6809_L1_coco2b_cocosdc.dsk HTTP/1.1" 200 4718822 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:21 -0500] "GET /gene/nitros9/level1/coco2_6309/NOS9_6309_L1_coco2_6309_dw_directmodempak.dsk HTTP/1.1" 200 554724 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:29 -0500] "GET /gene/nitros9/level1/dalpha/modules/defsfile HTTP/1.1" 200 248 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:34 -0500] "GET /gene/nitros9/level1/atari/modules/n1_scdwv.dd HTTP/1.1" 200 280 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:39 -0500] "GET /gene/nitros9/level1/coco1_6309/bootfiles/bootfile_covga_cocosdc HTTP/1.1" 200 16133 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"

I did ask earlier if daum was a bot but no one answered. They are
becoming a mite pesky.

Thanks.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
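
The log review suggested in the quoted reply (find the bot by user-agent rather than by IP), sketched as an added example that is not part of either poster's message. The "compatible; Name/version; +URL" heuristic and all names in the code are assumptions.

```python
import re
from collections import defaultdict

# Apache "vhost_combined" layout, as in the lines posted above:
# vhost:port client ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} (?P<size>\d+|-) "[^"]*" "(?P<agent>[^"]*)"$')
# Assumed heuristic: crawlers announce "compatible; Name/ver; +info-URL".
BOT_RE = re.compile(r'compatible;\s*(?P<name>[^/;]+)/[^;]*;\s*\+https?://')

def summarize(lines):
    """Group hits by user-agent; return (stats, unparsable line count)."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "ips": set(),
                                 "robots": False, "bot": None})
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1      # malformed or truncated: count it, do not guess
            continue
        s = stats[m["agent"]]
        s["hits"] += 1
        s["bytes"] += 0 if m["size"] == "-" else int(m["size"])
        s["ips"].add(m["ip"])
        if m["request"].split()[1:2] == ["/robots.txt"]:
            s["robots"] = True    # fetching robots.txt is crawler behaviour
        bot = BOT_RE.search(m["agent"])
        s["bot"] = bot["name"].strip() if bot else None
    return dict(stats), skipped

CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36")
DAUM = ("Mozilla/5.0 (compatible; Daum/4.1; "
        "+http://cs.daum.net/faq/15/4118.html?faqId=28966)")
# Three lines from the post (via a template) plus one constructed truncated line.
T = 'coyote.coyote.den:80 %s - - [11/Nov/2019:%s -0500] "%s" 200 %s "-" "%s"'
SAMPLE = [
    T % ("40.94.105.9", "12:08:53", "GET /gene/ HTTP/1.1", 5141, CHROME),
    T % ("203.133.169.54", "12:10:52", "GET /robots.txt HTTP/1.1", 1092, DAUM),
    T % ("203.133.169.54", "12:10:53",
         "GET /gene/nitros9/level1/d64/modules/sysgo_h0 HTTP/1.1", 706, DAUM),
    'coyote.coyote.den:80 192.0.2.7 - - [11/Nov/2019:12:12:00 -0500] "GET /x',  # constructed
]

if __name__ == "__main__":
    stats, skipped = summarize(SAMPLE)
    for s in stats.values():
        print(s["bot"] or "unlabelled", s["hits"], s["bytes"], sorted(s["ips"]), s["robots"])
    print("unparsable lines:", skipped)
```

Run over the full log, the per-agent totals show which user-agent string accounts for the traffic regardless of how many source addresses it rotates through.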