You're looking for fail2ban, a program which combines active log-monitoring with IP blacklisting and other response measures. You can configure it so that after "X" 404s from a single client, that client gets their IP blacklisted for Y hours.
On Tue, Dec 13, 2011 at 9:34 AM, Jeffrey Moncrieff <[email protected]> wrote: > > > Hello > > I have am host a couple of virtual web servers at home. The sites are not > that busy. But I am seeing a lot of 404 errors and this morning I was > checking my daily logwatch report and I spotted some weird in the logs > > A total of 2 sites probed the server > 122.255.96.164 > 85.88.195.35 > > A total of 3 possible successful probes were detected (the following URLs > contain strings that match one or more of a listing of strings that > indicate a possible exploit): > > /?file=../../../../../../proc/self/environ%00 HTTP Response 200 > /?mod=../../../../../../proc/self/environ%00 HTTP Response 200 > /?page=../../../../../../proc/self/environ%00 HTTP Response 200 > > I have since blocked those ip with iptables. But now I want to know if there > is a script that I can run that automatically block suspected malicious ip's > or do I just have baby sit the server and keep a closer eye on the logs. > > > Jeff > > Jeffrey Dean Moncrieff > Moncrieff consulting IT > Vancouver/Ottawa > Cell (613)298-6493 > [email protected] > _______________________________________________ > Linux mailing list > [email protected] > http://oclug.on.ca/mailman/listinfo/linux -- Evil will always triumph, because good is dumb _______________________________________________ Linux mailing list [email protected] http://oclug.on.ca/mailman/listinfo/linux
