I spoke too early, still getting spammed ...

On Saturday, 24 June 2017 at 22:20:13 UTC+2, Fredrik Hilmersson wrote:
>
> Thank you!
>
> On Saturday, 24 June 2017 at 21:21:48 UTC+2, dan (ddpbsd) wrote:
>>
>> On Sat, Jun 24, 2017 at 2:08 PM, Fredrik Hilmersson
>> <[email protected]> wrote:
>> > Hello,
>> >
>> > so recently I got spammed by this vulnerability scanner.
>> > The HEAD is always the same, in regards to the $user_agent, Jorgee
>> >
>> > ** Alert 1498324205.1278330: - web,accesslog,
>> > 2017 Jun 24 17:10:05 (OSSEC AGENT) SRCIP->/var/log/nginx/access.log
>> > Rule: 31101 (level 5) -> 'Web server 400 error code.'
>> > 213.119.18.4 - - [24/Jun/2017:19:10:05 +0200] HEAD
>> > http://SRCIP:80/sql/phpmyadmin2/ HTTP/1.1 404 0 - Mozilla/5.0 Jorgee
>> >
>> > So I'm wondering if anyone has a good idea or rule how to block/ban these
>> > attempts?
>> >
>> > Kind regards,
>> > Fredrik
>> >
>>
>> Possibly something like:
>> <rule id="999999" level="0">
>>   <decoded_as>nginx-errorlog</decoded_as>
>>   <match> Jorgee$</match>
>>   <description>Jorgee is loud</description>
>> </rule>
>>
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>>
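An added example, not written by anyone in this thread: the alert quoted above is raised by rule 31101 on `/var/log/nginx/access.log`, so one way to target exactly those events is a local child rule of 31101 combined with an active response. The rule ID 100100, the level, the group name and the 600-second timeout are assumptions chosen for illustration; `firewall-drop` is the command defined in the stock `ossec.conf`.

```xml
<!-- rules/local_rules.xml on the OSSEC server (constructed example) -->
<group name="local,web,accesslog,">

  <!-- Child of 31101 ("Web server 400 error code."), so it is only
       evaluated for access-log events that already produced that alert.
       The match is on the user-agent token seen in the quoted log line. -->
  <rule id="100100" level="7">
    <if_sid>31101</if_sid>
    <match>Jorgee</match>
    <description>Jorgee scanner request returned a 4xx</description>
  </rule>

</group>

<!-- ossec.conf on the OSSEC server (constructed example).
     Blocks the decoded source IP on the agent that reported the event
     and removes the block again after the timeout. -->
<ossec_config>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Replaying the quoted access-log line through `ossec-logtest` on the server shows which decoder and rule chain it hits before the rule is relied on; setting the level to 0 instead silences the alert without blocking anything.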
