Good morning. Looking at the access.log for one of my sites, there are many entries similar to [newlines added to improve readability]:

85.140.96.13 - - [07/Oct/2005:07:50:21 -0400] "-" 408 - "-" "-"
172.181.197.107 - - [07/Oct/2005:07:50:49 -0400] "-" 408 - "-" "-"
85.140.96.13 - - [07/Oct/2005:07:51:43 -0400] "-" 408 - "-" "-"
172.181.197.107 - - [07/Oct/2005:07:52:16 -0400] "-" 408 - "-" "-"
85.114.64.140 - - [07/Oct/2005:07:52:40 -0400] "GET /blog/index.php HTTP/1.1" 200 12825 "http://carisoprodol.get.to/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
80.193.21.24 - - [07/Oct/2005:07:53:16 -0400] "GET /blog/index.php HTTP/1.1" 200 12825 "http://online-hydrocodone.drop.to/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; Media Center PC 3.1)"
172.176.195.32 - - [07/Oct/2005:07:55:28 -0400] "GET /blog/index.php HTTP/1.1" 200 13285 "http://buy-ambien.drop.to/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

So I made two scripts, one for the .to crap, the other for the 408 crap:

    #!/bin/bash
    # drop every client in the last 100 lines whose line contains ".to/"
    for i in `tail -100 /var/log/apache/inillotempore.com-access.log.1|awk \
      '/\.to\// {print $1}'|sort|uniq`
    do
      iptables -A INPUT -i eth0 -s $i -j DROP
    done

and

    #!/bin/bash
    # drop every client in the last 100 lines whose line contains " 408 -"
    for i in `tail -100 /var/log/apache/inillotempore.com-access.log.1|awk \
      '/ 408 -/ {print $1}'|sort|uniq`
    do
      iptables -A INPUT -i eth0 -s $i -j DROP
    done

I added crontab entries to run these every two minutes. I've done `iptables -L INPUT| grep DROP| tail` a few times, and addresses are appending to the INPUT chain.

I wanted to use awk to grab the IP when a '408' has a leading whitespace and a trailing whitespace followed by '-'. Did I do that correctly? Any mistakes people would like to point out, or comments?

I do realize that any Tonga domains get caught by the first script. I'll live with that, and that `sort -u` would probably accomplish the same result.
--
Mike Fieschko
Raleigh, NC
http://devmike.com
http://devmike.com/blog
http://inillotempore.com
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
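The two log patterns from the post, as an added example that is not the poster's own scripts: awk splits each line on double quotes so the status code and the Referer are read from fixed fields (with whitespace splitting, the bare "-" request of a 408 line shifts the status two fields to the left), and the iptables rules are printed as a dry run instead of being applied. The function names (timeout_ips, to_referer_ips, print_drop_rules) and the sample log, built from the entries quoted above plus one constructed line with ".to/" in the path and 408 as the byte count, are mine.

```shell
#!/bin/bash
# Added example, not the poster's scripts: field-based matching of the two
# log patterns, printing the iptables rules as a dry run.

# Constructed sample log in Apache combined format (user agents shortened).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
85.140.96.13 - - [07/Oct/2005:07:50:21 -0400] "-" 408 - "-" "-"
172.181.197.107 - - [07/Oct/2005:07:50:49 -0400] "-" 408 - "-" "-"
85.140.96.13 - - [07/Oct/2005:07:51:43 -0400] "-" 408 - "-" "-"
85.114.64.140 - - [07/Oct/2005:07:52:40 -0400] "GET /blog/index.php HTTP/1.1" 200 12825 "http://carisoprodol.get.to/" "Mozilla/4.0"
80.193.21.24 - - [07/Oct/2005:07:53:16 -0400] "GET /blog/index.php HTTP/1.1" 200 12825 "http://online-hydrocodone.drop.to/" "Mozilla/4.0"
192.0.2.10 - - [07/Oct/2005:07:54:00 -0400] "GET /blog/how.to/index.php HTTP/1.1" 200 408 "-" "Mozilla/4.0"
EOF

# Unique client IPs whose request ended in status 408 with no bytes sent.
# Splitting on double quotes keeps the status in $3 even when the request
# field is just "-"; a byte count of 408 on a 200 response does not match.
timeout_ips() {
    awk -F'"' '{
        split($3, st, " ")
        if (st[1] == "408" && st[2] == "-") { split($1, c, " "); print c[1] }
    }' "$1" | sort -u
}

# Unique client IPs whose Referer host ends in .to; only the referer field
# ($4) is inspected, so ".to/" inside the request path does not match.
to_referer_ips() {
    awk -F'"' '$4 ~ "^https?://[^/]*\\.to/" { split($1, c, " "); print c[1] }' "$1" | sort -u
}

# Dry run: print the rules instead of applying them so the list can be
# reviewed first (408 entries are also logged for connections a browser
# opened but never sent a request on).
print_drop_rules() {
    for ip in "$@"; do
        echo "iptables -A INPUT -i eth0 -s $ip -j DROP"
    done
}

print_drop_rules $(timeout_ips "$SAMPLE_LOG") $(to_referer_ips "$SAMPLE_LOG")
```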
