Access_log parsing and blocking ip
# 1  
Old 08-27-2014
Access_log parsing and blocking ip

Hello, my website is under HTTP GET attack.

When I check the access_log I can see entries like this.

Code:
xx.xxx.xxx.xxx - - [27/Aug/2014:22:39:47 +0300] "GET //wp-admin/blabla/test.php?jASHSSAsgaGSAgsASGIGIG HTTP/1.1" 200 0 "-" "-"
xxx.xxx.x.xx - - [27/Aug/2014:22:39:47 +0300] "GET //wp-admin/blabla/test.php?jASHSSAsgaGSAgsASGIGIG HTTP/1.1" 200 0 "-" "-"

A normal request starts with "GET /"; the attack requests start with "GET //".

I want to create a script that watches for these requests and, if they are present, bans the requester's IP address via csf.

Could anyone please help me, how can I do that?

And another request type like this, a request starting with ?

Code:
**.***.***.** - - [27/Aug/2014:19:35:25 +0300] "GET /?hAeLxdy2 HTTP/1.1"

Thank you.

Last edited by bartus11; 08-27-2014 at 07:28 PM.. Reason: Please use [code][/code] tags.
# 2  
Old 08-28-2014
Try:

Code:
awk '
  # Match the two attack shapes from the log: "GET //..." and "GET /?..."
  # (every / inside a regex is escaped); $1 is the client IP.
  /"GET \/\// || /"GET \/\?/ {BL[$1]=1}
  # One deny command per unique IP; csf -d/--deny takes the address directly.
  END{for (ip in BL) print "csf --deny " ip }' access_log > ban_ips
if [ -s ban_ips ]
then
    chmod +x ban_ips
    ./ban_ips
fi


Last edited by Chubler_XL; 08-28-2014 at 05:01 PM..
# 3  
Old 09-02-2014
Hello, thank you for your help, it's working well. But I have the same problem: attackers are making attacks to POST /wp-config.php? and xmlrpc.com? How can I add a rule for these requests? Thank you.
# 4  
Old 09-02-2014
You can add as many patterns (in / /) as you like; they have || in between. Also note that all / characters must be escaped with \.

So to add "POST /wp-config.php" and "POST /xmlrpc.com" we add the two extra patterns shown below:

Code:
awk '
  # The two original patterns plus the two new POST patterns, joined with ||;
  # every / inside a regex is escaped. $1 is the client IP.
  /"GET \/\// || /"GET \/\?/ || /"POST \/wp-config.php/ || /"POST \/xmlrpc.com/ {BL[$1]=1}
  # One deny command per unique IP; csf -d/--deny takes the address directly.
  END{for (ip in BL) print "csf --deny " ip }' access_log > ban_ips
if [ -s ban_ips ]
then
    chmod +x ban_ips
    ./ban_ips
fi
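As an added example (not code from the thread, and not part of csf itself), here is a POSIX shell/awk version of the same scan that counts matching requests per client IP, bans only once an IP reaches a threshold, and skips an allow list so your own addresses are never denied. The function name `attack_ips`, the `access_log_scan` comment, and all IP addresses and log lines are constructed for illustration; the `csf -d ip [comment]` form is csf's documented deny syntax.

```shell
#!/bin/sh
# Added example (not from the thread): scan an Apache access_log with the
# thread's attack patterns, count hits per client IP, and emit one csf deny
# command per IP that (a) reached a threshold and (b) is not allow-listed.
# All IPs and log lines below are constructed sample data.

# attack_ips LOGFILE THRESHOLD ALLOWFILE -> "csf -d IP comment" lines, sorted
attack_ips() {
    awk -v threshold="$2" -v allowfile="$3" '
        BEGIN {
            # Allow list: one IP per line; never ban these (e.g. your own host).
            if (allowfile != "")
                while ((getline line < allowfile) > 0) allow[line] = 1
        }
        # Same shapes as the thread: "GET //", "GET /?", and POSTs to
        # wp-config.php or xmlrpc. Every "/" inside a regex is escaped.
        /"GET \/\// || /"GET \/\?/ || /"POST \/wp-config\.php/ || /"POST \/xmlrpc/ {
            hits[$1]++          # $1 is the client IP in common/combined format
        }
        END {
            for (ip in hits)
                if (hits[ip] >= threshold && !(ip in allow))
                    printf "csf -d %s access_log_scan hits=%d\n", ip, hits[ip]
        }' "$1" | sort
}

# Constructed sample input: three attackers, one allow-listed host, one normal client.
WORK=$(mktemp -d)
SAMPLE_LOG="$WORK/access_log"
SAMPLE_ALLOW="$WORK/allow.txt"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [27/Aug/2014:22:39:47 +0300] "GET //wp-admin/blabla/test.php?jASHSSAsg HTTP/1.1" 200 0 "-" "-"
203.0.113.10 - - [27/Aug/2014:22:39:48 +0300] "GET /?hAeLxdy2 HTTP/1.1" 200 0 "-" "-"
203.0.113.10 - - [27/Aug/2014:22:39:49 +0300] "POST /xmlrpc.php HTTP/1.1" 200 0 "-" "-"
203.0.113.20 - - [27/Aug/2014:22:40:01 +0300] "GET //wp-admin/ HTTP/1.1" 200 0 "-" "-"
198.51.100.5 - - [27/Aug/2014:22:40:02 +0300] "POST /wp-config.php?x HTTP/1.1" 200 0 "-" "-"
198.51.100.5 - - [27/Aug/2014:22:40:03 +0300] "POST /wp-config.php?y HTTP/1.1" 200 0 "-" "-"
192.0.2.7 - - [27/Aug/2014:22:40:04 +0300] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.30 - - [27/Aug/2014:22:40:05 +0300] "GET //wp-login.php HTTP/1.1" 200 0 "-" "-"
203.0.113.30 - - [27/Aug/2014:22:40:06 +0300] "GET /?abc HTTP/1.1" 200 0 "-" "-"
EOF
echo 198.51.100.5 > "$SAMPLE_ALLOW"

# Review the generated commands; pipe them into sh only once you trust the list.
attack_ips "$SAMPLE_LOG" 2 "$SAMPLE_ALLOW"
```

With threshold 2 the sample yields deny commands for 203.0.113.10 and 203.0.113.30 only: 203.0.113.20 made a single matching request and 198.51.100.5 is allow-listed.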
