A rule to block IP's looking for non existant pages

[peterelsner]

We have noticed that in our error log file, there will sometimes be one or two IP addresses that are
hammering the server looking for a particular page on a customers site that no longer exists.

In 2 days, we noticed 3 IP's that have hit the same page and received a 404 error
over 740 thousand times.

Running a query such as:

Code: Select all

cat /usr/local/apache/logs/error_log | awk '{print $8}' | sort | uniq -c | sort -n 

will produce results similar to this:
...

22353 xxx.xxx.x.x]
216689 xx.xxx.xx.xx]
501219 xx.xxx.xx.xxx]

The number on the left is the number of times that IP address on the right (designated by x's) has hit a certain page.

I'm wondering if there is a rule that can be created either csf (or even mod_security) that would look for 404 errors and if the number of 404 errors from a single IP address reaches let's say 1000, it blocks the IP?

I'll also ask the people at gotroot.com to see if they can come up with something.

Thanks.
Peter

[expl]

I would be interested in such a feature, also.

[chirpy]

That is probably best done using ModSecurity, but I'll look into a bit more.

[peterelsner]

Just read the ChangeLog for 5.20. I see you added LF_APACHE_404 and LF_APACHE_404_PERM

Thank you so very much!!!

That should really help in this type of attack.

[peterelsner]

Chirpy, a small update you may want to make in lfd.pl...

Line 1753 you have this:

&ipblock($perm,"$tip, more than $config{LF_APACHE_404} Apache 404 hits in the last hour",$ip,$ports{mod_security},"in",$config{LF_APACHE_404_PERM},0,"","LF_APACHE_404");

It should be:

&ipblock($perm,"$tip, more than $config{LF_APACHE_404} Apache 404 hits in the last $config{LF_INTERVAL} secs",$ip,$ports{mod_security},"in",$config{LF_APACHE_404_PERM},0,"","LF_APACHE_404");

[ForumAdmin]

Thanks, I'll make the change for the next release