edliner.blogg.se

Apache log grep unique ip
Recently, one of our shared hosting webservers at Onlime GmbH got hit by a DoS attack. The attacker started a larger vulnerability scan against common Wordpress security issues. We already had common brute-force attack patterns on Wordpress covered by a custom Fail2Ban jail, which mainly trapped POST requests to xmlrpc.php or wp-login.php (the usual dumb WP brute-force attacks). But this DoS attack had hundreds of customer sites as target and did not get trapped by our existing rules. After having blocked the attacker's IP (glad this was no large-scale DDoS!), I wrote an extra Fail2Ban jail which traps such simple DoS attacks.

There are other good articles about setting up such Fail2Ban jails to block simple DoS, but they didn't quite fit our needs:

  • Install fail2ban to protect your site from DOS attacks.
  • Using fail2ban to mitigate simple DOS attacks against apache (or why I am a terrible sysop).

It's a very basic Fail2Ban jail that should cover common attacks and should not cause any false positives, as it only gets triggered by a large amount of failed GET requests. The rule: ban the attacker's IP if there are more than 300 GET requests during a time span of 5 minutes resulting in HTTP non-200 (OK) status codes: 401, 403, 404, 503.

We're going to scan all customer Apache access.log logfiles, which are in a slightly tuned (non-standard) combined log format. The filter definition:

    filter.d/nf
    # Fail2Ban filter to scan Apache access.log for DoS attacks
    before = nf
    # Option:  failregex
    # Notes.:  regex to match GET requests in the logfile resulting in one of the
    #          following status codes: 401, 403, 404, 503.
    #          The host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
    # Values:  TEXT
    failregex = ^.

You might want to tune the failregex to your needs. For our use case, I have created a regex101 with some sample log lines which you can play around with. The filter will ignore any failing GET /robots.txt requests (as most bots request this); that is handled by the ignore regex, which works the other way round: if this regex matches, the line is ignored. It will also not care about "sane" HTTP status codes like 200 (OK), 301 (Moved Permanently) or 302 (Found). So please be aware that this jail only protects you from one kind of DoS attack, the kind that targets a large number of non-existing URLs/paths, which is mostly the case for malicious vulnerability scans.

To list the unique IPs in a log with grep, parse the file and print all expressions that match the range 0.0.0.0 to 999.999.999.999. This regular expression is quite simple, but you should understand that not all matches are technically valid IP addresses.
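The failregex/ignoreregex pair, the 300-requests-in-5-minutes rule and the loose grep-for-IPs pattern described above, as an added Python example that is not code from the original post or from Fail2Ban itself: it expands the <HOST> tag the way Fail2Ban does, counts failures per host over a sliding window the way a jail's maxretry/findtime pair does (Fail2Ban bans at "maxretry reached", so the threshold check is >=), and shows why the loose 0.0.0.0 to 999.999.999.999 pattern needs a validity check afterwards. The log lines are constructed, the standard combined log format is assumed (the post's tuned format is not shown), and the post's own failregex is not reproduced; the request/status regex here is the example's own.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access.log lines in the standard Apache "combined" format
# (not from the original post; the post's own log format is slightly tuned).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0200] "GET /xmlrpc.php HTTP/1.1" 404 209 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0200] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0200] "GET /robots.txt HTTP/1.1" 404 199 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0200] "GET /old-backup.zip HTTP/1.1" 404 199 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0200] "GET / HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0200] "GET /favicon.ico HTTP/1.1" 404 199 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0200] "GET /blog HTTP/1.1" 301 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:30:00 +0200] "POST /wp-login.php HTTP/1.1" 403 199 "http://999.999.999.999/" "curl/8.0"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# What Fail2Ban's <HOST> tag expands to: a named group "host".
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex equivalent (this example's own, not the post's): a GET request
# answered with 401, 403, 404 or 503. 200/301/302 never match, so "sane"
# traffic is not counted at all.
FAILREGEX = re.compile(
    r"^" + HOST + r" \S+ \S+ \[(?P<time>[^\]]+)\] \"GET [^\"]*\" (?:401|403|404|503) "
)
# ignoreregex equivalent: failing robots.txt fetches are expected from bots.
IGNOREREGEX = re.compile(r"\"GET /robots\.txt[ \"]")
# The loose pattern a quick grep for IPs uses: matches 0.0.0.0 .. 999.999.999.999.
LOOSE_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_failure(line):
    """Return {'host', 'time'} if the line counts as a failure, else None."""
    if IGNOREREGEX.search(line):
        return None
    m = FAILREGEX.match(line)
    if m is None:
        return None
    return {"host": m.group("host"),
            "time": datetime.strptime(m.group("time"), TIME_FORMAT)}


def find_bans(lines, maxretry=300, findtime=300):
    """Sliding-window model of a jail: ban a host once it has collected
    maxretry failures within findtime seconds.

    Returns {host: time of the failure that triggered the ban}.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None or hit["host"] in bans:
            continue
        q = recent[hit["host"]]
        q.append(hit["time"])
        # Drop failures older than findtime relative to the newest one.
        while hit["time"] - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            bans[hit["host"]] = hit["time"]
    return bans


def unique_hosts(lines):
    """Distinct client hosts (first field), like `awk '{print $1}' | sort -u`."""
    first_field = re.compile(r"^" + HOST + r" ")
    return {m.group("host") for m in map(first_field.match, lines) if m}


def grep_unique_ips(text):
    """Every distinct match of the loose pattern, like `grep -oE ... | sort -u`."""
    return sorted(set(LOOSE_IP.findall(text)))


def strictly_valid_ips(candidates):
    """Keep only syntactically valid IPv4 addresses (every octet 0..255)."""
    out = []
    for c in candidates:
        try:
            ipaddress.IPv4Address(c)
            out.append(c)
        except ValueError:
            pass  # e.g. 999.999.999.999 passes the loose grep but is not an address
    return out


if __name__ == "__main__":
    print("unique hosts:", sorted(unique_hosts(SAMPLE_LINES)))
    print("loose grep:", grep_unique_ips(SAMPLE_LOG))
    print("valid only:", strictly_valid_ips(grep_unique_ips(SAMPLE_LOG)))
    print("bans (maxretry=3, findtime=300):", find_bans(SAMPLE_LINES, maxretry=3))
```

With the post's real thresholds (maxretry=300, findtime=300) the eight sample lines ban nobody; lowering maxretry to 3 shows the mechanics: the scanner's robots.txt miss is ignored, its three other failed GETs fall inside one 5-minute window and trigger the ban, while the browser with a single 404 and the POST-only client stay untouched. The loose grep turns up four "addresses" in the same text, one of which the strict check rejects.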