On 08/24/2010 09:33 PM, J and T wrote:
> Hello,
>
> I've been a Shorewall user and supporter for many years and it has been
> a great tool. But recently our Web servers have been under attack and I
> can figure out how to stop it. The problem is that the attacks are
> coming in on port 80 all from different IPs. I'm talking thousands of
> requests per hour. I can't find any information on how to stop this kind
> of attack. What I'm doing right now is redirecting these from cgi to a
> page using mod rewrite, but this isn't stopping all these requests from
> being initiated and it's killing our server. Any ideas on what to do?
>
> 216.109.73.21 - - [24/Aug/2010:19:21:25 -0700] "GET /cgi-bin/sitesearch.cgi?t=XXXdUwYrtYXXXdU HTTP/1.0" 302 298 "http://vanhanhphuc.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"
> 200.43.141.173 - - [24/Aug/2010:19:21:25 -0700] "GET /cgi-bin/sitesearch.cgi?t=XXXdUwYrtYXXXdU HTTP/1.0" 302 298 "http://vanhanhphuc.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"
> 210.13.105.7 - - [24/Aug/2010:19:21:26 -0700] "GET /cgi-bin/sitesearch.cgi?t=XXXdUwYrtYXXXdU HTTP/1.1" 302 298 "http://vanhanhphuc.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9"
>
> I have verified that there is nothing on the "http://vanhanhphuc.com/"
> page pointing to us (no frames, script or ?). What you will notice is
> that all these requests have the same user-agent (millions of them
> exactly the same) which leads me to believe this is a worm of some sort.
>
> Is there anything Shorewall can do to help us? If not, any ideas of what
> we can do?
>
> Thanks in advance,
> John

You could try using fail2ban with a regex for "vanhanhphuc" or something.
And then once matched, ban the IP address.

http://www.fail2ban.org/wiki/index.php/Main_Page

Sam

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
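
The referer match suggested in the reply above, as an added example that is not part of the original thread and is not fail2ban's own code: it parses the quoted access-log lines, matches the referer field only, and lists the hosts that would be banned. The function name `hosts_to_ban` is hypothetical, its `maxretry` and `findtime` parameters mirror the fail2ban settings of the same names, and the last two sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format, as in the excerpt quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# Anchored to the referer field, so the name elsewhere on the line does not count.
BAD_REFERER = re.compile(r'^https?://(?:www\.)?vanhanhphuc\.com(?:/|$)', re.I)

def hosts_to_ban(lines, maxretry=1, findtime=timedelta(minutes=10)):
    """Hosts with at least maxretry matching requests inside findtime, in trip order."""
    hits, banned = defaultdict(deque), []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not BAD_REFERER.match(m["referer"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = hits[m["host"]]
        window.append(ts)
        while ts - window[0] > findtime:  # drop hits older than the window
            window.popleft()
        if len(window) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned

UA = ('"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) '
      'Gecko/20100315 Firefox/3.5.9"')
SAMPLE = [
    # Three entries from the thread.
    '216.109.73.21 - - [24/Aug/2010:19:21:25 -0700] "GET /cgi-bin/sitesearch.cgi'
    '?t=XXXdUwYrtYXXXdU HTTP/1.0" 302 298 "http://vanhanhphuc.com/" ' + UA,
    '200.43.141.173 - - [24/Aug/2010:19:21:25 -0700] "GET /cgi-bin/sitesearch.cgi'
    '?t=XXXdUwYrtYXXXdU HTTP/1.0" 302 298 "http://vanhanhphuc.com/" ' + UA,
    '210.13.105.7 - - [24/Aug/2010:19:21:26 -0700] "GET /cgi-bin/sitesearch.cgi'
    '?t=XXXdUwYrtYXXXdU HTTP/1.1" 302 298 "http://vanhanhphuc.com/" ' + UA,
    # Constructed: ordinary visitor with a different referer.
    '192.0.2.10 - - [24/Aug/2010:19:21:27 -0700] "GET /index.html HTTP/1.1" '
    '200 5120 "http://www.example.org/" "Mozilla/5.0"',
    # Constructed: the name appears in the query string, not the referer.
    '198.51.100.7 - - [24/Aug/2010:19:21:28 -0700] "GET /cgi-bin/sitesearch.cgi'
    '?t=vanhanhphuc.com HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("\n".join(hosts_to_ban(SAMPLE)))
```

The default `maxretry=1` is an assumption chosen because each source address in the excerpt appears only once; a looser pattern that matches "vanhanhphuc" anywhere on the line would also ban the last constructed visitor.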
