As I wrote in a previous article, someone is hammering my server with continuous requests for nonexistent resources, such as /browserToolbarGetData?v=2. This could be related to a new IP address I just bought. I don’t know yet, but there is no trace of any history for this IP address, so I think I’m the first to use it, and I’m inclined to believe it is just a remote possibility… Anyway, let’s take some countermeasures.
I don’t want them even to reach my HTTP server, so I set up a fail2ban filter.
I configure this filter to ban every IP address whose request matches the following regex:
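    # Fail2Ban configuration file
    #
    # Author: Giuseppe
    #
    # $Revision: uhm $
    #

    [Definition]

    # <HOST> marks where fail2ban captures the client address to ban.
    # The path is written \/browserToolbarGetData: a bare \b would be
    # read as a word boundary and the pattern would never match.
    failregex = ^<HOST> -.*"(GET|POST).*\/browserToolbarGetData.* HTTP\/.*$

    ignoreregex =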
Then I activate this new filter by adding its definition to the jail.local file, as follows:
and then at the end of the file, after a blank line, I add this section:
    [wordpress-toolbar]
    enabled = true
    port = http,https
    filter = wordpress-toolbar
    logpath = /var/log/ispconfig/httpd/*/*access.log
    bantime = 360
    findtime = 30
    maxretry = 1
This means that the jail is “enabled”, the filter file is “wordpress-toolbar”, and the log files kept under surveillance are those matching “/var/log/ispconfig/httpd/*/*access.log”. The “bantime” is the duration of the ban in seconds, the “findtime” is the time range within which the filter has to match in order to trigger the action, and “maxretry” is the maximum number of retries. In this case our maxretry is just 1.
    2013-01-02 10:04:04,000 fail2ban.actions: WARNING [wordpress-mapi] Ban 126.96.36.199
    2013-01-02 10:04:29,059 fail2ban.actions: WARNING [wordpress-mapi] Ban 188.8.131.52
    2013-01-02 10:04:35,098 fail2ban.actions: WARNING [wordpress-mapi] Ban 184.108.40.206
    2013-01-02 10:04:59,153 fail2ban.actions: WARNING [wordpress-mapi] Ban 220.127.116.11
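A failregex of this shape can be checked offline before the jail is trusted with maxretry = 1. The following is an added example, not part of the original post: the `HOST` pattern is a simplified stand-in for what fail2ban substitutes for `<HOST>`, the log lines are constructed, and `banned_hosts` is a hypothetical helper name. It also shows that the pattern matches anywhere in the request target, so a query string containing the path triggers a ban too.

```python
import re

# Simplified stand-in for what fail2ban substitutes for <HOST> (assumption).
HOST = r"(?P<host>\S+)"

# Path written with an escaped slash.
WITH_SLASH = r'^<HOST> -.*"(GET|POST).*\/browserToolbarGetData.* HTTP\/.*$'
# Path written without the slash: "\b" is a word-boundary assertion in Python re.
WITH_BACKSLASH_B = r'^<HOST> -.*"(GET|POST).*\browserToolbarGetData.* HTTP\/.*$'

# Constructed access-log lines (documentation addresses, not real traffic).
SAMPLE_LINES = [
    # The probe from the article, via GET and via POST.
    '192.0.2.10 - - [02/Jan/2013:10:04:03 +0100] '
    '"GET /browserToolbarGetData?v=2 HTTP/1.1" 404 345 "-" "-"',
    '198.51.100.7 - - [02/Jan/2013:10:04:28 +0100] '
    '"POST /browserToolbarGetData?v=2 HTTP/1.0" 404 345 "-" "-"',
    # Ordinary page view: must not be banned.
    '203.0.113.5 - - [02/Jan/2013:10:05:00 +0100] '
    '"GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Same path with HEAD: the filter only lists GET and POST.
    '203.0.113.9 - - [02/Jan/2013:10:05:02 +0100] '
    '"HEAD /browserToolbarGetData?v=2 HTTP/1.1" 404 0 "-" "-"',
    # Path text inside a query string: matched because of the loose ".*".
    '203.0.113.77 - - [02/Jan/2013:10:05:09 +0100] '
    '"GET /?s=/browserToolbarGetData HTTP/1.1" 200 5120 "-" "-"',
]


def banned_hosts(failregex, lines):
    """Return the hosts a failregex would report, in log order."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    return [m.group("host") for m in map(rx.search, lines) if m]


if __name__ == "__main__":
    for name, rx in (("with \\/", WITH_SLASH), ("with \\b", WITH_BACKSLASH_B)):
        print(name, "->", banned_hosts(rx, SAMPLE_LINES))
```

On a host with fail2ban installed, running `fail2ban-regex` with a real access log and the filter file performs the same check against the live configuration.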
That’s all, I hope this helps.
Any comment is appreciated.