[Solved] Apache2 access log browserToolbarGetData?v=2

As I wrote in a previous article, someone is buzzing my server with continuous requests for nonexistent resources, such as /browserToolbarGetData?v=2. This could be related to a new IP address I just bought. I don't know yet, but there is no trace of this IP address's history, so I think I'm the first one using it, and I'm inclined to believe it is just a remote possibility… anyway, let's take some countermeasures.

I don't want them to even reach my HTTP server, so I set up a fail2ban filter:

nano /etc/fail2ban/filter.d/wordpress-toolbar.conf

And I configure this filter to ban all IP addresses whose requests match the following regex:

# Fail2Ban configuration file
#
# Author: Giuseppe
#
# $Revision: uhm $
#

[Definition]
# <HOST> is the fail2ban tag that captures the client address to ban
failregex = ^<HOST> -.*"(GET|POST).*\/browserToolbarGetData.* HTTP\/.*$
ignoreregex =

Then I activate this new filter by adding its definition to the jail.local file, as follows:

nano /etc/fail2ban/jail.local

and then at the end of the file, after a blank line, I add this section:

[wordpress-toolbar]
enabled = true
port = http,https
filter = wordpress-toolbar
logpath = /var/log/ispconfig/httpd/*/*access.log
bantime = 360
findtime = 30
maxretry = 1

Which means that the filter is “enabled”, the filter file is “wordpress-toolbar”, the log files to be kept under surveillance are under “/var/log/ispconfig/httpd/*/*access.log”, the “bantime” (the duration of the ban) is in seconds, the “findtime” is the time window within which the filter has to match in order to trigger the action, and “maxretry” is the maximum number of retries. In this case our maxretry is just 1.

et voilà

2013-01-02 10:04:04,000 fail2ban.actions: WARNING [wordpress-mapi] Ban 176.222.154.49
2013-01-02 10:04:29,059 fail2ban.actions: WARNING [wordpress-mapi] Ban 94.180.185.101
2013-01-02 10:04:35,098 fail2ban.actions: WARNING [wordpress-mapi] Ban 31.130.5.94
2013-01-02 10:04:59,153 fail2ban.actions: WARNING [wordpress-mapi] Ban 77.106.240.67
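
As an added example (not part of the original post), this Python code checks the filter's failregex against constructed access-log lines to show which requests would be banned and which would slip through. The `<HOST>` tag is replaced by a simplified IPv4-only group, and `HOST_GROUP`, `compile_failregex`, `hosts_to_ban` and the sample lines are names and data assumed here.

```python
import re

# The filter's failregex; fail2ban itself expands the <HOST> tag.
FAILREGEX = r'^<HOST> -.*"(GET|POST).*\/browserToolbarGetData.* HTTP\/.*$'
# Assumption: simplified IPv4-only stand-in for <HOST>; the real expansion
# also accepts hostnames and IPv6 addresses.
HOST_GROUP = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

def compile_failregex(failregex=FAILREGEX):
    """Turn a fail2ban failregex into a plain Python pattern."""
    return re.compile(failregex.replace('<HOST>', HOST_GROUP))

# Constructed access-log lines (documentation IP ranges), one per case.
SAMPLE_LOG = [
    # GET for the probed resource: matches
    '192.0.2.10 - - [02/Jan/2013:10:04:03 +0100] "GET /browserToolbarGetData?v=2 HTTP/1.1" 404 498 "-" "Mozilla/5.0"',
    # POST for the probed resource: matches
    '198.51.100.7 - - [02/Jan/2013:10:04:28 +0100] "POST /browserToolbarGetData?v=2 HTTP/1.0" 404 498 "-" "-"',
    # Ordinary request: no match
    '203.0.113.5 - - [02/Jan/2013:10:04:30 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # String only in the Referer: no match, because " HTTP/" must follow it
    '203.0.113.9 - - [02/Jan/2013:10:04:31 +0100] "GET /index.php HTTP/1.1" 200 5120 "http://example.test/browserToolbarGetData?v=2" "Mozilla/5.0"',
    # HEAD for the probed resource: no match, the filter only lists GET and POST
    '192.0.2.44 - - [02/Jan/2013:10:04:33 +0100] "HEAD /browserToolbarGetData?v=2 HTTP/1.1" 404 - "-" "curl/7.26.0"',
]

def hosts_to_ban(lines, maxretry=1):
    """Return hosts with at least `maxretry` matching lines, first-seen order."""
    pattern = compile_failregex()
    hits = {}
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group('host')] = hits.get(m.group('host'), 0) + 1
    return [host for host, count in hits.items() if count >= maxretry]

if __name__ == '__main__':
    print(hosts_to_ban(SAMPLE_LOG))
```

On the server itself, the `fail2ban-regex` tool run against the access log and the filter file performs the same check with the real `<HOST>` expansion.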

That's all, I hope this helps.
Any comment is appreciated.

Ciao! 


Author: Giuseppe Urso

Giuseppe lives in Haarlem now with his shiny dog, Filippa. In 1982 he received his first home computer, a Commodore 64, followed by a Datasette and a 1541 Floppy Disk Drive. In 1999 he installed his first Linux distro (LRH6). In 2006 he switched to Debian as his favourite OS. Giuseppe Urso actively supports the Free Software Foundation and its founder Richard Matthew Stallman; he speaks to people, trying to convince them to join the fight now, and about how important it is to use Free Software only. He has a job as Infra Specialist at Hippo Enterprise Java CMS, an Open Source enterprise-class Content Management System, one of the coolest companies ever, in Amsterdam. He's always ready to install Debian on other people's computers for free.
