
Re: Is this an attack on my Apache server?



Hey,

It depends on how you define an attack. This is probing, i.e. a bot is trying to find pages on your site that it can attack.
My suggestion: depending on what kind of traffic you have, I would suggest an iptables rate limit, i.e. you limit the number of connections that are possible per X seconds. That slows the bots down hard, and you can then block them.

https://blog.programster.org/rate-limit-requests-with-iptables#:~:text=You%20can%20rate%20limit%20connections,of%20connection%2C%20based%20on%20port.

I think a Fail2Ban for a 404 is too harsh.

PS: You have to be able to deal with probing on the Internet. If you introduce harsh rules against probing, you will only reduce your web server to absurdity.


Kind regards
Bjoern Meier




On Mon, 15 Feb 2021 at 20:05, Andreas Tille <andreas@an3as.eu> wrote:
Hello,

by pure chance I just had a look at my Apache logs
and found this:


5.8.10.202 - - [15/Feb/2021:19:48:02 +0100] "GET /a.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:02 +0100] "GET /b.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:02 +0100] "GET /c.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:09 +0100] "GET /x.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
...
5.8.10.202 - - [15/Feb/2021:19:48:09 +0100] "GET /y.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:10 +0100] "GET /z.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:10 +0100] "GET /0.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:10 +0100] "GET /1.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:10 +0100] "GET /2.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:11 +0100] "GET /3.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:11 +0100] "GET /4.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:11 +0100] "GET /5.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:11 +0100] "GET /6.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:11 +0100] "GET /7.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:12 +0100] "GET /8.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:12 +0100] "GET /9.txt HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:12 +0100] "GET /a.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:13 +0100] "GET /b.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:13 +0100] "GET /c.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
...
5.8.10.202 - - [15/Feb/2021:19:48:19 +0100] "GET /x.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:19 +0100] "GET /y.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:19 +0100] "GET /z.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:19 +0100] "GET /0.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:20 +0100] "GET /1.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:20 +0100] "GET /2.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:20 +0100] "GET /3.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:20 +0100] "GET /4.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:21 +0100] "GET /5.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:21 +0100] "GET /6.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:21 +0100] "GET /7.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:21 +0100] "GET /8.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:22 +0100] "GET /9.gz HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:22 +0100] "GET /a.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:22 +0100] "GET /b.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:22 +0100] "GET /c.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
...
5.8.10.202 - - [15/Feb/2021:19:48:27 +0100] "GET /x.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:28 +0100] "GET /y.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:28 +0100] "GET /z.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:28 +0100] "GET /0.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:29 +0100] "GET /1.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:29 +0100] "GET /2.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:29 +0100] "GET /3.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:29 +0100] "GET /4.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:30 +0100] "GET /5.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:30 +0100] "GET /6.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:30 +0100] "GET /7.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:30 +0100] "GET /8.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:30 +0100] "GET /9.tar HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:30 +0100] "GET /a.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:31 +0100] "GET /b.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:31 +0100] "GET /c.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
...
5.8.10.202 - - [15/Feb/2021:19:48:36 +0100] "GET /x.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:36 +0100] "GET /y.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:36 +0100] "GET /z.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:36 +0100] "GET /0.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:37 +0100] "GET /1.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:37 +0100] "GET /2.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:37 +0100] "GET /3.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:37 +0100] "GET /4.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:37 +0100] "GET /5.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:38 +0100] "GET /6.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:38 +0100] "GET /7.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:39 +0100] "GET /8.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:39 +0100] "GET /9.tar.bz2 HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:39 +0100] "GET /a.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:39 +0100] "GET /b.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:39 +0100] "GET /c.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
...
5.8.10.202 - - [15/Feb/2021:19:48:45 +0100] "GET /x.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:45 +0100] "GET /y.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:45 +0100] "GET /z.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:45 +0100] "GET /0.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:46 +0100] "GET /1.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:46 +0100] "GET /2.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:46 +0100] "GET /3.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:47 +0100] "GET /4.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:47 +0100] "GET /5.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:47 +0100] "GET /6.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:47 +0100] "GET /7.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:47 +0100] "GET /8.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:48 +0100] "GET /9.zip HTTP/1.1" 404 455 "-" "Mozilla/5.0"
5.8.10.202 - - [15/Feb/2021:19:48:48 +0100] "GET /xaa HTTP/1.1" 404 455 "-" "Mozilla/5.0"


I looked up where the IP comes from:

    ISP: Petersburg Internet Network


Does anyone have an idea what kind of files a machine in Petersburg wants
to download from me?

Best regards
        Andreas.


--
http://fam-tille.de
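
One way to measure probing like the log above before choosing a rate limit, as an added example that is not part of the original thread: it parses Apache access-log lines and reports only clients whose 404 count inside a sliding time window exceeds a threshold, so a single 404 from an ordinary visitor is not flagged. The threshold, window, function names and the sample log (documentation addresses 192.0.2.10 and 198.51.100.7) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log format: client, timestamp, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, time, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])

def find_probers(lines, max_404=10, window=timedelta(seconds=10)):
    """Map each client with more than max_404 404s inside `window` to its peak count."""
    recent = defaultdict(deque)  # ip -> timestamps of its 404s still in the window
    peak = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != 404:
            continue
        ip, ts = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop 404s that fell out of the window
            q.popleft()
        if len(q) > max_404:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def sample_log():
    """Constructed sample: one scanner at 4 requests/s and one ordinary visitor."""
    t0 = datetime(2021, 2, 15, 19, 48, 2, tzinfo=timezone(timedelta(hours=1)))
    fmt = '{} - - [{}] "GET {} HTTP/1.1" {} 455 "-" "Mozilla/5.0"'
    names = "abcdefghijklmnopqrstuvwxyz0123456789"
    lines = [fmt.format("192.0.2.10", (t0 + timedelta(seconds=i // 4)).strftime(TS_FMT),
                        f"/{c}.txt", 404) for i, c in enumerate(names)]
    lines.append(fmt.format("198.51.100.7", t0.strftime(TS_FMT), "/favicon.ico", 404))
    lines.append(fmt.format("198.51.100.7", t0.strftime(TS_FMT), "/index.html", 200))
    return lines

if __name__ == "__main__":
    for ip, count in find_probers(sample_log()).items():
        print(f"{ip}: up to {count} 404s within 10 s")
```

The peak count per window gives a concrete number to compare against normal traffic when picking the "connections per X seconds" value for a rate limit.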

