Re: fail2ban for apache2
On Mon, Nov 11, 2019 at 12:18:17PM -0500, Gene Heskett wrote:
> Only one log file seems to have useful data, the "other..." file, and I
> have posted several single lines here, but here's a few more:
>
> coyote.coyote.den:80 40.94.105.9 - -
> [11/Nov/2019:12:08:53 -0500] "GET /gene/ HTTP/1.1" 200
> 5141 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
> coyote.coyote.den:80 40.94.105.9 - -
> [11/Nov/2019:12:08:53 -0500] "GET /gene/pix/EasterSundayCropped2004-1.jpg
> HTTP/1.1" 200 194478 "http://geneslinuxbox.net:6309/gene/" "Mozilla/5.0
> (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/57.0.2987.133 Safari/537.36"
> coyote.coyote.den:80 40.94.105.9 - -
> [11/Nov/2019:12:08:56 -0500] "GET /favicon.ico HTTP/1.1" 200
> 1705 "http://geneslinuxbox.net:6309/gene/" "Mozilla/5.0 (Windows NT
> 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/57.0.2987.133 Safari/537.36"
> coyote.coyote.den:80 203.133.169.54 - -
> [11/Nov/2019:12:10:52 -0500] "GET /robots.txt HTTP/1.1" 200
> 1092 "-" "Mozilla/5.0 (compatible; Daum/4.1;
> +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
> coyote.coyote.den:80 203.133.169.54 - -
> [11/Nov/2019:12:10:53 -0500] "GET /gene/nitros9/level1/d64/modules/sysgo_h0
> HTTP/1.1" 200 706 "-" "Mozilla/5.0 (compatible; Daum/4.1;
> +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
> coyote.coyote.den:80 203.133.169.54 - -
> [11/Nov/2019:12:10:58 -0500] "GET /gene/nitros9/level1/coco2b/NOS9_6809_L1_coco2b_cocosdc.dsk
> HTTP/1.1" 200 4718822 "-" "Mozilla/5.0 (compatible; Daum/4.1;
> +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
> coyote.coyote.den:80 203.133.169.54 - -
> [11/Nov/2019:12:11:21 -0500] "GET /gene/nitros9/level1/coco2_6309/NOS9_6309_L1_coco2_6309_dw_directmodempak.dsk
> HTTP/1.1" 200 554724 "-" "Mozilla/5.0 (compatible; Daum/4.1;
> +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
> coyote.coyote.den:80 203.133.169.54 - -
> [11/Nov/2019:12:11:29 -0500] "GET /gene/nitros9/level1/dalpha/modules/defsfile
> HTTP/1.1" 200 248 "-" "Mozilla/5.0 (compatible; Daum/4.1;
> +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
> coyote.coyote.den:80 203.133.169.54 - -
> [11/Nov/2019:12:11:34 -0500] "GET /gene/nitros9/level1/atari/modules/n1_scdwv.dd
> HTTP/1.1" 200 280 "-" "Mozilla/5.0 (compatible; Daum/4.1;
> +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
> coyote.coyote.den:80 203.133.169.54 - -
> [11/Nov/2019:12:11:39 -0500] "GET /gene/nitros9/level1/coco1_6309/bootfiles/bootfile_covga_cocosdc
> HTTP/1.1" 200 16133 "-" "Mozilla/5.0 (compatible; Daum/4.1;
> +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
>
> I did ask earlier if daum was a bot but no one answered. They are
> becoming a mite pesky.
Well, maybe nobody knows.
I went to daum.net in a web browser, and it looks like it's in an Asian
language. It also looks like it's selling a bunch of stuff (at least,
it's laid out the way a retailer's web page is typically laid out).
I also went to the URL in your log
<http://cs.daum.net/faq/15/4118.html?faqId=28966>. Again, it's in a
language that I can't read, but it's talking about robots.txt and shows
an example of how to block them.
So, yes, it's a bot.
Did you not try either of these steps yourself?
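The same check can be run over the whole log instead of by eye. The sketch below is an added example, not part of the original message: it parses Apache's vhost_combined format (the format of the lines quoted above) and flags clients that fetched /robots.txt or put an info URL ("+http://...") in their User-Agent. The function names and the two heuristics are assumptions made for this example.

```python
import re
from collections import defaultdict

# Apache "vhost_combined": %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field; Apache logs an embedded quote as \"
LINE_RE = re.compile(
    r'^\S+ (\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED +
    r' \d{3} (?:\d+|-) ' + QUOTED + ' ' + QUOTED + r'$'
)
# Self-identifying crawlers usually advertise an info page as "+http://..."
BOT_URL_RE = re.compile(r'\+(https?://[^\s;)]+)')

# Three log lines from the quoted message, rejoined onto single lines
# (the mail client had wrapped them).
SAMPLE_LOG = """\
coyote.coyote.den:80 40.94.105.9 - - [11/Nov/2019:12:08:53 -0500] "GET /gene/ HTTP/1.1" 200 5141 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:10:52 -0500] "GET /robots.txt HTTP/1.1" 200 1092 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
coyote.coyote.den:80 203.133.169.54 - - [11/Nov/2019:12:11:29 -0500] "GET /gene/nitros9/level1/dalpha/modules/defsfile HTTP/1.1" 200 248 "-" "Mozilla/5.0 (compatible; Daum/4.1; +http://cs.daum.net/faq/15/4118.html?faqId=28966)"
"""

def summarize(log_text):
    """Group requests by (client IP, User-Agent) and record bot indicators."""
    clients = defaultdict(
        lambda: {"requests": 0, "robots_txt": False, "info_url": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a vhost_combined line (e.g. still wrapped)
        ip, request, _referer, agent = m.groups()
        entry = clients[(ip, agent)]
        entry["requests"] += 1
        parts = request.split()  # method, path, protocol
        if len(parts) >= 2 and parts[1].split("?")[0] == "/robots.txt":
            entry["robots_txt"] = True
        url = BOT_URL_RE.search(agent)
        if url:
            entry["info_url"] = url.group(1)
    return dict(clients)

def likely_bots(summary):
    """Return the IPs of clients showing at least one indicator, sorted."""
    return sorted({ip for (ip, _agent), e in summary.items()
                   if e["robots_txt"] or e["info_url"]})

if __name__ == "__main__":
    for (ip, agent), info in summarize(SAMPLE_LOG).items():
        print(ip, info, agent[:40])
```

The User-Agent is whatever the client chooses to send, so this only finds crawlers that announce themselves; a client that claims to be a browser and skips robots.txt will not be flagged.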