
Re: swamp rat bots Q



On 12/3/2020 3:02 PM, Gene Heskett wrote:
On Thursday 03 December 2020 08:07:33 john doe wrote:

On 12/3/2020 1:35 PM, Gene Heskett wrote:
I've had it with a certain bot that ignores my robots.txt and
proceeds to mirror my site, several times a day, burning up my
upload bandwidth. They've moved it to 5 different addresses since
midnight.

I want to nail the door shut on the first attempted access by these
AH's.

Does anyone have a ready made script that can watch my httpd "other"
log, and if a certain name is at the end of the line, grabs the ipv4
src address as arg3 of the line, and applies it to iptables DROP
rules?

Or do I have to invent a new wheel for this?

Basic rules that simplify it somewhat.

1. this is ipv4 only country and not likely to change in the future
decade.

2. the list of offending bot names will probably never go beyond 50,
if that many. 5 would be realistic.

3. the src address in the log is at a fixed offset, obtainable with
the bash MID$ but the dns return will need some acrobatics involving
the bash RIGHT$ function.

4. it should track the number of hits, and after so many in a /24
block, autoswitch to a /16 block in order to keep the rules file
from exploding.

Is that not the same question you asked a while back, I then suggested
'fail2ban' or using ip/nftables own capabilities?

Yes John. But explain to me what fail2ban is supposed to do?

It's running, but has failed to ban anything no matter what sort of 403's
I return.

Fail2ban has been running here for years, and it just sits there doing
nothing, so if it's as great a swiss army knife as others claim it to be,
let's either make it work, or quit recommending it.

I need something I can feed with a tee off the tail output, detect that
it is one of the offending bots by name, and if so, apply its ipv4
address to an iptables DROP rule.

It looks to me like you are making your life way much harder than it
should be.

Fine, now show me how to make fail2ban do something useful. I just
rebooted because of a drive failure and found it couldn't be found
running by htop, so I started it. Now make it do something useful if
it's so great.


Assuming that I would be able to help you, I have no clue about your
setup nor how fail2ban is configured.

In general, when something does not work the way you want it to, it is
probably misconfigured.

If fail2ban or rate limiting in apache does not work for you, have a look
at (1).

You could also use a frontend to iptables to implement the hashlimit module.


1)
https://poorlydocumented.com/2017/08/understanding-iptables-hashlimit-module/

--
John Doe
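For readers who want the log-watching script Gene describes rather than fail2ban, here is an added example that is not from the thread or from any poster: it reads Apache combined-format lines (piped in from `tail -F`), matches the user-agent at the end of the line against a list of bot names, blocks each offending host as a /32, and widens a /24 to its whole /16 once the hit count in that /24 reaches a limit, as point 4 asks. The bot names, the limit of 3 and the sample log lines are constructed for the example; it prints the iptables commands instead of running them so they can be reviewed first.

```python
import ipaddress
import re
import sys
from collections import Counter

# Constructed bot names and threshold for this example (not from the thread).
BAD_BOTS = ("ExampleMirrorBot", "OtherBadBot")
LIMIT = 3  # hits from one /24 before its hosts are replaced by the whole /16
# Apache combined format: client IP is the first field, user-agent the last quoted string.
LINE_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}) .* "([^"]*)"$')
# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Dec/2020:13:35:01 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/83.0"
198.51.100.7 - - [03/Dec/2020:13:35:02 -0500] "GET /a HTTP/1.1" 403 0 "-" "ExampleMirrorBot/1.0"
198.51.100.8 - - [03/Dec/2020:13:35:03 -0500] "GET /b HTTP/1.1" 403 0 "-" "ExampleMirrorBot/1.0"
198.51.100.9 - - [03/Dec/2020:13:35:04 -0500] "GET /c HTTP/1.1" 403 0 "-" "ExampleMirrorBot/1.0 (+http://example.invalid)"
203.0.113.5 - - [03/Dec/2020:13:35:05 -0500] "GET /d HTTP/1.1" 403 0 "-" "OtherBadBot/2.1"
this line is not in combined log format and is skipped
"""

def offending_ip(line, bad_bots=BAD_BOTS):
    """Return the client IPv4 address when the user-agent names a bad bot, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ip, agent = m.groups()
    return ip if any(bot in agent for bot in bad_bots) else None

def blocks_for(lines, bad_bots=BAD_BOTS, limit=LIMIT):
    """Block each offending host as /32; once `limit` hits came from one /24, swap its hosts for the /16."""
    hits_per_24, nets = Counter(), set()
    for line in lines:
        ip = offending_ip(line, bad_bots)
        if ip:
            host = ipaddress.ip_network(f"{ip}/32")
            nets.add(host)
            hits_per_24[host.supernet(new_prefix=24)] += 1
    for net24, n in hits_per_24.items():
        if n >= limit:
            net16 = net24.supernet(new_prefix=16)
            nets = {x for x in nets if not x.subnet_of(net16)} | {net16}
    return sorted(nets)

def iptables_commands(nets):
    """Render DROP rules; -I inserts them ahead of any ACCEPT already in INPUT."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in nets]

if __name__ == "__main__":  # read from a pipe (e.g. tail -F), or the sample on a tty
    source = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    print("\n".join(iptables_commands(blocks_for(source))))
```

A /16 is a large block to drop, so keep the limit conservative and consider expiring rules, which is the part fail2ban's bantime would otherwise handle for you.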

