Re: swamp rat bots Q

[john doe <johndoe65534@mail.com>]

On 12/4/2020 7:03 AM, Andy Smith wrote:
> Hello,
>
> On Fri, Dec 04, 2020 at 12:03:57AM -0500, Gene Heskett wrote:
> > what file do I edit to add todays
> > /var/log/httpd/other_vhosts_access.log to its list of logs to
> > watch.  That's the log file with the real data in it today.  And
> > does it need enabled in another, different file.
>
> Again we have been down this avenue before, but I will try one last
> time.
>
> It seems quite likely that the bot you have a problem with has the
> same user agent string, or a very small variation on the same
> string. If so then you can block it just with Apache.
>
> So, can you show us a few lines of logs from your
> /var/log/httpd/other_vhosts_access.log of the accesses from the
> offending bot(s)?

That is, increase your log verbosity (1) and and give us part of the
relevent lines.

Also if fail2ban is not working turn it off and other stuff that you
have put inplace to block those attacks, so we have something clean to
work with, apache is your first line of defence here.

1)  https://httpd.apache.org/docs/2.4/mod/core.html#loglevel

--
John Doe