Thursday, 15 March 2012

How do I identify a Proxy CIDR malicious IP to be blocked?

Well, you've done a grep on the access_log using wp-comments:

# last lines of the log, POST requests to the comment page only; the client IP is the first field
tail /var/log/httpd/access_log | grep POST | grep wp-comments | awk '{print $1}'

This will give you a list of IPs that POST to the wp-comments page on your blog; look at their frequency.

You could make a block list from the repeat offenders:

# last 50 KB of the log, POSTing IPs counted and sorted ascending (busiest at the bottom)
tail -c 50000 /var/log/httpd/access_log | grep POST | awk '{print $1}' | sort | uniq -c | sort -n

Check those at the bottom of the list (the highest counts) using whois to establish whether they are CIDRs, that is, whether they are proxy servers being used by a hacker program to hide behind.

Then add them to your block list using:

iptables -A INPUT -s 203.146.129.247 -j DROP
iptables -A OUTPUT -d 203.146.129.247 -j DROP
# iptables-save only prints the running rules; redirect its output to your distribution's rules file to keep them across reboots
iptables-save

as before

You can look for other patterns in how different IPs access your site.
Use grep for this. Remember it's probable that the same machine is using different IPs to hide its identity. You can check this by looking at the OS information (the User-Agent string) in the access_log.

It will show the same OS type doing the same thing from different IPs that are proxies.

The other method would be to use the lsof command to list active TCP connections that
shouldn't be there; grab the IPs and then do another whois to find out what they are.

If they are hosts then there is no reason why another host should have access to your web server, and that means they should be blocked. Otherwise they might just be an ISP, which means they're either a genuine visitor listed in the access_log or not. Use nmap to check them out: see what services they're running and whether they warrant being blocked.
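The lsof step above, as an added example that is not part of the original post: it parses the output of `lsof -i tcp -n -P` (numeric addresses and ports, so the NAME column is stable) to pull out the remote peers of established TCP connections for the whois lookup. SAMPLE_LSOF is a constructed excerpt with RFC 5737 test addresses; the process name oddproc is made up. The second function treats "shouldn't be there" as an established session on a local port you do not serve on, which is this example's own assumption about what to flag first.

```shell
#!/bin/sh
# Added example, not code from the original post: parse `lsof -i tcp -n -P`
# output to list the remote peers of established TCP connections.
# SAMPLE_LSOF is a constructed excerpt (RFC 5737 test addresses, made-up
# process "oddproc"). In real use, have lsof_lines run: lsof -i tcp -n -P
SAMPLE_LSOF='COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   1234 apache    5u  IPv4  12345      0t0  TCP 192.0.2.1:80->203.0.113.10:51234 (ESTABLISHED)
httpd   1234 apache    6u  IPv4  12346      0t0  TCP 192.0.2.1:80->198.51.100.7:40000 (ESTABLISHED)
httpd   1234 apache    7u  IPv4  12348      0t0  TCP 192.0.2.1:80->198.51.100.7:40001 (ESTABLISHED)
sshd    2345   root    3u  IPv4  12347      0t0  TCP *:22 (LISTEN)
oddproc 9999   root    4u  IPv4  12349      0t0  TCP 192.0.2.1:45000->203.0.113.99:6667 (ESTABLISHED)'

lsof_lines() { printf '%s\n' "$SAMPLE_LSOF"; }

# Remote IPs of all established connections with a connection count, busiest
# first: "<ip> <count>". These are the addresses to look up with whois.
remote_peers() {
    lsof_lines \
      | awk '$NF == "(ESTABLISHED)" {
                split($(NF-1), c, "->"); r = c[2]
                sub(/:[0-9]+$/, "", r)          # drop the remote port
                print r
             }' \
      | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Established connections whose local port is not one we serve on ($1 is a
# space-separated list such as "80 443"). Assumption of this example: a web
# server rarely has a reason to hold TCP sessions on other ports, so these are
# the ones to explain first. Output: "<command> <pid> <remote ip:port>".
unexpected_connections() {
    lsof_lines \
      | awk -v ok="$1" '
            BEGIN { n = split(ok, p, " "); for (i = 1; i <= n; i++) allowed[p[i]] = 1 }
            $NF == "(ESTABLISHED)" {
                split($(NF-1), c, "->"); l = c[1]
                sub(/^.*:/, "", l)              # keep only the local port
                if (!(l in allowed)) print $1, $2, c[2]
            }'
}

echo "== remote peers of established connections =="; remote_peers
echo "== connections not on a served port (80/443) =="; unexpected_connections "80 443"
```

On the sample data the two httpd sessions from 198.51.100.7 are ordinary visitors on port 80, while the session on local port 45000 to 203.0.113.99:6667 is the one that needs explaining before anything else is looked up.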
