@Nonegrata

Attack on an apache2 web server?

Good day!
Today I discovered a (DDoS?) (attack?) on my web server. Some junk keeps pouring in and pouring in. I installed fail2ban but could not configure the regexp; please help me with the expression, or maybe there is some other way out? I assume I need to block on Baiduspider/2.0; . Thanks
155.94.65.53 - - [07/Feb/2017:17:44:41 +0900] "GET http://p.ato.mx/placement?v=9&id=258152&size=300x250&type=javascript&b=0&domain=www.foxiauto.com&screen=1024x768x24&timezone=480&cookies=1&flash=1&r= HTTP/1.0" 404 496 "http://www.foxiauto.com/category/auto-shows/page/2/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
58.221.55.199 - - [07/Feb/2017:17:44:41 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
178.62.172.18 - - [07/Feb/2017:17:44:41 +0900] "GET http://www.google.fr/search?oe=utf-8&pws=0&complete=0&hl=fr&num=100&q=cravate+fait+en+france HTTP/1.1" 404 442 "-" "-"
58.221.55.199 - - [07/Feb/2017:17:44:42 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
86.221.129.63 - - [07/Feb/2017:17:44:42 +0900] "GET http://www.spot-bourse.com/VALUECLICK.php HTTP/1.1" 404 456 "http://www.spot-bourse.com/BAN.php" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
59.126.2.116 - - [07/Feb/2017:17:44:42 +0900] "GET http://www.rakuten.com.tw/shop/yueerle/product/4716777996816/ HTTP/1.1" 404 476 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)"
138.201.19.161 - - [07/Feb/2017:17:44:42 +0900] "GET http://www.bet365.com/home/inplayapi/Sportsbook.asp?lid=1&zid=9&pd=%23AC%23B1%23C1%23D13%23E29765035%23F2%23R1%23&wg=0&cid=31&cg=0 HTTP/1.1" 404 522 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/8.0.763.89 Safari/537.36"
58.221.55.199 - - [07/Feb/2017:17:44:43 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
58.221.55.199 - - [07/Feb/2017:17:44:44 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
58.221.55.199 - - [07/Feb/2017:17:44:45 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
58.221.55.199 - - [07/Feb/2017:17:44:46 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
172.82.190.245 - - [07/Feb/2017:17:44:46 +0900] "GET http://baigemed.com/ HTTP/1.1" 200 631 "-" "BaiduSpider"
138.201.36.205 - - [07/Feb/2017:17:44:46 +0900] "CONNECT graph.facebook.com:443 HTTP/1.1" 405 518 "-" "-"
138.201.36.205 - - [07/Feb/2017:17:44:47 +0900] "CONNECT graph.facebook.com:443 HTTP/1.1" 405 518 "-" "-"
58.221.55.199 - - [07/Feb/2017:17:44:47 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
31.43.140.238 - - [07/Feb/2017:17:44:47 +0900] "GET http://www.apple.com/ HTTP/1.1" 200 489 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 1.1.4322; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"
58.221.55.199 - - [07/Feb/2017:17:44:48 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
43.241.217.243 - - [07/Feb/2017:17:44:49 +0900] "CONNECT kyfw.12306.cn:443 HTTP/1.1" 405 513 "-" "-"
43.241.217.171 - - [07/Feb/2017:17:44:49 +0900] "CONNECT kyfw.12306.cn:443 HTTP/1.1" 405 513 "-" "-"
104.156.238.102 - - [07/Feb/2017:17:44:49 +0900] "GET http://xxo1024.com/forum.php HTTP/1.1" 404 443 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
58.221.55.199 - - [07/Feb/2017:17:44:49 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
139.219.224.20 - - [07/Feb/2017:17:44:50 +0900] "CONNECT 61.130.29.173:84 HTTP/1.1" 405 512 "-" "-"
58.221.55.199 - - [07/Feb/2017:17:44:50 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
108.49.129.8 - - [07/Feb/2017:17:44:50 +0900] "CONNECT api.roblox.com:443 HTTP/1.0" 405 533 "-" "-"
23.239.65.132 - - [07/Feb/2017:17:44:51 +0900] "GET http://tag.contextweb.com/TagPublish/getjs.aspx?action=VIEWAD&cwrun=200&cwadformat=300X250&cwpid=544411&cwwidth=300&cwheight=250&cwpnet=1&cwtagid=144571 HTTP/1.0" 404 518 "http://www.youdagames.com/en/pc-download-games/simulation-and-strategy/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36"
95.153.108.216 - - [07/Feb/2017:17:44:52 +0900] "CONNECT static.90.170.46.78.clients.your-server.de:80 HTTP/1.1" 405 541 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
58.221.55.199 - - [07/Feb/2017:17:44:52 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
95.153.108.216 - - [07/Feb/2017:17:44:52 +0900] "CONNECT freeproxies.mooo.com:80 HTTP/1.1" 405 519 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
95.153.108.216 - - [07/Feb/2017:17:44:52 +0900] "CONNECT www.freeproxies.ga:80 HTTP/1.1" 405 517 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
95.153.108.216 - - [07/Feb/2017:17:44:52 +0900] "CONNECT web1.strangled.net:80 HTTP/1.1" 405 517 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
95.153.108.216 - - [07/Feb/2017:17:44:53 +0900] "GET http://static.166.82.76.144.clients.your-server.de/myipha.php?rnd=8c56a83cf76454b715bff3fb3f4ba7ff&rn=915801847 HTTP/1.1" 404 476 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
123.240.17.157 - - [07/Feb/2017:17:44:53 +0900] "GET http://azenv.net/ HTTP/1.1" 200 470 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
58.221.55.199 - - [07/Feb/2017:17:44:53 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
58.221.55.199 - - [07/Feb/2017:17:44:55 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
176.122.226.23 - - [07/Feb/2017:17:44:55 +0900] "GET http://chek.zennolab.com/proxy.php HTTP/1.1" 404 468 "RefererString" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0"
58.221.55.199 - - [07/Feb/2017:17:44:57 +0900] "GET http://showibo.com/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
59.126.2.116 - - [07/Feb/2017:17:44:58 +0900] "GET http://search.rakuten.com.tw/?nn=0&al=0&vm=2&p=1&si=3133&sm=3&kt=0&sf=1 HTTP/1.1" 200 470 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)"
  • Question asked
  • 384 views
Answers to the question: 1
@ioannes
These are foreign hosts poking in, aren't they?
I would do it this way, first getting rid of the foreign traffic:

# cat /etc/apache2/sites-enabled/000-default.conf

# Default site
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName localhost

        DocumentRoot /var/www/html
        <Directory /var/www/html>
                Require all granted
                AllowOverride None
        </Directory>

        LogLevel emerg
        ErrorLog ${APACHE_LOG_DIR}/default.err
        CustomLog ${APACHE_LOG_DIR}/default.log combined
</VirtualHost>


And then pull every IP out of default.log and ban them in fail2ban.

And after that, act on the results.
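An added example, not code from either poster, that implements the answer's approach over constructed log lines: it parses Apache combined-format entries like the question's excerpt, flags requests for hosts this server does not serve (CONNECT tunnels and absolute-URI requests, i.e. the open-proxy probes visible in the log), counts them per client address, and checks a fail2ban failregex of the kind the question asks for against the default-vhost log the answer proposes. OUR_HOSTS, the sample addresses and the sample hostnames are assumptions.

```python
import re
from collections import Counter

# Apache "combined" log line, the format of the excerpt in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Hostnames this server really serves (assumption: substitute your own vhosts).
OUR_HOSTS = {"example.org", "www.example.org"}

# fail2ban failregex for the answer's default-vhost log: every line there is a
# request for a host we do not serve, so the filter only extracts the client.
FAILREGEX = r'^<HOST> -.*"(?:GET|POST|HEAD|CONNECT) '

def is_foreign(entry):
    """A CONNECT tunnel or an absolute URI for a host we do not serve is an
    open-proxy probe, not a request for our site."""
    if entry["method"] == "CONNECT":
        return True
    m = re.match(r'https?://([^/:?]+)', entry["target"], re.I)
    return m is not None and m.group(1).lower() not in OUR_HOSTS

def offenders(lines, threshold):
    """Count proxy-probe requests per client IP; return those at/over threshold."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_foreign(m.groupdict()):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def fail2ban_hosts(lines, failregex=FAILREGEX):
    """Apply a fail2ban failregex (with its <HOST> tag) to log lines and return
    the addresses it would hand to the ban action."""
    rx = re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))
    return [m.group("host") for m in map(rx.match, lines) if m]

# Constructed sample, modelled on the question's excerpt (RFC 5737 addresses).
SAMPLE = [
    '203.0.113.5 - - [07/Feb/2017:17:44:41 +0900] "GET http://showibo.example/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0)"',
    '203.0.113.5 - - [07/Feb/2017:17:44:42 +0900] "GET http://showibo.example/ HTTP/1.1" 200 631 "http://www.baidu.com" "Mozilla/5.0 (compatible; Baiduspider/2.0)"',
    '198.51.100.7 - - [07/Feb/2017:17:44:46 +0900] "CONNECT graph.example.net:443 HTTP/1.1" 405 518 "-" "-"',
    '192.0.2.9 - - [07/Feb/2017:17:44:50 +0900] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [07/Feb/2017:17:44:51 +0900] "GET http://www.example.org/about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
if __name__ == "__main__":
    print(offenders(SAMPLE, 2))        # {'203.0.113.5': 2}
    print(fail2ban_hosts(SAMPLE[:3]))  # default.log lines -> client addresses
```

Keying on the destination host rather than the User-Agent catches the CONNECT lines (which carry no UA at all) and the absolute-URI probes alike, whereas a Baiduspider-only rule would miss the former and block the real crawler as well.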