[svlug] someone is hammering my webserver

Alvin Oga alvin at mail.Linux-Consulting.com
Mon Jan 28 13:26:14 PST 2008


hi ya 

> Jeff Shippen wrote:
> 
> looks like it is all from the same IP, which you can block, or even better,
> redirect their request to 127.0.0.1.
> 
> I haven't seen anything like this in my logs (yet)
 
- do report the script kiddie to your isp ...

and if you don't happen to have iptables ...

you can simply deny http connection from httpd.conf
on that particular html tree or all html tree

	<Directory /.../httpd/html.tree1>
	...
	Order allow,deny
	Allow from all
	Deny from script-kiddie-ip#  wanna-be-cracker-ip#
	</Directory>

- this way doesn't affect anybody else or any other webserver tree

- consider yourself lucky if you only have 1 html bomber

c ya
alvin

> On Jan 28, 2008 10:23 AM, Larry Colen <lrc at red4est.com> wrote:
> 
> > I ran into a problem today when /var was out of space. I've been
> > getting hammered by someone at 83.156.199.176 trying to find every
> > file on my webserver, even trying things that aren't there. They're
> > currently up to half a million hits:
> >
> > red4est:/var/log/apache# grep 83.156.199.176 access.log* | wc
> >  521667 11475308 102207788
> >
> > They seem to be running some sort of dictionary attack on my
> > webserver, then tracking down anything they find, even going so far as
> > to append dates to some of the strings:
> >
> > access.log:83.156.199.176 - - [28/Jan/2008:09:52:08 -0800] "GET
> > /lrc/pix/larry030813/ HTTP/1.1" 404 298 "-" "Mozilla/5.0 (Windows; U;
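
An added example, not part of the original thread: a short Python pass over Apache access-log lines that flags clients whose requests are mostly 404s across many distinct paths, then renders the matching `Deny from` lines for the `<Directory>` block suggested above. The thresholds, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log line; the optional prefix is the "access.log:"
# that grep adds when run over several files, as in the quoted output.
LOG_RE = re.compile(
    r'^(?:\S*access\.log[^:\s]*:)?(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_scanners(lines, min_hits=4, min_404_ratio=0.75):
    """Map ip -> (hits, 404s, distinct paths) for clients whose traffic is
    mostly 404s over many paths. Thresholds are assumed; tune per site."""
    hits, misses, paths = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line: skip rather than guess
        ip = m.group("ip")
        hits[ip] += 1
        paths[ip].add(m.group("path"))
        if m.group("status") == "404":
            misses[ip] += 1
    return {
        ip: (n, misses[ip], len(paths[ip]))
        for ip, n in hits.items()
        if n >= min_hits and misses[ip] / n >= min_404_ratio
    }

def deny_lines(scanners):
    """Render 'Deny from' lines in the Order allow,deny style used above."""
    return ["Deny from " + ip for ip in sorted(scanners)]

# Constructed sample log (documentation-range addresses, not real traffic).
_T = '{src}{ip} - - [28/Jan/2008:09:52:08 -0800] "GET {path} HTTP/1.1" {st} 298 "-" "Mozilla/5.0"'
SAMPLE = [_T.format(src=s, ip=i, path=p, st=c) for s, i, p, c in [
    ("access.log:", "203.0.113.7", "/pix/a/", 404),
    ("access.log:", "203.0.113.7", "/pix/b/", 404),
    ("access.log:", "203.0.113.7", "/pix/b20080128/", 404),
    ("access.log:", "203.0.113.7", "/index.html", 200),
    ("access.log.1:", "203.0.113.7", "/admin/", 404),
    ("", "198.51.100.20", "/index.html", 200),
    ("", "198.51.100.20", "/missing.png", 404),
]] + ['198.51.100.20 - - [28/Jan/2008:09:53:00 -0800] "-" 408 -']

if __name__ == "__main__":
    found = find_scanners(SAMPLE)
    for ip, (n, nf, distinct) in found.items():
        print(ip, "hits=%d 404s=%d paths=%d" % (n, nf, distinct))
    print("\n".join(deny_lines(found)))
```

A visitor who hits one or two dead links stays under both thresholds, so only the client walking the tree ends up in the deny list.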




