From: Sandman
Newsgroups: comp.os.linux.security
Subject: Re: Blocking client based on HTTP request
Date: Fri, 24 May 2013 21:11:26 +0200

David Hough wrote:

> Sandman wrote:
>
> > So, as my other thread may suggest, I have problems with users flooding
> > my server with requests for /wpad.dat
> >
> > Is there an easy way to use iptables to trigger on those requests and
> > then add the IP to a blacklist?
> >
> Try fail2ban as one possible candidate.
>
> I've not yet tried to use it but it's on my to-do list.

I looked at it earlier, it seems to be a client/server (why?) solution to add rules to iptables.

I did that myself instead by using a script to parse the last 1000 rows of the httpd log file, find the unique hosts that are requesting the wpad.dat file and then adding them to a blacklist file, and then add them to an iptable block.

The file now contains 4802 unique spamming hosts, and I'm a bit worried about iptables being too burdened by so many firewall rules.

-- 
Sandman[.net]
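
The log-to-blocklist step described in the post above, as an added example that is not part of the original post or the poster's script. It assumes Apache common/combined log format and a hypothetical set name `wpad_block`, and it renders the list as `ipset restore` input so that thousands of hosts become one set matched by a single iptables rule, which is a substitution made here rather than the per-host rules the post used.

```python
import ipaddress
import re
from collections import deque

# Assumption: Apache common/combined log format, client address in field 1.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+)')
SET_NAME = "wpad_block"  # hypothetical set name

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/May/2013:20:59:01 +0200] "GET /wpad.dat HTTP/1.1" 404 209',
    '198.51.100.23 - - [24/May/2013:20:59:02 +0200] "GET /wpad.dat HTTP/1.0" 404 209',
    '203.0.113.7 - - [24/May/2013:20:59:03 +0200] "GET /wpad.dat HTTP/1.1" 404 209',
    '192.0.2.10 - - [24/May/2013:20:59:04 +0200] "GET /index.html HTTP/1.1" 200 5120',
    'proxy.example.net - - [24/May/2013:20:59:05 +0200] "GET /wpad.dat HTTP/1.1" 404 209',
]

def offenders(log_lines, path="/wpad.dat", tail=1000):
    """Unique IPv4 clients that requested `path` in the last `tail` lines."""
    seen = []
    for line in deque(log_lines, maxlen=tail):  # keep only the tail of the log
        m = LOG_RE.match(line)
        if not m:
            continue
        host, target = m.groups()
        if target.split("?", 1)[0] != path:
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname or junk in the log: never hand it to the firewall
        if ip.version == 4 and str(ip) not in seen:
            seen.append(str(ip))
    return seen

def merge(blacklist, new_ips):
    """Merge new offenders into the existing blacklist, sorted and unique."""
    return sorted(set(blacklist) | set(new_ips), key=ipaddress.ip_address)

def ipset_restore(ips, name=SET_NAME):
    """Render `ipset restore` input: one hash set instead of one rule per host."""
    lines = [f"create {name} hash:ip family inet"]
    lines += [f"add {name} {ip}" for ip in ips]
    return "\n".join(lines) + "\n"

# Load with:  ipset -exist restore < wpad_block.ipset
# Match with: iptables -I INPUT -m set --match-set wpad_block src -j DROP
if __name__ == "__main__":
    print(ipset_restore(merge([], offenders(SAMPLE_LOG))), end="")
```
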