I got Apache load attacks; they all show a fake user-agent string with [simplesite.com] from thousands of different IP addresses.
how can I use this string in a working regex in badbots.conf?
The problem here is escaping the URL correctly.
404 717 "http://simplesite.com" "Mozilla/5.0
# badbots.conf
badbotscustom = EmailCollector|NetcraftSurveyAgent|ZoominfoBot| ...
# sample log
103.138.96.242 - - [29/Jan/2021:15:38:41 +0100] "GET /alfa.php HTTP/1.1" 404 717 "http://simplesite.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
89.46.106.156 - - [29/Jan/2021:09:07:17 +0100] "GET /404.php HTTP/1.1" 404 717 "http://simplesite.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"
Doesn’t badbots look at the UA string rather than the referer string?
If so, adding it to the badbots configuration isn’t going to work as you’re hoping, so you’ll need to look at adding a filter for the referer.
It seems to be some new 404 or Slowloris attack that is being carried out via a botnet. I see thousands of log entries, all with a different IP address; the UA string in that case is:
"http://simplesite.com"
It's not carried out by an IP address of that domain name; it is used as a fake UA string.
cluster, January 30, 2021, 10:53am
It seems to work … do you think the regex is correct?
[Definition]
failregex = ^<HOST> -.*\"(GET|POST).*HTTP.*\".+\"http?://(.*\.)?(simplesite\.com).*"$
ignoreregex =
Results
=======
Failregex: 5 total
|- #) [# of hits] regular expression
| 1) [5] ^<HOST> -.*\"(GET|POST).*HTTP.*\".+\"http?://(.*\.)?(simplesite\.com).*"$
`-
Lines: 33 lines, 0 ignored, 5 matched, 28 missed
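As an added illustration (not code from the thread or from fail2ban itself), the following Python script does what fail2ban-regex does in miniature: it substitutes <HOST>, compiles the posted failregex, and runs it over constructed log lines modelled on the ones above. It also shows a tightened variant: `https?://` instead of `http?://` (the posted pattern only ever matches `http://`, because `http?` makes the `p` optional, not the `s`), and a referer field pinned to its position after the status code and byte count, so the domain cannot trigger a ban from the request path or the UA. The IPv4-only <HOST> stand-in and the sample lines are assumptions for offline testing; fail2ban's real <HOST> also covers IPv6 and hostnames, and fail2ban cuts the matched timestamp out of the line before applying failregex, which is why the timestamp group in the tightened pattern is optional.

```python
import re

# Constructed sample lines in Apache combined log format, modelled on the
# ones posted in the thread (illustrative data, not live log records).
SAMPLE_LOG = [
    '103.138.96.242 - - [29/Jan/2021:15:38:41 +0100] "GET /alfa.php HTTP/1.1" 404 717 '
    '"http://simplesite.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) '
    'AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"',
    '89.46.106.156 - - [29/Jan/2021:09:07:17 +0100] "GET /404.php HTTP/1.1" 404 717 '
    '"http://simplesite.com" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) '
    'AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"',
    # Legitimate visitor with an unrelated referer: must not be banned.
    '192.0.2.10 - - [29/Jan/2021:10:00:00 +0100] "GET /index.html HTTP/1.1" 200 5120 '
    '"https://www.example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/85.0"',
    # Same fake referer over https with a www. prefix: the posted regex misses it.
    '198.51.100.7 - - [29/Jan/2021:11:00:00 +0100] "GET /wp-login.php HTTP/1.1" 404 717 '
    '"https://www.simplesite.com/page" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

# fail2ban expands <HOST> to a pattern for IPv4/IPv6 addresses or hostnames.
# Assumption for offline testing: an IPv4-only stand-in is sufficient here.
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# The failregex exactly as posted in the thread.
POSTED = r'^<HOST> -.*\"(GET|POST).*HTTP.*\".+\"http?://(.*\.)?(simplesite\.com).*"$'

# Tightened variant: https? instead of http?, the referer anchored to the quoted
# field right after status and bytes, and an optional timestamp group so the
# pattern works whether or not the timestamp is still present in the line.
TIGHTENED = (
    r'^<HOST> - \S+ (?:\[[^\]]+\] )?\s*"(?:GET|POST|HEAD) [^"]*HTTP/[\d.]+" \d{3} \S+ '
    r'"https?://(?:[^/"]*\.)?simplesite\.com(?:[/?#][^"]*)?" '
)


def compile_failregex(failregex: str) -> re.Pattern:
    """Substitute <HOST> and compile, as fail2ban does before matching."""
    return re.compile(failregex.replace('<HOST>', HOST))


def banned_hosts(lines, failregex):
    """Return the hosts whose log lines match failregex, in log order."""
    pattern = compile_failregex(failregex)
    return [m.group('host') for m in map(pattern.search, lines) if m]


def missed_lines(lines, failregex):
    """Return the lines that failregex does not match (fail2ban-regex's 'missed')."""
    pattern = compile_failregex(failregex)
    return [line for line in lines if not pattern.search(line)]


if __name__ == '__main__':
    for name, regex in (('posted', POSTED), ('tightened', TIGHTENED)):
        hits = banned_hosts(SAMPLE_LOG, regex)
        print(f'{name}: {len(hits)} matched, '
              f'{len(missed_lines(SAMPLE_LOG, regex))} missed -> {hits}')
```

Running the script shows the posted regex banning the two hosts from the thread and skipping the https variant, while the tightened one catches all three fake-referer lines and still leaves the legitimate visitor alone. Before changing a live jail, run the candidate through `fail2ban-regex` against the real access log, as done in the post above, since the real <HOST> and timestamp handling differ from this stand-in.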
So, just to confirm, you want to ignore (i.e. not block) any requests that have http://simplesite.com as the referer string?
I want to block, so in that case ignoreregex should be empty. I can already see many simplesite bans in fail2ban.log.
Sounds like it’s doing what you want then.
Yep, seems to work …
Chain f2b-simplesite (1 references)
num target prot opt source destination
1 REJECT all -- 158.58.187.212 0.0.0.0/0 reject-with icmp-port-unreachable
2 REJECT all -- 43.229.84.224 0.0.0.0/0 reject-with icmp-port-unreachable
3 REJECT all -- 194.5.188.20 0.0.0.0/0 reject-with icmp-port-unreachable
4 REJECT all -- 41.185.8.143 0.0.0.0/0 reject-with icmp-port-unreachable
5 REJECT all -- 103.227.176.20 0.0.0.0/0 reject-with icmp-port-unreachable
6 REJECT all -- 193.202.110.27 0.0.0.0/0 reject-with icmp-port-unreachable
7 REJECT all -- 95.217.215.188 0.0.0.0/0 reject-with icmp-port-unreachable
8 REJECT all -- 92.118.144.74 0.0.0.0/0 reject-with icmp-port-unreachable
9 REJECT all -- 91.238.160.176 0.0.0.0/0 reject-with icmp-port-unreachable
10 REJECT all -- 81.88.49.10 0.0.0.0/0 reject-with icmp-port-unreachable
11 REJECT all -- 80.90.199.120 0.0.0.0/0 reject-with icmp-port-unreachable
12 REJECT all -- 70.32.23.77 0.0.0.0/0 reject-with icmp-port-unreachable
13 REJECT all -- 69.162.154.7 0.0.0.0/0 reject-with icmp-port-unreachable
14 REJECT all -- 67.205.154.85 0.0.0.0/0 reject-with icmp-port-unreachable
15 REJECT all -- 5.61.27.215 0.0.0.0/0 reject-with icmp-port-unreachable
16 REJECT all -- 216.244.87.58 0.0.0.0/0 reject-with icmp-port-unreachable
17 REJECT all -- 198.71.235.75 0.0.0.0/0 reject-with icmp-port-unreachable
18 REJECT all -- 193.111.153.69 0.0.0.0/0 reject-with icmp-port-unreachable
19 REJECT all -- 185.32.188.146 0.0.0.0/0 reject-with icmp-port-unreachable
20 REJECT all -- 185.154.54.10 0.0.0.0/0 reject-with icmp-port-unreachable
21 RETURN all -- 0.0.0.0/0 0.0.0.0/0