There are a lot of people trying to crack or spam others’ web sites (in vain)… What they do usually falls into two categories: one is trying to post their articles (usually advertisements for drugs and so on) automatically to a lot of forums; the other is trying to download files that webmasters might have left there carelessly (for example, *.mdb, web.zip, etc.).
I don’t care about this too much, unless they keep doing it all the time, which consumes my bandwidth. In order to pick them out and filter out their requests using a firewall, I did the following:
First, in Apache’s configuration file, filter all these suspicious requests into a separate log file. For example, I am using Apache on Linux, so if someone requests /forum/post.asp or /data.mdb, the request is certainly from a cracker or spammer. I put all of these in a file called worm_log (these things used to be from worms…).
Then I wrote a small script to calculate the number of hostile requests:
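    #!/bin/sh
    # Count hostile requests per client IP across all worm_log files.
    allIPFile=/tmp/ips.txt
    ipListFile=/tmp/ip_list.txt
    myTmpFile=/tmp/mytmp.txt

    # The client IP is the first space-separated field of each log line.
    cat worm* | cut -d ' ' -f 1 | sort > "$allIPFile"
    uniq "$allIPFile" > "$ipListFile"

    rm -f "$myTmpFile"
    while read -r ip ; do
        # -F -x: match the whole line literally, so 1.2.3.4 is not also counted for 11.2.3.45
        n=`grep -cFx "$ip" "$allIPFile"`
        echo "$ip: $n" >> "$myTmpFile"
    done < "$ipListFile"

    # Busiest sources first.
    sort -nr -k 2,2 "$myTmpFile" > spammers.txt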
The output looks something like this:

    222.73.173.10: 404
    58.215.65.183: 355
    222.73.173.11: 351
    210.83.81.80: 314
    121.14.212.82: 140
    118.102.26.197: 117
    221.231.114.10: 56
    221.5.6.198: 48
    ...

Now it is clear who the top troublemakers are and who should be blocked at the firewall.
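
One way to carry out that last blocking step, as an added example that is not part of the original post: it counts hits per address in a single pass, skips anything that is not a valid IPv4 address or is on an allowlist, and prints (does not run) one rule per offender. The iptables firewall, the THRESHOLD and ALLOWLIST values, the function names and the sample log lines are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: turn worm_log hits into firewall block commands for review.
# Assumptions: iptables is the firewall; threshold and allowlist are illustrative.

THRESHOLD=${THRESHOLD:-100}          # minimum hostile requests before blocking
ALLOWLIST=${ALLOWLIST:-"127.0.0.1"}  # space-separated addresses never to block

# count_hits: read log lines on stdin, print "count ip", highest count first.
count_hits() {
    awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' | sort -k1,1nr -k2,2
}

# is_ipv4: succeed only for a dotted quad with every octet in 0-255.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# block_rules: read log lines on stdin, print one iptables command per offender.
block_rules() {
    count_hits | while read -r n ip ; do
        [ "$n" -ge "$THRESHOLD" ] || continue
        is_ipv4 "$ip" || continue              # hostname or garbage in field 1
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        echo "iptables -A INPUT -s $ip -j DROP    # $n hostile requests"
    done
}

# Constructed sample log (documentation address ranges), not real traffic.
sample_log() {
    i=0
    while [ "$i" -lt 120 ] ; do
        echo '203.0.113.7 - - [01/Jan/2010:00:00:00 +0000] "GET /data.mdb HTTP/1.0" 404 209'
        i=$((i + 1))
    done
    echo '198.51.100.9 - - [01/Jan/2010:00:00:01 +0000] "GET /forum/post.asp HTTP/1.0" 404 212'
}

# Demo on the constructed sample; on real logs: cat worm* | block_rules > block.sh
sample_log | block_rules
```

Review the generated commands before running them; the allowlist should contain your own addresses so that a stray entry in worm_log cannot lock you out.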