Grab the Internet Trouble Makers!

There are a lot of people trying to crack or spam others’ web sites (in vain)… What they usually do can be categorized into two types: one is trying to post their articles (usually advertisements for drugs and so on) automatically to a lot of forums; the other one is trying to download files that the web masters might put there carelessly (for example, *.mdb, web.zip, etc.).

I don’t care about this too much, unless they keep doing it all the time, which consumes my bandwidth. To single them out and filter their requests with a firewall, I did the following:

First, in Apache’s configuration file, filter all these suspicious requests into a separate log file. For example, I am using Apache on Linux, so if someone requests /forum/post.asp or /data.mdb, it is certain that the request comes from crackers or spammers. I put all of these in a file called worm_log (these things used to be from worms…).

Then I wrote a small script to calculate the number of hostile requests:

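#!/bin/sh
# Count hostile requests per client IP across the worm_log files.

allIPFile=/tmp/ips.txt       # every client IP, one line per request, sorted
ipListFile=/tmp/ip_list.txt  # unique client IPs
myTmpFile=/tmp/mytmp.txt     # unsorted "ip: count" lines

# The client address is the first space-separated field of each log line.
cat worm* | cut -d ' ' -f 1 | sort > "$allIPFile"
uniq "$allIPFile" > "$ipListFile"

rm -f "$myTmpFile"

while read -r ip ; do
        # -x -F: whole-line, fixed-string match, so 1.2.3.4 does not also count 11.2.3.45
        n=$(grep -cxF -- "$ip" "$allIPFile")
        echo "$ip: $n" >> "$myTmpFile"
done < "$ipListFile"

# Highest request count first.
sort -nr -k 2,2 "$myTmpFile" > spammers.txt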

The output looks something like this:

222.73.173.10: 404
58.215.65.183: 355
222.73.173.11: 351
210.83.81.80: 314
121.14.212.82: 140
118.102.26.197: 117
221.231.114.10: 56
221.5.6.198: 48
...

Now it is clear who the top trouble makers are and which addresses should be blocked at the firewall.
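One way to act on that list, as an added example that is not part of the original post: it reads lines in the spammers.txt format and prints a firewall command for each address at or above a threshold, so the rules can be reviewed before anything is applied. The block_rules function, the THRESHOLD variable, the choice of iptables with a DROP rule on INPUT, and the sample data are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the firewall is iptables and a plain DROP on INPUT is wanted.

THRESHOLD=${THRESHOLD:-100}   # hypothetical cut-off: minimum hostile requests

# Print one iptables command per address whose count is >= THRESHOLD.
# Input: a file of "ip: count" lines, as written to spammers.txt above.
# A first field that is not a dotted-quad IPv4 address is skipped, so a
# hostname or junk from the log never ends up on the firewall command line.
block_rules() {
    awk -v min="$THRESHOLD" '
        {
            ip = $1; sub(/:$/, "", ip); n = $2
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            split(ip, o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
            if (n ~ /^[0-9]+$/ && n + 0 >= min + 0)
                print "iptables -A INPUT -s " ip " -j DROP"
        }' "$1"
}

# Constructed sample input (documentation address ranges, made-up counts).
sample=$(mktemp)
cat > "$sample" <<'EOF'
203.0.113.10: 404
198.51.100.7: 355
bad.host.example: 300
192.0.2.999: 250
192.0.2.55: 48
EOF

# Review the printed commands before running any of them.
block_rules "$sample"
```

The commands are only printed; check the list for your own addresses, proxies or search-engine crawlers before applying it.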
