There are a lot of people trying to crack or spam others’ web sites (in vain)… What they usually do falls into two categories: one is trying to post their articles (usually advertisements for drugs and so on) automatically to a lot of forums; the other is trying to download files that webmasters might have left there carelessly (for example, *.mdb, web.zip, etc.).
I don’t care about this too much, unless they keep doing this all the time, which consumes my bandwidth. In order to identify them and filter their requests out using a firewall, I did the following:
First, in Apache’s configuration file, filter all these suspicious requests into a separate log file. For example, I am using Apache on Linux, so if someone requests /forum/post.asp or /data.mdb, then it’s for sure that they are from crackers or spammers. I put all of these in a file called worm_log (these things used to be from worms…).
Then I wrote a small script to count the hostile requests from each address:
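#!/bin/sh
# Count hostile requests per client IP from the worm_log files.
allIPFile=/tmp/ips.txt
ipListFile=/tmp/ip_list.txt
myTmpFile=/tmp/mytmp.txt

# The client IP is the first space-separated field of each log line.
cat worm* | cut -d ' ' -f 1 | sort > "$allIPFile"
uniq "$allIPFile" > "$ipListFile"
rm -f "$myTmpFile"

# -F -x: match the address as a fixed string against the whole line,
# so 1.2.3.4 is not also counted for 11.2.3.40.
while read -r ip; do
    n=$(grep -cFx -- "$ip" "$allIPFile")
    echo "$ip: $n" >> "$myTmpFile"
done < "$ipListFile"

# Sort by request count, highest first.
sort -nr -k 2,2 "$myTmpFile" > spammers.txt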
The output looks something like this:
220.127.116.11: 404
18.104.22.168: 355
22.214.171.124: 351
126.96.36.199: 314
188.8.131.52: 140
184.108.40.206: 117
220.127.116.11: 56
18.104.22.168: 48
...
Now it is very clear who the top troublemakers are, and these are the addresses that should be blocked at the firewall.
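The whole procedure in one pass, as an added example (not the author's script): it goes a step further by reading a full access log instead of a pre-filtered worm_log, and by keeping only addresses above a threshold. It assumes Apache's combined log format; the function names, the threshold and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the article's script. URL patterns are the article's;
# the threshold and the sample log lines are constructed.

# block_candidates THRESHOLD < access_log
# Prints "ip count" for clients with >= THRESHOLD probe requests, busiest first.
block_candidates() {
    awk -v min="$1" '
        {
            # Combined log format: $1 is the client, $7 the request path.
            path = tolower($7)       # catch /DATA.MDB as well
            sub(/\?.*/, "", path)    # ignore any query string
        }
        path ~ /\.(asp|mdb)$/ || path ~ /\/web\.zip$/ {
            # Count only well-formed IPv4 addresses, so nothing else can
            # end up in a firewall rule built from this list.
            if ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    print ip, hits[ip]
        }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample in combined log format (documentation address ranges).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [01/Jan/2024:00:00:01 +0000] "GET /forum/post.asp HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [01/Jan/2024:00:00:02 +0000] "GET /data.mdb HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [01/Jan/2024:00:00:03 +0000] "GET /WEB.ZIP?x=1 HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [01/Jan/2024:00:00:04 +0000] "POST /forum/post.asp HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [01/Jan/2024:00:00:05 +0000] "GET /backup/data.mdb HTTP/1.1" 404 209 "-" "-"
203.0.113.5 - - [01/Jan/2024:00:00:06 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [01/Jan/2024:00:00:07 +0000] "GET /data.mdb HTTP/1.1" 404 209 "-" "-"
EOF
}

sample_log | block_candidates 2
```

The threshold keeps a one-off 404 from a legitimate visitor out of the block list; on a real server the input would be the access log itself, for example `block_candidates 100 < access_log`.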