This is a discussion on IPTABLES & APACHE within the Linux Security forums, part of the System Security and Security Related category.

First let me preface I'm new to Linux but got tons of experience with
other OS's and stuff.

Here is my question:

I found this error in my apache log the other day. (stripped down the
IP of the offender)

[Sat Apr 30 15:13:38 2005] [error] [client x.x.119.172] Invalid method
in request \xff\xff\xffNESSUS\xff1We443\xe6\x877B\xff\xff\xff\

What it looks like to me is this guy decided to do a scan on one of my
web servers with NESSUS.

Is there a script that anybody knows of that I could use to go through
my apache error log and look for things that I define as "hell no
buddy" and add them to a DROP or REJECT list for IPTABLES?

I checked the system and security logs on the system and no entries
were made there. It appears this person was just checking out Apache.

Am I going about this the wrong way? If a seasoned eye has a better
suggestion that would be great. Links and advice are welcomed.

Thanks for your time.

Dude! Thanks for your time man!

First "stuff" is short hand for all the other things I know. I also
appreciate you providing me the script you use. Is it possible to get
the other simple script you mentioned? I would like to test it out on
a dev system. Also can you be my unofficial tech support if I have
problems? I'll just post up here if that is cool with you.

Hey wherever u are this Bud's for u!

On Sun, 8 May 2005 08:40:11 +0200, Davide Bianchi
<davideyeahsure@onlyforfun.net> wrote:

>On 2005-05-08, tupolo@seeko.net <tupolo@seeko.net> wrote:
>> got tons of experience with other OS's and stuff.
>
>"Stuff" doesn't involve Google, does it?
>
>> Is there a script that anybody knows of that I could use to go through
>> my apache error log and look for things that I define as "hell no
>> buddy" and add them to a DROP or REJECT list for IPTABLES?
>
>Yes, there are many, I use this:
>
>#!/bin/bash
># Collect today's offending client IPs from the access log, append them
># to the block list and mail the day's list.
>tmp=$(/usr/bin/mktemp)          # unpredictable name instead of a fixed /tmp path
>date=$(/usr/bin/date +%d/%b)    # matches the "30/Apr" in access_log timestamps
>/usr/bin/grep "whatyouarelookingfor" /where/is/your/access_log | \
>  /usr/bin/grep "$date" | /usr/bin/awk '{print $1}' | \
>  /usr/bin/sort -u > "$tmp"
>cat "$tmp" >> /list/of/ips/to/block
>/usr/bin/mail -s "Today assholes" youredmailhere < "$tmp"
>rm -f "$tmp"
>
>Then I have a simple script that reads the /list/of/ips/to/block and
>adds them to my firewall scripts.
>
>Davide

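Davide's script reads the access_log, where the client address is the first field. The line tupolo posted came from the error_log, where the address sits in a "[client ...]" field (and, in Apache 2.4, carries a trailing ":port"). The script below is an added example, not from any poster in this thread, showing the same idea adapted to the error_log: pull the addresses behind the messages you object to, drop anything in a trusted range, and print the iptables commands into a dedicated chain instead of running them straight away. The log lines, the pattern, the trusted ranges and the chain name BLOCKLIST are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: pull the client IPs behind "Invalid method"
# errors out of an Apache error_log and turn them into iptables DROP rules.
# Every path, pattern, chain name and address below is an assumption.

# Constructed sample error_log lines (Apache 1.3/2.0 and 2.4 formats; the
# addresses are documentation ranges, not real offenders).
SAMPLE_LOG='[Sat Apr 30 15:13:38 2005] [error] [client 198.51.100.7] Invalid method in request \xff\xff\xffNESSUS\xff1We443
[Sat Apr 30 15:14:02 2005] [error] [client 198.51.100.7] Invalid method in request \xff\xff\xffNESSUS
[Sat Apr 30 15:20:11 2005] [error] [client 203.0.113.9] File does not exist: /var/www/html/favicon.ico
[Sat Apr 30 15:21:45 2005] [error] [client 10.0.0.5] Invalid method in request \xff\xff\xffNESSUS
[Sat Apr 30 15:30:00.123456 2005] [core:error] [pid 4242] [client 192.0.2.33:51234] Invalid method in request \xff\xff\xffNESSUS'

# Extended regex of the messages you treat as "hell no buddy" (assumed).
BAD_PATTERN='Invalid method in request|NESSUS'

# extract_bad_ips: read error_log lines on stdin, print each offending client
# address once.  The sed capture stops at the first character that is not a
# digit or a dot, so the 2.4-style "[client a.b.c.d:port]" yields the address.
extract_bad_ips() {
    grep -E "$1" |
        sed -n 's/.*\[client \([0-9][0-9.]*\).*/\1/p' |
        sort -u
}

# is_trusted: addresses that must never be blocked (assumed: loopback and
# RFC 1918 space, i.e. your own hosts and users behind the office NAT).
is_trusted() {
    case "$1" in
        127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# emit_rules: read addresses on stdin, print (do not run) one iptables command
# per address, appending to a dedicated chain and skipping trusted addresses.
emit_rules() {
    while read -r ip; do
        is_trusted "$ip" && continue
        printf 'iptables -A BLOCKLIST -s %s -j DROP\n' "$ip"
    done
}

# rules_for_log: the whole pipeline, from an error_log path to rule text.
# The chain is created or flushed first so re-running never stacks duplicates.
rules_for_log() {
    printf 'iptables -N BLOCKLIST 2>/dev/null || iptables -F BLOCKLIST\n'
    extract_bad_ips "$BAD_PATTERN" < "$1" | emit_rules
}

# Demo against the constructed lines: prints the commands, touches no firewall.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
rules_for_log "$demo_log"
rm -f "$demo_log"
```

To use it for real, run `rules_for_log /path/to/error_log` as root, read the output, then pipe it through `sh`, and make sure INPUT jumps to the chain once (`iptables -I INPUT -j BLOCKLIST`). The "[client ...]" address is the TCP peer, so a request cannot forge it the way it can forge a header, but if Apache sits behind a reverse proxy or load balancer that address is the proxy's and blocking it locks everyone out; in that case the rule belongs on the proxy, not here.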
tupolo@seeko.net wrote:
> Dude! Thanks for your time man!
>
> First "stuff" is short hand for all the other things I know.

Sure... but which apparently don't include Google, as Davide already
surmised.

> I also appreciate you providing me the script you use. Is it possible
> to get the other simple script you mentioned?
>
> I would like to test it out on a dev system. Also can you be my
> unofficial tech support if I have problems?

$50 an hour should do it, you want my bank account number?

> I'll just post up here if that is cool with you.

Well, that is really up to you - USENET is free for all.

> Hey wherever u are this Bud's for u!

You really didn't get the point, did you? Not to mention top-posting.

--
J
www.gentoo.org - not just for geeks anymore.

On Sun, 08 May 2005 15:09:12 +0200, Jeroen Geilman wrote:

*SNIP*

> Not to mention top-posting.

LOL!

Mike

--
Remove SPAMSUCKS to reply
 (o<
 //\    Registered Linux User #188949
 V_/_   http://toastytech.com/evil/index.html
"Microsoft isn't evil, they just make really crappy operating systems."
- Linus Torvalds

tupolo@seeko.net wrote:
> First let me preface I'm new to Linux but got tons of experience with
> other OS's and stuff.
>
> Here is my question:
>
> I found this error in my apache log the other day. (stripped down the
> IP of the offender)
>
> [Sat Apr 30 15:13:38 2005] [error] [client x.x.119.172] Invalid method
> in request
> \xff\xff\xffNESSUS\xff1We443\xe6\x877B\xff\xff\xff\
>
> What it looks like to me is this guy decided to do a scan on one of my
> web servers with NESSUS.
>
> Is there a script that anybody knows of that I could use to go through
> my apache error log and look for things that I define as "hell no
> buddy" and add them to a DROP or REJECT list for IPTABLES?

Swatch or logwatch:

http://freshmeat.net/projects/swatch
http://freshmeat.net/projects/logwatch/