see orig thread: OFFTOPIC: Svr getting hammered by hackers/IPBan/Upcloud
I recently got with Jeff and he made me a script to check my Tomcat ports for the assholes.
I wish real life fishing was this easy ... my ban log grows daily with these RDP attempts that it catches out of the box. It's nice!
anyway, here's what he sent me to add into his config file:
<!-- Apache Tomcat failed attempts, Windows -->
<LogFile>
  <Source>Apache</Source>
  <PathAndMask>
    C:/AwareIM/Tomcat/logs/*access_log*.txt
  </PathAndMask>
  <Recursive>true</Recursive>
  <FailedLoginRegex>
    <![CDATA[
    ^(?<ipaddress>.*?)\s.*?(php|cgi-bin).*?\s404\s[0-9]+$
    ]]>
  </FailedLoginRegex>
  <PlatformRegex>Windows</PlatformRegex>
  <PingInterval>10000</PingInterval>
  <MaxFileSize>16777216</MaxFileSize>
</LogFile>
Pretty straightforward. Modify the Path for your naming conventions.
The RegEx finds lines and bans matches.
I DO NOT have any php/cgi-bin activity, so I ban all that - if you do, then you'll have a tougher job.
Since his 1st email, I found more attempts in my log where guys were just hitting the server, not specifically using "php" yet ... like just seeing if there's something out there.
So instead of a 404 error, they were getting 400.
Line 17: 99.240.148.76 - - [15/Mar/2020:09:43:32 -0400] "GET / HTTP/1.1" 400 -
Line 20: 93.65.211.247 - - [15/Mar/2020:11:55:11 -0400] "GET / HTTP/1.1" 400 -
Line 144: 222.186.19.221 - - [15/Mar/2020:15:56:16 -0400] "CONNECT ip.ws.126.net:443 HTTP/1.1" 400 -
Line 169: 52.149.53.107 - - [15/Mar/2020:19:41:39 -0400] "OPTIONS / null" 400 -
I want to also ban anyone where I find a " 400 -".
So here's another modified RegEx to get them:
^(?<ipaddress>.*?)\s.*?((php|md5sum|cgi-bin|joomla).*?\s404\s[0-9]+$|\s400\s-)$
(edited 24-mar)
Jeff says he uses https://regex101.com/ for testing, FYI.
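Added example, not from the original post and not IPBan's own code: it runs both FailedLoginRegex patterns from this thread (Jeff's php/cgi-bin pattern and the 24-mar revision) over a handful of constructed Tomcat access-log lines, including the four "400 -" lines quoted above, and reports which client addresses each pattern would hand to IPBan. JavaScript is used because its regex engine accepts the .NET-style (?<name>...) group syntax unchanged, so the patterns are copied verbatim. The sample lines other than the four quoted ones are invented (RFC 5737 test addresses), and the helper names are assumptions of this example.

```javascript
// Added example (not from the original post or from IPBan): run the two
// FailedLoginRegex patterns quoted in the thread against constructed Tomcat
// access-log lines and report which source addresses each pattern captures.

// Pattern from Jeff's original config (php / cgi-bin probes answered with 404).
const ORIGINAL_REGEX = /^(?<ipaddress>.*?)\s.*?(php|cgi-bin).*?\s404\s[0-9]+$/;

// The poster's 24-mar revision: more probe keywords, plus any request that
// Tomcat rejected outright with "400 -".
const REVISED_REGEX = /^(?<ipaddress>.*?)\s.*?((php|md5sum|cgi-bin|joomla).*?\s404\s[0-9]+$|\s400\s-)$/;

// Constructed sample lines. The four "400 -" lines reproduce the ones quoted
// in the post; the rest are invented to show a php hit, a joomla hit, a
// legitimate request, and a 404 whose byte-count column is "-" instead of a number.
const SAMPLE_LOG = [
  '203.0.113.10 - - [15/Mar/2020:09:00:01 -0400] "GET /phpmyadmin/index.php HTTP/1.1" 404 1024',
  '203.0.113.11 - - [15/Mar/2020:09:00:02 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 404 -',
  '203.0.113.12 - - [15/Mar/2020:09:00:03 -0400] "GET /administrator/joomla HTTP/1.1" 404 512',
  '198.51.100.5 - - [15/Mar/2020:09:00:04 -0400] "GET /app/login HTTP/1.1" 200 8192',
  '99.240.148.76 - - [15/Mar/2020:09:43:32 -0400] "GET / HTTP/1.1" 400 -',
  '93.65.211.247 - - [15/Mar/2020:11:55:11 -0400] "GET / HTTP/1.1" 400 -',
  '222.186.19.221 - - [15/Mar/2020:15:56:16 -0400] "CONNECT ip.ws.126.net:443 HTTP/1.1" 400 -',
  '52.149.53.107 - - [15/Mar/2020:19:41:39 -0400] "OPTIONS / null" 400 -',
];

// Return the distinct ipaddress captures that `regex` pulls out of `lines`,
// in first-seen order: the addresses IPBan would count as failed attempts.
// (Helper name is this example's own, not an IPBan API.)
function extractBanCandidates(lines, regex) {
  const seen = new Set();
  for (const line of lines) {
    const m = regex.exec(line);
    if (m && m.groups && m.groups.ipaddress) {
      seen.add(m.groups.ipaddress);
    }
  }
  return [...seen];
}

// One wrapper per pattern, run over the constructed sample.
function originalHits() { return extractBanCandidates(SAMPLE_LOG, ORIGINAL_REGEX); }
function revisedHits() { return extractBanCandidates(SAMPLE_LOG, REVISED_REGEX); }

// Stand-alone run: print what each pattern would ban.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('original pattern bans:', originalHits());
  console.log('revised pattern bans:', revisedHits());
}
```

Two things worth seeing in the output: the (?<ipaddress>.*?)\s group stops at the first whitespace, which in Tomcat's access-log layout is the client address, so that is what IPBan receives; and the 404 branch ends in [0-9]+, so a 404 line whose last column is "-" (the constructed cgi-bin line) is matched by neither pattern, while all four quoted "400 -" lines are picked up by the revised one.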