#53562 by Jaymer
Mon Mar 23, 2020 9:07 pm
see orig thread: https://www.awareim.com/forum/viewtopic.php?f=1&t=10308

I recently got with Jeff and he made me a script to check my Tomcat ports for the assholes.

I wish real life fishing was this easy ... my ban log grows daily with these RDP attempts that it catches out of the box. It's nice!

anyway, here's what he sent me to add into his config file:
Code:
      <!-- Apache Tomcat failed attempts, Windows -->
      <LogFile>
        <Source>Apache</Source>
        <PathAndMask>
           C:/AwareIM/Tomcat/logs/*access_log*.txt
        </PathAndMask>
        <Recursive>true</Recursive>

        <FailedLoginRegex>
          <![CDATA[
            ^(?<ipaddress>.*?)\s.*?(php|cgi-bin).*?\s404\s[0-9]+$
          ]]>
        </FailedLoginRegex>

        <PlatformRegex>Windows</PlatformRegex>
        <PingInterval>10000</PingInterval>
        <MaxFileSize>16777216</MaxFileSize>
      </LogFile>


Pretty straightforward. Modify the Path for your naming conventions.
The RegEx finds lines and bans matches.
I DO NOT have any php/cgi-bin activity, so I ban all that - if you do, then you'll have a tougher job.

Since his 1st email, I found more attempts in my log where guys were just hitting the server, not specifically using "php" yet ... like just seeing if there's something out there.
So instead of a 404 error, they were getting 400.

Code:
99.240.148.76 - - [15/Mar/2020:09:43:32 -0400] "GET / HTTP/1.1" 400 -
93.65.211.247 - - [15/Mar/2020:11:55:11 -0400] "GET / HTTP/1.1" 400 -
222.186.19.221 - - [15/Mar/2020:15:56:16 -0400] "CONNECT ip.ws.126.net:443 HTTP/1.1" 400 -
52.149.53.107 - - [15/Mar/2020:19:41:39 -0400] "OPTIONS / null" 400 -


I want to also ban anyone where I find a " 400 -"
So here's another modified RegEx to get them:
Code:
^(?<ipaddress>.*?)\s.*?((php|md5sum|cgi-bin|joomla).*?\s404\s[0-9]+$|\s400\s-)$

(edited 24-mar)


Jeff says he uses https://regex101.com/ for testing, FYI.
Last edited by Jaymer on Wed Mar 25, 2020 1:29 am, edited 1 time in total.
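As an added example (not from the post above and not IPBan's own code), the following runs the final regex from the post over a handful of constructed Tomcat access-log lines and collects the source addresses IPBan's FailedLoginRegex would hand to the ban list; it also shows that a normal 200 hit and a 404 on a non-php path are left alone. JavaScript is used because it accepts the same `(?<ipaddress>...)` named-group syntax as the .NET regex engine IPBan runs; the sample addresses are documentation ranges, not real hits.

```javascript
// Final FailedLoginRegex from the post, unchanged. One line is tested at a time,
// which is how IPBan evaluates the log, so no multiline flag is needed.
const FAILED_LOGIN_REGEX =
  /^(?<ipaddress>.*?)\s.*?((php|md5sum|cgi-bin|joomla).*?\s404\s[0-9]+$|\s400\s-)$/;

// Constructed sample lines in Tomcat's default access-log layout
// (client - - [time] "request" status bytes). Addresses are documentation ranges.
const SAMPLE_LOG = [
  '198.51.100.20 - - [15/Mar/2020:09:43:32 -0400] "GET / HTTP/1.1" 400 -',
  '198.51.100.21 - - [15/Mar/2020:15:56:16 -0400] "CONNECT example.net:443 HTTP/1.1" 400 -',
  '203.0.113.10 - - [15/Mar/2020:16:02:01 -0400] "GET /wp-login.php HTTP/1.1" 404 1043',
  '203.0.113.11 - - [15/Mar/2020:16:03:44 -0400] "GET /cgi-bin/test HTTP/1.1" 404 987',
  // Legitimate traffic that must NOT match: a normal page load and a 404 for a
  // missing stylesheet under the application's own path.
  '192.0.2.7 - - [15/Mar/2020:16:05:12 -0400] "GET /AwareIM/logon.aw HTTP/1.1" 200 5120',
  '192.0.2.8 - - [15/Mar/2020:16:06:30 -0400] "GET /AwareIM/missing.css HTTP/1.1" 404 770',
];

// Apply the regex line by line and return every hit with the captured address.
// Caveat for anyone fronting Tomcat with a reverse proxy: the first field is then
// the proxy's address, so this regex would ban the proxy rather than the client.
function matchFailedLogins(lines, regex = FAILED_LOGIN_REGEX) {
  const hits = [];
  for (const line of lines) {
    const m = regex.exec(line);
    if (m) hits.push({ ip: m.groups.ipaddress, line });
  }
  return hits;
}

// Distinct addresses the configuration above would submit for banning.
function bannedIps(lines) {
  return [...new Set(matchFailedLogins(lines).map((h) => h.ip))];
}

console.log(bannedIps(SAMPLE_LOG));
```

Paste any line from your own access log into SAMPLE_LOG to confirm it lands on the side you expect before the rule goes live.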
#53572 by Jaymer
Wed Mar 25, 2020 1:31 am
No, haven't tried that.
I had a tiny bug in my RE, but it's fixed now and I edited my post. thx
