I recently got with Jeff and he made me a script to check my Tomcat ports for the assholes.
I wish real-life fishing was this easy ... my ban log grows daily with these RDP attempts that it catches out of the box. It's nice!
Anyway, here's what he sent me to add into his config file:
<!-- Apache Tomcat failed attempts, Windows -->
<LogFile>
    <Source>Apache</Source>
    <PathAndMask>
        C:/AwareIM/Tomcat/logs/*access_log*.txt
    </PathAndMask>
    <Recursive>true</Recursive>
    <FailedLoginRegex>
        <![CDATA[
        ^(?<ipaddress>.*?)\s.*?(php|cgi-bin).*?\s404\s[0-9]+$
        ]]>
    </FailedLoginRegex>
    <PlatformRegex>Windows</PlatformRegex>
    <PingInterval>10000</PingInterval>
    <MaxFileSize>16777216</MaxFileSize>
</LogFile>
The RegEx finds lines and bans matches.
I DO NOT have any php/cgi-bin activity, so I ban all that - if you do, then you'll have a tougher job.
Since his first email, I found more attempts in my log where guys were just hitting the server, not specifically using "php" yet ... like just seeing if there's something out there.
So instead of a 404 error, they were getting 400.
99.240.148.76 - - [15/Mar/2020:09:43:32 -0400] "GET / HTTP/1.1" 400 -
93.65.211.247 - - [15/Mar/2020:11:55:11 -0400] "GET / HTTP/1.1" 400 -
222.186.19.221 - - [15/Mar/2020:15:56:16 -0400] "CONNECT ip.ws.126.net:443 HTTP/1.1" 400 -
52.149.53.107 - - [15/Mar/2020:19:41:39 -0400] "OPTIONS / null" 400 -
So here's another modified RegEx to get them:
^(?<ipaddress>.*?)\s.*?((php|md5sum|cgi-bin|joomla).*?\s404\s[0-9]+$|\s400\s-)$
Jeff says he uses https://regex101.com/ for testing, FYI.
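As an added example (not from the post above and not part of Jeff's tool), here the two patterns from the thread are run in JavaScript over constructed Tomcat access-log lines, so you can see which lines each version matches and which address the `ipaddress` group captures. The log lines are made up for this example; the patterns are copied verbatim from the post.

```javascript
// Added example: dry-run the two FailedLoginRegex patterns from the thread
// against constructed Tomcat access-log lines. The patterns use named groups
// in the (?<name>...) form, which JavaScript regexes accept unchanged.

// First version from the post: php / cgi-bin probes that got a 404.
const REGEX_V1 = /^(?<ipaddress>.*?)\s.*?(php|cgi-bin).*?\s404\s[0-9]+$/;

// Second version from the post: more probe keywords, plus any "400 -" line.
const REGEX_V2 =
  /^(?<ipaddress>.*?)\s.*?((php|md5sum|cgi-bin|joomla).*?\s404\s[0-9]+$|\s400\s-)$/;

// Constructed sample lines (RFC 5737 documentation addresses, not real hits).
const SAMPLE_LOG = [
  '203.0.113.10 - - [15/Mar/2020:09:43:32 -0400] "GET / HTTP/1.1" 400 -',
  '203.0.113.11 - - [15/Mar/2020:10:01:02 -0400] "GET /phpmyadmin/index.php HTTP/1.1" 404 1020',
  '203.0.113.12 - - [15/Mar/2020:10:05:44 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 404 987',
  '203.0.113.13 - - [15/Mar/2020:10:09:13 -0400] "OPTIONS / null" 400 -',
  // Legitimate traffic: a normal 200 and an ordinary 404 with no probe keyword.
  '198.51.100.5 - - [15/Mar/2020:10:12:00 -0400] "GET /AwareIM/logon.aw HTTP/1.1" 200 5123',
  '198.51.100.6 - - [15/Mar/2020:10:15:00 -0400] "GET /missing.html HTTP/1.1" 404 431',
];

// Returns the captured ipaddress when the pattern matches the line, else null.
function matchLine(pattern, line) {
  const m = pattern.exec(line);
  return m ? m.groups.ipaddress : null;
}

// Runs a pattern over every line and returns the addresses that would be banned.
function bannedAddresses(pattern, lines) {
  return lines.map((l) => matchLine(pattern, l)).filter((ip) => ip !== null);
}

// Stand-alone run: show what each version of the pattern would ban.
console.log('v1 bans:', bannedAddresses(REGEX_V1, SAMPLE_LOG));
console.log('v2 bans:', bannedAddresses(REGEX_V2, SAMPLE_LOG));
```

The ordinary 404 and the 200 line stay unmatched by both versions, while every "400 -" line is picked up by the second pattern regardless of what was requested.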