Re: access_log?


Subject: Re: access_log?
From: Nathan A. McQuillen (nm@steaky.dhs.org)
Date: Fri Jan 25 2002 - 02:17:34 MST


Blocking the IPs seems pretty darned efficient to me. I don't know; I was
getting upwards of 400 unique virus hosts a night on Charter's cable
network, enough that the access light on my cable modem was pretty much
lit up steady much of the night.

Blocking the IPs is a breeze if you have PHP enabled, and the same script
can be used to compile lists of virus hosts to send to the abuse people at
your broadband provider, just in case they ever decide to do something
about all this.

Just my 2 cents, of course; have a good one.

- n2

> > That isn't entirely true- I've had the same IPs hit me different times
> > and dates. But I do agree that blocking the IPs wouldn't be very
> > efficient, it would be nice if we could just block the requests
> > themselves...
> >
> > I noticed that most of the offending IPs are in the form of 65.*.*.*, 65
> > in the first set of numbers in the IP... I'm on roadrunner, which is
> > 65.31.*.*, but some of the requests are from other ISPs. Any certain
> > pattern to the IPs that attack your servers?
>
> Yes, roadrunner, mediaone, attbi....
>
> For New England, I think all IPs start with 24.128....at least for now.
> That is where all the requests are coming from. I sent in the edited access
> log to mediaone abuse. I know someone has a creative way of blocking the
> request but it's not very high on my priority list. I was just floored when
> I saw 2mb (not really that big, but for a not public web server it is..) in
> the access log.
>
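
The message above describes one script that both blocks the offending hosts and compiles a list for the provider's abuse desk. The following is an added example of that idea in Python, not the poster's PHP script (which the page does not show). It assumes an Apache Common Log Format access_log, Apache's `Deny from` directive for the block list, and a placeholder request pattern, since the thread does not say what the requests look like.

```python
import re
from collections import Counter

# Assumption: placeholder marker for the unwanted requests; the thread does
# not show them, so substitute the pattern seen in your own access_log.
PROBE = re.compile(r"/WORM-PROBE-PLACEHOLDER")

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Jan/2002:01:02:03 -0700] "GET /WORM-PROBE-PLACEHOLDER?a HTTP/1.0" 404 276
192.0.2.10 - - [25/Jan/2002:01:02:04 -0700] "GET /WORM-PROBE-PLACEHOLDER?b HTTP/1.0" 404 276
198.51.100.7 - - [25/Jan/2002:01:05:00 -0700] "GET /index.html HTTP/1.1" 200 1043
192.0.2.77 - - [25/Jan/2002:01:09:41 -0700] "GET /WORM-PROBE-PLACEHOLDER HTTP/1.0" 404 276
203.0.113.5 - - [25/Jan/2002:01:11:15 -0700] "GET /WORM-PROBE-PLACEHOLDER HTTP/1.0" 404 276
garbage line that is not in log format
"""

def probing_hosts(log_text, pattern=PROBE):
    """Return {ip: [hit_count, first_seen, last_seen]} for matching requests."""
    hosts = {}
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or not pattern.search(m.group(3)):
            continue  # unparseable line or an ordinary request
        ip, when = m.group(1), m.group(2)
        rec = hosts.setdefault(ip, [0, when, when])
        rec[0] += 1
        rec[2] = when
    return hosts

def by_network(hosts, octets=2):
    """Count unique hosts per leading-octet prefix (e.g. '65.31')."""
    return Counter(".".join(ip.split(".")[:octets]) for ip in hosts)

def deny_lines(hosts):
    """Apache 'Deny from' lines, one per host, sorted numerically."""
    key = lambda ip: tuple(int(p) for p in ip.split("."))
    return ["Deny from " + ip for ip in sorted(hosts, key=key)]

def abuse_report(hosts):
    """Tab-separated host, hit count, first and last timestamp per host."""
    return ["\t".join([ip, str(n), first, last])
            for ip, (n, first, last) in sorted(hosts.items())]

if __name__ == "__main__":
    found = probing_hosts(SAMPLE_LOG)
    print("\n".join(deny_lines(found) + abuse_report(found)))
    print(dict(by_network(found)))
```

The per-prefix count from `by_network` addresses the question raised in the quoted replies about whether the hosts cluster in particular provider ranges.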



This archive was generated by hypermail 2a24 : Fri Jan 25 2002 - 02:32:12 MST