
...

I've spent quite some time consistently monitoring access logs and understanding the various patterns malicious entities use when scanning for exploits. I find it very interesting (please tell me other people sometimes just `less +F` their apache logs while eating lunch...) and have noticed some interesting approaches here.

Anyways, once I understand the general attack approaches particular to my servers, I usually implement something like the excellent fail2ban to automagically (perma?)ban IP addresses. It always makes me smile when I see these requests hit my server and then see the (virtual) ban hammer drop on them.

...

Now, testing to verify that our apache-custom filter is working is extremely important. Regular expressions are very easy to mess up. Fail2ban comes with some nice tools that we can use to test our filter, but we first need something to test against. I like to keep a log with actual (attack) requests to my server. Whenever I find a new pattern that I want to ban, I add the actual request to a samples.log file. For example, here is one which has actual requests to my server (and the actual IP addresses they came from - woe unto the IP addresses below, I hereby publicly shame thee!):


...