[BlueOnyx:15247] Re: Dfix/Dfix2

Michael Stauber mstauber at blueonyx.it
Tue Apr 22 20:58:36 -05 2014


Hi Will,

> Thanks for taking a look - in the case I'm dealing with (one of my
> users is website admin on about 40% of my server), it is accesslog-b2. 

Edit /etc/sec/accesslog-apache.sec and find this block:

type=SingleWithThreshold
ptype=RegExp
pattern=^\S+\s(\S+)\s-\s\S+\s\[\S+\s\S+\]\s\"\S+ (.*) HTTP/\S.\S\" 404 \S+ \"(\S+)\" \"(.*)\"$
desc=accesslog-b2 $1
action=event BLOCK, $1, accesslog-b2
window=30
thresh=10

Comment it all out like this:

#type=SingleWithThreshold
#ptype=RegExp
#pattern=^\S+\s(\S+)\s-\s\S+\s\[\S+\s\S+\]\s\"\S+ (.*) HTTP/\S.\S\" 404 \S+ \"(\S+)\" \"(.*)\"$
#desc=accesslog-b2 $1
#action=event BLOCK, $1, accesslog-b2
#window=30
#thresh=10

Then restart DFIX: "/sbin/service sec restart"

That should take care of it. One of the pages that he accesses has a lot
of 404 errors. Enough to trigger a block. This is something he might
want to look at anyway. Or what else you could do: Adjust the last two
lines starting with "window" (defines the time in seconds) and
"thresh" (defines how often the rule needs to trigger within the given
timeframe before the offending IP is blocked).

-- 
With best regards

Michael Stauber
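The following is an added example, not code from Michael's reply or from BlueOnyx/DFIX: it replays the accesslog-b2 rule above in Python, so you can see which IPs the window/thresh pair would block before changing the real file. The regex is the one from the rule, with one extra capture group around the timestamp so the replay can order events by log time (SEC itself counts on event arrival time, which amounts to the same thing on a live tail). The log lines are constructed, the vhost-first "www.example.com ... " layout and the IPs are assumptions, and the counter reset after a block is a simplification of SEC's SingleWithThreshold behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex of the accesslog-b2 rule. The only change is the capture group
# around the timestamp, which this offline replay needs for ordering.
RULE_404 = re.compile(
    r'^\S+\s(\S+)\s-\s\S+\s\[(\S+\s\S+)\]\s"\S+ (.*) HTTP/\S.\S" 404 \S+ "(\S+)" "(.*)"$'
)


def parse_404(line):
    """Return (ip, timestamp, path) for a 404 hit, or None for any other line."""
    m = RULE_404.match(line)
    if not m:
        return None
    ip, stamp, path = m.group(1), m.group(2), m.group(3)
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts, path


def find_blocks(lines, window=30, thresh=10):
    """Replay SingleWithThreshold: an IP is blocked once it produces `thresh`
    404s within any `window`-second span. Returns [(ip, time_of_block, path)].
    Simplification (assumption): the per-IP counter is cleared after a block."""
    hits = defaultdict(deque)
    blocks = []
    for line in lines:
        parsed = parse_404(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        q = hits[ip]
        q.append(ts)
        # Slide the window: drop hits older than `window` seconds.
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= thresh:
            blocks.append((ip, ts, path))
            q.clear()
    return blocks


def blocked_ips(lines, window=30, thresh=10):
    """Just the IPs that would hit 'event BLOCK', in the order they trigger."""
    return [ip for ip, _, _ in find_blocks(lines, window, thresh)]


def _line(ip, sec, path, status, size=512):
    """Constructed combined-log line in the vhost-first layout the rule expects."""
    return ('www.example.com %s - - [22/Apr/2014:20:58:%02d -0500] '
            '"GET %s HTTP/1.1" %d %d "-" "Mozilla/5.0"'
            % (ip, sec, path, status, size))


# Constructed sample log, not real traffic:
SAMPLE_LOG = (
    # a scanner probing for admin pages: 12 misses spread over 22 seconds
    [_line("203.0.113.5", s, "/probe%d.php" % s, 404) for s in range(0, 24, 2)]
    # the "website admin" case: one page view whose HTML references 11
    # missing assets, all fetched within the same second
    + [_line("198.51.100.7", 30, "/index.html", 200)]
    + [_line("198.51.100.7", 30, "/img/missing%d.png" % i, 404) for i in range(11)]
    # a visitor with a single mistyped URL never reaches the threshold
    + [_line("192.0.2.9", 40, "/abuot.html", 404)]
)


if __name__ == "__main__":
    for window, thresh in ((30, 10), (10, 10), (30, 20)):
        print("window=%d thresh=%d -> blocked: %s"
              % (window, thresh, blocked_ips(SAMPLE_LOG, window, thresh)))
```

With the rule's defaults both the scanner and the legitimate visitor whose page pulls in many missing assets get blocked, which is exactly the situation in the thread. Shrinking the window to 10 seconds still lets the slow scanner through while the one-page burst is still caught, and raising thresh to 20 blocks nobody in this sample; the point is that tuning window/thresh trades one miss for the other, so fixing the page that throws the 404s is the cleaner fix.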


