[BlueOnyx:15250] Re: Dfix/Dfix2

Will Nordmeyer, WnA Consulting Services will at wnahosting.com
Wed Apr 23 08:07:01 -05 2014


On Tue, 22 Apr 2014 20:58:36 -0500, Michael Stauber
<mstauber at blueonyx.it> wrote:
> Hi Will,
> 
>> Thanks for taking a look - in the case I'm dealing with (one of my
>> users is website admin on about 40% of my server), it is accesslog-b2.
> 
> Edit /etc/sec/accesslog-apache.sec and find this block:
> 
> type=SingleWithThreshold
> ptype=RegExp
> pattern=^\S+\s(\S+)\s-\s\S+\s\[\S+\s\S+\]\s\"\S+ (.*) HTTP/\S.\S\" 404 \S+ \"(\S+)\" \"(.*)\"$
> desc=accesslog-b2 $1
> action=event BLOCK, $1, accesslog-b2
> window=30
> thresh=10
> 
> Comment it all out like this:
> 
> #type=SingleWithThreshold
> #ptype=RegExp
> #pattern=^\S+\s(\S+)\s-\s\S+\s\[\S+\s\S+\]\s\"\S+ (.*) HTTP/\S.\S\" 404 \S+ \"(\S+)\" \"(.*)\"$
> #desc=accesslog-b2 $1
> #action=event BLOCK, $1, accesslog-b2
> #window=30
> #thresh=10
> 
> Then restart DFIX: "/sbin/service sec restart"
> 
> That should take care of it. One of the pages that he accesses has a lot
> of 404 errors. Enough to trigger a block. This is something he might
> want to look at anyway. Or what else you could do: Adjust the last two
> lines starting with "window" (defines the time in seconds) and
> "threshold" (defines how often the rule needs to trigger within the given
> timeframe before the offending IP is blocked).

Thanks Mike & Greg...  I made the changes - I didn't disable it, but
increased the error/timeouts. We are in the process of migrating to a
new server (5108 from 5106) and she usually gets blocked when she's
migrating one of the specific sites.  So I think as she's moving things
over she gets 404'ed during testing.

--Will
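
The window/thresh counting discussed in this thread, as an added example that is not part of either message and is not DFIX or SEC code: it applies the quoted accesslog-b2 pattern to constructed log lines and counts 404s per client IP. The sliding-window count is a simplified model of SEC's SingleWithThreshold behaviour; the function names, the sample host name and the 192.0.2.10 address are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Pattern copied from the accesslog-b2 rule quoted above, joined onto one line.
PATTERN = re.compile(
    r'^\S+\s(\S+)\s-\s\S+\s\[\S+\s\S+\]\s\"\S+ (.*) HTTP/\S.\S\" 404 '
    r'\S+ \"(\S+)\" \"(.*)\"$'
)

def blocked_ips(lines, window=30, thresh=10):
    """Return {ip: time of the hit that would raise BLOCK} (hypothetical helper)."""
    recent = defaultdict(deque)  # ip -> timestamps of 404s still inside the window
    blocked = {}
    for line in lines:
        m = PATTERN.match(line)
        if not m:
            continue  # not a 404 in the expected log format
        ip = m.group(1)
        # The timestamp sits between '[' and the timezone offset.
        stamp = line.split("[", 1)[1].split(" ", 1)[0]
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        # Assumption: model the rule as a sliding window of `window` seconds.
        while (ts - hits[0]).total_seconds() >= window:
            hits.popleft()
        if len(hits) >= thresh and ip not in blocked:
            blocked[ip] = ts
    return blocked

def sample_log(ip, count, gap):
    """Constructed log lines: `count` 404s from `ip`, `gap` seconds apart."""
    out = []
    for i in range(count):
        sec = i * gap
        out.append(
            f'www.example.com {ip} - - [23/Apr/2014:08:{sec // 60:02d}:{sec % 60:02d} -0500] '
            f'"GET /img/missing{i}.png HTTP/1.1" 404 345 '
            f'"http://www.example.com/" "Mozilla/5.0"'
        )
    return out

if __name__ == "__main__":
    burst = sample_log("192.0.2.10", 12, 1)  # one page load, 12 missing assets
    print("default rule:", blocked_ips(burst))
    print("thresh=25:   ", blocked_ips(burst, window=30, thresh=25))
```

A single page with a dozen missing assets reaches the default threshold within one page load, which is why raising `thresh` stops the block without disabling the rule.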
