Tool to BAN IPs based on amount of requests and response codes.

Joseph Cabezas tdgh2323 at hotmail.com
Sun Jul 8 21:41:23 UTC 2012


   Hello all!!

Is there a log parser OR nginx module out there that can do this? 
I prefer this to be a tool that can invoke an iptables action, but not necessarily.
 
 
 BAN If an IP makes more then X requests per hour or day 
(limit zone module only limits based on r/m, and r/s)
EXAMPLE USE: No IP should be able to send 600 requests to a site with 60 pages per day.

BAN If an IP makes more then X requests to a SINGLE url per hour or day 

(this is not the same as the first, the first being any URL total, this being single URL total)
EXAMPLE USE: No IP should be able to send 60 requests as GET / per day.


BAN if an IP produces more then X requests per hour or day that result in 400, or 404 errors.
EXAMPLE USE: Only scanners generate more then 40 400s, or 404s to my site.

 
Fail2Ban doesnt work on this because it does not do accounting as far as I understand, i also understand that preferably the tool should work on RAM rather then parsing logs because of intensive IO consumption.
 

If it doesnt exist can anybody orientate me if one can be created and what could i base it off?


Joseph
 		 	   		  


More information about the nginx mailing list