Bad Traffic and IPTables - RedAlt

I have a few resources on this site that are ripe for abuse. Particularly the Pingback and Trackback testing tool, Pingomation, which allows blog admins to test whether their blogs are correctly sending and receiving pingbacks and trackbacks without having to set up a separate blog themselves. (Actually, as of this writing, there is a glitch that is preventing this tool from working properly. Hopefully I'll be able to resolve that soon.)

My server became overloaded with requests this morning, so I needed a way to determine who the offenders were and quickly shut them down. The first thing I did was look through the Apache log for any suspicious activity:

tail -n50 /var/log/apache2/access.log

This command revealed a surprising number of attempts to use my Pingomation tool from various servers, as if they thought my site was some kind of announcement system. This needed to be curtailed. So I looked for the IP addresses of the most active offenders:

awk '/Pingomation/ {print $2}' /var/log/apache2/access.log | sort | uniq -c | sort -n

This command line does several things. The awk command selects any log line containing the word "Pingomation" (which would be any hit to that page on the site) and prints the second column (the $2), which in this log is the IP address. Note that in Apache's default common and combined log formats the client address is the first column ($1); $2 is right only when the LogFormat puts another field, such as the virtual host, in front of it, so check your format before copying this. Also, the pattern matches anywhere in the line, so a request whose referer or user agent happens to mention Pingomation would be counted as well. The addresses are then sorted and passed to uniq -c, which collapses runs of identical lines (this is why they must be sorted first) into a single line with a count in front. Finally I sort the results again numerically to see who has abused the site most.

At the end of the list were a few IP addresses that have hit that URL more than 200 times, one even hit it in excess of 700 times. This is just from today's log! This must be stopped. I fed each of these IP addresses into an iptables command to block access from that IP entirely, so that the request is stopped before it even bothers Apache:

iptables -I INPUT -s 80.243.189.146 -j DROP

This simply tells iptables to drop any traffic originating from 80.243.189.146, the most offensive host. Because -I inserts the rule at the head of the INPUT chain, it is evaluated before any ACCEPT rules that follow it. Like every iptables rule it lives only in kernel memory, so it is gone after a reboot unless saved with iptables-save (or your distribution's equivalent persistence mechanism).

I was careful to filter the IP addresses for those used by Google and other search engines for spidering (there weren't any), since denying access to those addresses would ultimately remove my site from their search indexes. A crawler address can be confirmed with a reverse DNS lookup of the IP followed by a forward lookup of the returned hostname, which must resolve back to the same IP; a user agent string alone proves nothing, since abusers can set it to whatever they like.
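The whole triage sequence above (find the hits, count them per address, spare the crawlers, block the rest) as one script, added here as an example and not code from the original post. It assumes an Apache combined-format log with the client address in the first field, uses constructed sample log lines, and takes a hypothetical ALLOW variable standing in for search-engine addresses you have verified yourself; the real addresses and your log's field numbers are yours to fill in.

```shell
#!/bin/sh
# Added example, not code from the original post: the log triage done end to end.
# It counts hits on a URL pattern per client address, applies a threshold, skips an
# allowlist, and prints the iptables commands for review instead of running them.

# Constructed sample log in Apache "combined" format; the client address is field 1.
# The post's awk used $2, which is right only for a format with an extra leading
# field (such as the virtual host); pass that field number as the third argument.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [12/Mar/2008:09:01:02 +0000] "POST /Pingomation HTTP/1.1" 200 512 "-" "curl/7.18"
192.0.2.1 - - [12/Mar/2008:09:01:05 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2008:09:01:09 +0000] "POST /Pingomation HTTP/1.1" 200 512 "-" "curl/7.18"
198.51.100.7 - - [12/Mar/2008:09:02:11 +0000] "POST /Pingomation HTTP/1.1" 200 512 "-" "Python-urllib/2.5"
203.0.113.99 - - [12/Mar/2008:09:02:30 +0000] "GET /Pingomation HTTP/1.1" 200 512 "-" "Examplebot/1.0"
203.0.113.10 - - [12/Mar/2008:09:03:00 +0000] "POST /Pingomation HTTP/1.1" 200 512 "-" "curl/7.18"
203.0.113.99 - - [12/Mar/2008:09:03:10 +0000] "GET /Pingomation HTTP/1.1" 200 512 "-" "Examplebot/1.0"
198.51.100.7 - - [12/Mar/2008:09:03:40 +0000] "POST /Pingomation HTTP/1.1" 200 512 "-" "Python-urllib/2.5"
203.0.113.99 - - [12/Mar/2008:09:04:00 +0000] "GET /Pingomation HTTP/1.1" 200 512 "-" "Examplebot/1.0"
203.0.113.10 - - [12/Mar/2008:09:04:20 +0000] "POST /Pingomation HTTP/1.1" 200 512 "-" "curl/7.18"
EOF

# Print "count ip" lines for requests whose path matches PATTERN, most active last.
# Matching the request-path field alone (field 7 in combined format, i.e. the IP
# field plus 6) avoids counting lines where the pattern only appears in the
# referer or user agent.
top_offenders() {
    log="$1"; pattern="$2"; ipf="${3:-1}"; reqf="${4:-$((ipf + 6))}"
    awk -v pat="$pattern" -v ipf="$ipf" -v reqf="$reqf" \
        '$reqf ~ pat { print $ipf }' "$log" | sort | uniq -c | sort -n
}

# Print one "iptables -I INPUT -s IP -j DROP" line per address with at least
# THRESHOLD hits, skipping addresses listed in ALLOW (space separated).
# Nothing is executed here; the output is meant to be read first.
block_commands() {
    log="$1"; pattern="$2"; threshold="$3"; ipf="${4:-1}"; allow="${5:-}"
    top_offenders "$log" "$pattern" "$ipf" | awk -v th="$threshold" -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 + 0 >= th + 0 && !($2 in skip) { printf "iptables -I INPUT -s %s -j DROP\n", $2 }'
}

# Hypothetical allowlist: addresses you have confirmed as search-engine crawlers by
# forward-confirmed reverse DNS (host IP, then host NAME must give the same IP).
# 203.0.113.99 stands in for such an address in the constructed log.
ALLOW="203.0.113.99"

# Review the output; pipe it through "sh" as root only once it looks right.
block_commands "$SAMPLE_LOG" '^/Pingomation' 3 1 "$ALLOW"
```

With the sample log and a threshold of 3, only 203.0.113.10 (four hits) is emitted: 198.51.100.7 is below the threshold and 203.0.113.99 is allowlisted. Keep the threshold well above what a legitimate blog sending one or two pingbacks would produce, and remember that the generated rules, once applied, vanish on reboot unless saved.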
