[AusNOG] Some pointers on dealing with a botnet targeting an application server
Paul Gear
paul at libertysys.com.au
Fri Mar 2 09:43:47 EST 2012
On 02/03/12 07:38, Richard wrote:
> Hi Shane,
>
> Something like this may be of use:
>
> http://www.fail2ban.org/wiki/index.php/Main_Page
>
> You could use similar logic to take action at your border rather than on
> individual host machines. It should be pretty simple to grep evil GET
> requests from an HTTP log, awk out the correct field, then schedule the
> above to occur automatically.
+1 for fail2ban. Set a fairly low maxretry (e.g. 2 or 3).
If it helps, I've got some Puppet recipes for it here:
https://github.com/paulgear/puppet/tree/88c637a8825ff4cbc47a9759137cf4662396a0e3/modules/fail2ban
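The grep-then-awk pipeline Richard describes, with Paul's low maxretry applied as the threshold, as an added example written for this page (not code from the thread, from fail2ban, or from the Puppet module linked above). The access-log lines, the "evil" request path `/cgi-bin/evil.cgi`, the function names and the iptables rule format are all constructed assumptions; the script only prints the rules it derives so an operator can review them before pushing anything to a host or border device.

```shell
#!/bin/sh
# Added example: fail2ban-style detection of repeated abusive GET requests
# in an Apache/nginx combined-format access log, followed by a dry-run
# emission of block rules. Log lines, the "evil" path and the threshold
# are constructed for illustration.

# Constructed sample log (assumption: combined log format, client IP in
# field 1). 198.51.100.7 hits the suspicious path three times,
# 192.0.2.33 once, 203.0.113.10 never.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.10 - - [02/Mar/2012:07:38:01 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Mar/2012:07:38:02 +1000] "GET /cgi-bin/evil.cgi HTTP/1.1" 404 210 "-" "curl/7.21"
198.51.100.7 - - [02/Mar/2012:07:38:03 +1000] "GET /cgi-bin/evil.cgi HTTP/1.1" 404 210 "-" "curl/7.21"
198.51.100.7 - - [02/Mar/2012:07:38:04 +1000] "GET /cgi-bin/evil.cgi HTTP/1.1" 404 210 "-" "curl/7.21"
192.0.2.33 - - [02/Mar/2012:07:38:05 +1000] "GET /cgi-bin/evil.cgi HTTP/1.1" 404 210 "-" "curl/7.21"
192.0.2.33 - - [02/Mar/2012:07:38:06 +1000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
)

# find_offenders PATTERN MAXRETRY
# Reads an access log on stdin. Keeps only lines matching the extended
# regex PATTERN (the "evil GET"), counts matches per client IP (field 1),
# and prints, sorted, every IP whose count reached MAXRETRY. This mirrors
# fail2ban's maxretry: the host is banned once it has MAXRETRY failures.
find_offenders() {
    pattern=$1
    maxretry=$2
    grep -E -- "$pattern" | awk -v max="$maxretry" '
        { count[$1]++ }
        END { for (ip in count) if (count[ip] >= max) print ip }
    ' | sort
}

# ban_rules CHAIN
# Reads one IP per line on stdin and prints (never executes) one firewall
# rule per IP. Assumption: iptables syntax; a border router or firewall
# would need its own ACL format instead.
ban_rules() {
    chain=$1
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        printf 'iptables -I %s -s %s -j DROP\n' "$chain" "$ip"
    done
}

# Stand-alone demonstration: maxretry of 3, as suggested in the thread.
printf '%s\n' "$SAMPLE_LOG" \
    | find_offenders 'GET /cgi-bin/evil\.cgi' 3 \
    | ban_rules INPUT
```

Run from cron against the rotated log, this reproduces the "schedule it automatically" step; in practice fail2ban itself is the better choice because it also handles the un-ban timer (bantime) and tails the log continuously rather than re-reading it. Two things to check before trusting field 1 as the client address: a reverse proxy in front of the server puts the proxy's IP there (the real client is in X-Forwarded-For, which the client controls), and a threshold of 2 or 3 should be applied only to request patterns that no legitimate user would ever send, or the same rule will lock out real clients.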