From: thelma@sys-concept.com
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] preventing some IP's from from being logged in apache
Date: Mon, 11 Jan 2021 17:00:06 -0700
Message-ID: <240ed30e-0c37-8cb2-33d9-468216661c64@sys-concept.com>
In-Reply-To: <7199466.EvYhyI6sBW@lenovo.localdomain>

On 1/11/21 4:41 PM, Michael wrote:
> On Monday, 11 January 2021 23:05:55 GMT thelma@sys-concept.com wrote:
>> I've one persistent user (Russian IP) that is populating my apache log
>> files.
>>
>> I tried 00_mod_log_config.conf
>>
>> SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog
>> CustomLog /var/log/apache2/deflate_log deflate env=!dontlog
>> CustomLog /var/log/apache2/access_log common env=!dontlog
>>
>> But I still see this IP in my access_log.
>
> If it is the same IP address persistently attacking the server, I would be
> tempted to block it, or the whole /24 subnet it belongs to, at the perimeter
> firewall. Of course, persistent actors will hop off another IP address, so
> there are diminishing returns in this game.

I did block this IP and it is working:

Require not ip 45.93.201.0/24

I hardly resort to blocking IPs from log files, but if they try to ping/access your network 4 or 5 times per second your log files will tend to grow.

SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog

didn't work.

Just today from about 7am to 4pm about 96K pings from this IP.
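
The flood described in this thread (4 or 5 requests per second from one address, answered with `Require not ip 45.93.201.0/24`) can be found by aggregating access_log entries per /24 and looking at the peak per-second rate. This is an added example, not code from the thread; the function names, the default threshold and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Leading fields of Apache's "common" log format: client address and [timestamp].
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ')

# Constructed sample entries (not taken from the thread's real log).
HIT = '{ip} - - [11/Jan/2021:07:00:{s:02d} -0700] "GET / HTTP/1.1" 200 512'
SAMPLE_LOG = ([HIT.format(ip="45.93.201.104", s=1)] * 5
              + [HIT.format(ip="45.93.201.104", s=2)]
              + [HIT.format(ip="192.0.2.10", s=s) for s in (1, 5, 9)]
              + ["truncated or malformed line"])


def summarize(lines, prefix_len=24):
    """Return (total requests, peak requests in one second) per IPv4 network."""
    totals, per_second = Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a common-format entry
        try:
            addr = ipaddress.IPv4Address(m.group(1))
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # hostname, IPv6 client, or unparsable timestamp
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        totals[net] += 1
        per_second[(net, ts)] += 1
    peak = Counter()
    for (net, _), count in per_second.items():
        peak[net] = max(peak[net], count)
    return totals, peak


def require_lines(lines, min_peak=4):
    """Build 'Require not ip' lines for networks at or above min_peak req/s."""
    totals, peak = summarize(lines)
    noisy = sorted((n for n in totals if peak[n] >= min_peak), key=str)
    return [f"Require not ip {net}" for net in noisy]


if __name__ == "__main__":
    for directive in require_lines(SAMPLE_LOG):
        print(directive)
```

In Apache 2.4 a `Require not ip` line has to sit inside a `<RequireAll>` block next to a positive directive such as `Require all granted`, because a negated directive cannot authorize a request on its own.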