You're looking for fail2ban, a program which combines active log-monitoring with IP blacklisting and other response measures. You can configure it so that after "X" 404s from a single client, that client gets their IP blacklisted for Y hours.

On Tue, Dec 13, 2011 at 9:34 AM, Jeffrey Moncrieff <jeffrey [ dot ] moncrieff [ at ] yahoo [ dot ] ca> wrote:
>
> Hello
>
> I am hosting a couple of virtual web servers at home. The sites are not that busy. But I am seeing a lot of 404 errors, and this morning I was checking my daily logwatch report and I spotted something weird in the logs
>
> A total of 2 sites probed the server
> 122.255.96.164
> 85.88.195.35
>
> A total of 3 possible successful probes were detected (the following URLs
> contain strings that match one or more of a listing of strings that
> indicate a possible exploit):
>
> /?file=../../../../../../proc/self/environ%00 HTTP Response 200
> /?mod=../../../../../../proc/self/environ%00 HTTP Response 200
> /?page=../../../../../../proc/self/environ%00 HTTP Response 200
>
> I have since blocked those IPs with iptables. But now I want to know if there is a script that I can run that automatically blocks suspected malicious IPs, or do I just have to babysit the server and keep a closer eye on the logs.
>
> Jeff
>
> Jeffrey Dean Moncrieff
> Moncrieff consulting IT
> Vancouver/Ottawa
> Cell (613)298-6493
> jeffrey [ dot ] moncrieff [ at ] yahoo [ dot ] ca
> _______________________________________________
> Linux mailing list
> Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> http://oclug.on.ca/mailman/listinfo/linux

--
Evil will always triumph, because good is dumb
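The detection idea from this thread, as an added example (not part of the original messages and not fail2ban's own code): count 404s per client inside a time window, and separately flag the traversal probes from the logwatch report, which returned HTTP 200 and so would not trip a 404 counter. The combined log format, the thresholds, the function name and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Combined log format prefix: client, [timestamp], "METHOD url ...", status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Traversal, /proc/self/environ or a NUL byte in the decoded URL.
PROBE = re.compile(r'\.\./|/proc/self/environ|\x00')

def find_offenders(lines, max_404=3, window=timedelta(minutes=10)):
    """Return {ip: reason}; max_404 and window are assumed thresholds."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
    offenders = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # not a combined-format line
        ip, ts, url, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        # Decode twice so double-encoded input (%252e%252e%252f) is seen too.
        if PROBE.search(unquote(unquote(url))):
            offenders.setdefault(ip, f"traversal probe, HTTP {status}")
        elif status == "404":
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:
                q.popleft()       # forget 404s older than the window
            if len(q) >= max_404:
                offenders.setdefault(ip, f"{len(q)} 404s in window")
    return offenders

# Constructed sample lines using documentation-range addresses.
SAMPLE = [
    '192.0.2.10 - - [13/Dec/2011:06:01:02 -0500] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [13/Dec/2011:06:10:00 -0500] "GET /a.php HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.7 - - [13/Dec/2011:06:10:05 -0500] "GET /b.php HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.7 - - [13/Dec/2011:06:10:09 -0500] "GET /c.php HTTP/1.1" 404 210 "-" "-"',
    '203.0.113.5 - - [13/Dec/2011:06:00:00 -0500] "GET /old.html HTTP/1.1" 404 210 "-" "-"',
    '203.0.113.5 - - [13/Dec/2011:06:30:00 -0500] "GET /old2.html HTTP/1.1" 404 210 "-" "-"',
    '203.0.113.5 - - [13/Dec/2011:06:35:00 -0500] "GET /old3.html HTTP/1.1" 404 210 "-" "-"',
    '203.0.113.5 - - [13/Dec/2011:06:36:00 -0500] "GET /index.html HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for ip, why in find_offenders(SAMPLE).items():
        print(ip, why)
```

The third client has three 404s but spread over 35 minutes, so it stays under the threshold; that is the effect a counting window has on ordinary broken links.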