Last active
February 23, 2022 04:57
-
-
Save hebrides/31e868e694de7ee8ca50965b7641c9ac to your computer and use it in GitHub Desktop.
Parse nginx error logs to find then deny suspicious IPs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!bin/bash | |
| # The first script (I) will show you locations of the bot servers / proxies. | |
| # The second (II) denies access. | |
| # NOTE: Use an automated service like fail2ban before using these scripts. | |
| # These are handy for bots that slip through the cracks. | |
| # | |
| # Ref: https://stackoverflow.com/questions/67812746/someone-made-some-wp-wlwmanifest-xml-http-requests-but-why | |
| # TODO: | |
| # 1) Add a filter denying all shady IPs from outside USA | |
| # 2) Investigate adding to weekly cron & sending mail / SMS on ERROR. | |
| # 3) Filter legitimate from abnormal requests | |
| # I. Search error log for likely attacks, then show locations: | |
| # (Note: Remove rip grep command for ALL locations.) | |
| # 1. Export log #2. Search for suspicious request #3. Get IP #4. Rm repeats #5. Rm blanks #6. Show address location info | |
| cat /var/log/nginx/error.log | rg "wp-login.php" | awk -F'client: ' '{ print $2}' | cut -d , -f 1 | awk '!seen[$0]++' | awk NF | xargs -n 1 -I ADDRESS curl https://ipinfo.io/ADDRESS | |
| # II. Add to nginx deny.conf file | |
| printf "\n# $(date '+%F %T')\n\n" >> /etc/nginx/conf.d/deny.conf; cat /var/log/nginx/error.log | rg "(wp-login.php|wp-includes)" | awk -F'client: ' '{ print $2}' | cut -d , -f 1 | awk '!seen[$0]++' | awk NF | xargs -I ADDRESS echo "deny ADDRESS;" >> /etc/nginx/conf.d/deny.conf | |
| ## III. Restart server | |
| service nginx reload |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment