PF DoS - How to extract IP addresses from Apache access.log?

Aknot · 2025-10-11T09:06:07+0100

I'm having an ongoing DoS to a certain directory on our Apache web server.

There are a few hundred requests at once, every one to five minutes, always to the same directory, always from the same IP addresses.

As a quick solution, I have removed that directory, making Apache generate a 404 response, and not overload the server.
Otherwise, the server is spiking in CPU, and sometimes dies due to memory issues.

I have both mod evasive and fail2ban installed, but I find them difficult to configure for this.

Is it possible to extract all the IP addresses from
httpd-access.log with awk, cat or grep?
This is how a request looks like:

Code:

123.123.123.123 - - [11/Oct/2025:07:49:48 +0200] 946 69303 "GET /wheels/cars?size=354%2C357%2C458%2C529%2C543 HTTP/1.1" 404 59341 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/3.1)" www.domain.xyz 443

I need to find a way to set at least two rules e.g status code 404 and target directory "/wheels/cars?size".
There are a lot of examples, but none with two rules.

Thanks,

covacat · 2025-10-11T09:10:51+0100

i don't see an ip addr on that line

VladiBG · 2025-10-11T09:47:28+0100

Use fail2ban

failregex = ^<ADDR> \S+ \S+[^"]*"[A-Z]+ /%(baduri)s[^\"]*" 404\s

Apache2 - ban if too many 404 requests · fail2ban fail2ban · Discussion #3639

Hallo is it possible to ban IPs which are flooding my Apache2 server (Ubuntu 18.04) with too many 404 requests? I created once a service for getting the own IP, posted it in a forum for free use, b...

github.com

also you can rate limit the number of the connection per ip address

Code:

         block quick from <bad_hosts>
         pass in on    $ext_if    proto tcp to $webserver    port www keep state \
             (max-src-conn-rate    100/10,    overload <bad_hosts> flush global)

same goes for 443

pf.conf(5)

man.freebsd.org

Aknot · 2025-10-11T09:54:49+0100

covacat said:
i don't see an ip addr on that line

This is the example IP address: 123.123.123.123

Aknot · 2025-10-11T09:59:35+0100

VladiBG said:
Use fail2ban

Apache2 - ban if too many 404 requests · fail2ban fail2ban · Discussion #3639

Hallo is it possible to ban IPs which are flooding my Apache2 server (Ubuntu 18.04) with too many 404 requests? I created once a service for getting the own IP, posted it in a forum for free use, b...

github.com

also you can rate limit the number of the connection per ip address

Code:

block quick from <bad_hosts> pass in on $ext_if proto tcp to $webserver port www keep state \ (max-src-conn-rate 100/10, overload <bad_hosts> flush global)

same goes for 443

pf.conf(5)

man.freebsd.org

It seems to be a distributed attack, all the hundreds of requests have different IP addresses, so I think it would be easiest to block them manually for now.
But I need to look into the regex of fail2ban apache get dos filter - so thanks for the link.

covacat · 2025-10-11T10:09:14+0100

awk '($11 == "404") {print $1}' /var/log/access.log|uniq -c |sort -n
this will have the ips with most failed tries at the bottom
if you don't care about this just pipe the awk command thru sort -u

Aknot · 2025-10-11T12:19:08+0100

Fantastic, thanks a lot!!

Would it be possible to also set the target directory "wheels/cars" as a string to search for?

Like:

Code:

awk '($11 == "404" && $8 like "/cars/wheels") {print $1}' /var/log/access.log|uniq -c |sort -n

covacat · 2025-10-11T13:03:01+0100

awk '($11 == "404" && substr($9,1,12) == "/wheels/cars") {print $1}'

Aknot · 2025-10-11T15:14:51+0100

covacat said:
awk '($11 == "404" && substr($9,1,12) == "/wheels/cars") {print $1}'

Thank you

I'm away from keyboard right now, testing it when I'm back!!