ad-hoc DDoS protection

My server is currently seeing a flood of requests coming in to all open ports and successfully initiating bogus connections.
For example,
"GET / HTTP/1.1" 200 147 "https://my.ip.here" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)"
and
imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A00010B:SSL routines::wrong version number (no auth attempts in 0 secs): user=<>, rip=216.24.216.109, lip=192.168.8.2, TLS handshaking: SSL_accept() failed: error:0A00010B:SSL routines::wrong version number, session=<8QKoixgj0NjYGNht>
and
improper command pipelining after CONNECT from unknown[84.17.56.133]: rg\373\255W0o\3207y\202m=\276@Z|\305\321\356\236+o7\337\307\336\027r\323\307|A\264x\022\021\231\247K\344g\351\334n\366R8\274\322\b\0224n\260\263\376U\217\037uD'\326G\325\244\311\223\221$\307\001Q\263-w0\300k\261\261\241@Ao\212emN(\357\333^\341\036r\371\203\276
and so on in every available service, coming at a rate of about 25 requests per second for httpd alone. The server is holding up all right, but the situation could probably be improved.

I'm looking to find a way, locally, to start rejecting those IPs based on the above data patterns. Is there a ready-made open-source solution to this? These are not authentication attempts for which blacklistd seems to work fine, but rather simple connections. I've set KeepAlive to off in Apache, but other than that I'm not sure how to proceed and what to use. Any pointers?
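The three log shapes quoted above (an Apache access-log line, a Dovecot `imap-login` disconnect carrying `rip=`, and a Postfix `improper command pipelining ... from host[ip]` line) all name the remote address, so the local, fail2ban-style approach is to parse them, count per source, and push the offenders into a firewall table. The script below is an added example, not code from the post or from any project it mentions: it recognises those three line formats, tallies total hits and the peak hits within one log second per IP, flags sources that exceed either threshold, and prints `pfctl -t <table> -T add <ip>` commands (the table name `floodsrc` is an assumption; the matching `table <floodsrc> persist` and `block in quick from <floodsrc>` rules in `pf.conf` are the operator's to add). The log lines embedded in it are constructed samples using documentation-range addresses, and the thresholds are deliberately low so the sample trips them.

```python
"""Log-driven blocklist builder (added example, not the post's own code).

Parses Apache combined-log, Dovecot imap-login and Postfix smtpd lines,
counts connections per remote IP, and emits pf table commands for sources
that exceed a total-hits or hits-per-second threshold.
"""
import re
import sys
from collections import Counter, defaultdict

IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# (service, pattern) tried in order; each pattern captures the remote IP.
PATTERNS = [
    # Apache combined log: remote host is the first field.
    ("httpd", re.compile(r"^" + IPV4 + r" \S+ \S+ \[[^\]]*\] \"(?P<req>[^\"]*)\" (?P<status>\d{3})")),
    # Dovecot imap-login disconnect carrying rip=<remote ip>.
    ("imap", re.compile(r"imap-login: Disconnected: .*?\brip=" + IPV4)),
    # Postfix smtpd: improper command pipelining after <CMD> from host[ip].
    ("smtp", re.compile(r"improper command pipelining after \S+ from \S+\[" + IPV4 + r"\]")),
]

# Second-granularity timestamps, used only to bucket hits per second.
HTTPD_TS = re.compile(r"\[(?P<ts>[^\]]*)\]")
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)")

# Constructed sample lines (documentation-range IPs), shaped like the post's quotes.
SAMPLE = r"""203.0.113.7 - - [14/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 147 "https://my.ip.here" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
203.0.113.7 - - [14/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 147 "https://my.ip.here" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
203.0.113.7 - - [14/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 147 "https://my.ip.here" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)"
198.51.100.4 - - [14/Mar/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.4.0"
Mar 14 10:00:03 mail dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A00010B:SSL routines::wrong version number (no auth attempts in 0 secs): user=<>, rip=203.0.113.7, lip=192.168.8.2, TLS handshaking: SSL_accept() failed, session=<constructed>
Mar 14 10:00:03 mail postfix/smtpd[1234]: improper command pipelining after CONNECT from unknown[203.0.113.7]: rg\373\255W0o
Mar 14 10:00:04 mail postfix/smtpd[1234]: improper command pipelining after CONNECT from unknown[203.0.113.9]: AAAA
"""


def _second_bucket(line, service):
    """Raw timestamp string at one-second granularity, '' if absent."""
    m = HTTPD_TS.search(line) if service == "httpd" else SYSLOG_TS.match(line)
    return m.group("ts") if m else ""


def classify(line):
    """Return (service, remote_ip, second_bucket) for a recognised line, else None."""
    for service, pat in PATTERNS:
        m = pat.search(line)
        if m:
            return service, m.group("ip"), _second_bucket(line, service)
    return None


def tally(lines):
    """Per-IP totals, per-IP peak hits within a single log second, and services touched."""
    totals, per_second, services = Counter(), Counter(), defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        service, ip, bucket = hit
        totals[ip] += 1
        per_second[(ip, service, bucket)] += 1
        services[ip].add(service)
    peaks = Counter()
    for (ip, _svc, _bucket), n in per_second.items():
        peaks[ip] = max(peaks[ip], n)
    return totals, peaks, services


def offenders(lines, min_total=5, max_per_second=3, ignore_prefixes=("127.", "10.", "192.168.")):
    """Sources exceeding either threshold, as (ip, total, peak_per_second, [services])."""
    totals, peaks, services = tally(lines)
    flagged = []
    for ip in totals:
        if ip.startswith(ignore_prefixes):  # never block the local side
            continue
        if totals[ip] >= min_total or peaks[ip] >= max_per_second:
            flagged.append((ip, totals[ip], peaks[ip], sorted(services[ip])))
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


def pf_commands(flagged, table="floodsrc"):
    """pfctl commands that add each flagged source to the (assumed) pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip, *_ in flagged]


if __name__ == "__main__":
    # Feed real logs on stdin (e.g. a tail of httpd and maillog); otherwise use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    found = offenders(source)
    for ip, total, peak, svcs in found:
        print(f"# {ip}: {total} hits, peak {peak}/s, services {','.join(svcs)}")
    print("\n".join(pf_commands(found)))
```

Run it on a short tail of the combined access log and the mail log together; the per-IP service set is what shows the "every available service" pattern from the post, and the peak-per-second column is the number to compare against the roughly 25 req/s mentioned. The commands are printed rather than executed so they can be reviewed (and an expire run via `pfctl -t floodsrc -T expire <seconds>` scheduled) before anything is blocked.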