On 1/11/21 5:00 PM, the...@sys-concept.com wrote: > On 1/11/21 4:41 PM, Michael wrote: >> On Monday, 11 January 2021 23:05:55 GMT the...@sys-concept.com wrote: >>> I've one persistent user (Russian IP) that is populating my apache log >>> files. >>> >>> I tried 00_mod_log_config.conf >>> >>> SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog >>> CustomLog /var/log/apache2/deflate_log deflate env=!dontlog >>> CustomLog /var/log/apache2/access_log common env=!dontlog >>> >>> But I still see this IP in my access_log. >> >> If it is the same IP address persistently attacking the server, I would be >> tempted to block it, or the whole /24 subnet it belongs to, at the perimeter >> firewall. Of course, persistent actors will hop off another IP address, so >> there are diminishing returns in this game. > > I did block this IP and it is working > Require not ip 45.93.201.0/24 > > I hardly resolve to blocking IP from log files, but if they try to > ping/access your network 4 or 5 per second your log files will tend to grow. > SetEnvIf Remote_Addr "45\.93\.201\.104" dontlog > didn't work. > > Just today from about 7am to 4pm about 96K pings from this IP.
I forgot to mention, my firewall doesn't have any capabilities to enter any configuration in IP tables. Maybe I'll look for one that does.
