Block outdated clients 1

There can be problems with the destination file. A solution can be found in the post handle xt_recent from syslog-ng.

Due to numerous connects of outdated clients on my clamav-mirror (> 300,000 / day), i add single IP temporarily to the firewall.


Configure Apache HTTP-Server

The Access Log of apache must send to syslog-ng:

LogFormat "%v %h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" mirrorlog

CustomLog "| /bin/logger -t apache2" mirrorlog

As long as the log file runs only through the pipe, no entries are stored. The configuration used here evaluates merely the log file. To receive an Access Log as a file, you must extend either syslog-ng by a destination or the apache-config by a CustomLog.

Configure syslog-ng

As we send the acces-log due logger direct to syslog-ng, it´s available via the normal source ‘internal’.

parser pattern_db {
db_parser ( file(/usr/local/var/patterndb.xml));

destination deny-mirror {

filter f_mirror {
match("" value(".apache.domain"))
and match ("403" value(".apache.request_status"));

log { 
destination (deny-mirror);

As every message runs through the parser pattern_db, we also need a pattern-db-file from syslog-ng with the following content:
(when you won´t use the pattern-db, you can also use the csv-parser from here)

<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2011-07-06'>
<ruleset id='1fba26d756011614557cf496fed7b5c0' name='apache'>
<rule class='apache.access_log' id='019045a7383c252e57c20435ae5bf86c' provider='fs'>
<pattern>@ESTRING:.apache.domain: @@IPv4:.apache.client_ip@ @ESTRING:.apache.ident_name: @@ESTRING:.apache.user_name: @@QSTRING:.apache.timestamp:[]@ @QSTRING:.apache.request_url:"@ @NUMBER:.apache.request_status@ @NUMBER:.apache.content_length@ @QSTRING:.apache.referer:"@ @QSTRING:.apache.user_agent:"@</pattern>

Configure iptables

iptables -N clamav-403
iptables -A INPUT -p tcp --dport 80 -m recent --rcheck --name clamav-403 --seconds 3600 --hitcount 5 -j DROP

How it works

Syslog-ng filters apache messages with the contents and 403. As destination /proc/net/xt_recent/clamav-403 is defined. The template adds the IP to the firewall. With reach from “hitcount” the IP is blocked “seconds”.

If you replace the _rcheck_ here with an _update_ statement, the block will last even longer. The _rcheck_ option means: we will block you for the next hour. While _update_ means: we don’t want to see you for an hour, but if we see you again during this time, we’ll block you again. It means that you actually need to be quiet for 60 minutes to be able to log in again.

By default xt_recent stores 100 IP addresses. You can change the limit with “modprobe ipt_recent ip_list_tot=10000” (here 10000). This is only possible before the first iptables rule is put on.


chmod 600 /sys/module/xt_recent/parameters/ip_list_tot

echo 10000 > /sys/module/xt_recent/parameters/ip_list_tot

chmod 400 /sys/module/xt_recent/parameters/ip_list_tot

to change ip_list_tot “on-the-fly”

Possibly related posts: (automatically generated)

Leave a comment

Your email address will not be published. Required fields are marked *

I confirm

One thought on “Block outdated clients