[ale] Ok Phew..

lollipopman691 lollipopman691 at proton.me
Mon Sep 22 14:36:11 EDT 2025


Alright, I've installed mod_evasive ( https://github.com/jzdziarski/mod_evasive ) and ufw ( https://en.wikipedia.org/wiki/Uncomplicated_Firewall ) to deal with yet another horrific storm of nonsense hits on https://tomshiro.org . Looks like mod_evasive is kinda working, anyways. We shall see what happens next. So far, I am at fifteen blocked /16 addresses. They appear to be from China, Vietnam, Korea, or ( the latest! ) Tajikistan, at least according to https://www.iplocation.net/ip-lookup .

The address which mod_evasive Blacklisted appears to be from USA, Virginia.  Looks like an attaque tho. Here's a chunk of my log:

------------------
tomshiro.org:80 40.85.188.6 - - [22/Sep/2025:14:13:13 -0400] "GET /aa.php HTTP/1.1" 301 521 "-" "-"
tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /aa.php HTTP/1.1" 404 2785 "-" "-"
tomshiro.org:80 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /abcd.php HTTP/1.1" 301 525 "-" "-"
tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /abcd.php HTTP/1.1" 404 465 "-" "-"
tomshiro.org:80 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /about.php HTTP/1.1" 301 527 "-" "-"
tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /about.php HTTP/1.1" 404 465 "-" "-"
tomshiro.org:80 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /admin.php HTTP/1.1" 301 527 "-" "-"
tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /admin.php HTTP/1.1" 404 465 "-" "-"
tomshiro.org:80 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /adminfuns.php HTTP/1.1" 301 535 "-" "-"
------------------

A legit client (even a robot) would have a bunch of stuff after the first "-" specifying what it was, as:

tomshiro.org:443 52.22.64.232 - - [22/Sep/2025:14:29:57 -0400] "GET /foswiki/ALE/AtlantaLaptopRepair HTTP/1.1" 200 7026 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36"

I am glad I don't have PHP enabled on this server.

-- CHS


------- Forwarded Message -------
From: www-data <www-data at tomshiro.org>
Date: On Monday, September 22nd, 2025 at 2:13 PM
Subject: (No Subject)
To: charles.shapiro at tomshiro.org <charles.shapiro at tomshiro.org>


> 
> 
> To: charles.shapiro at tomshiro.org
> Subject: HTTP BLACKLIST 40.85.188.6
> 
> mod_evasive HTTP Blacklisted 40.85.188.6
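As an added example (not part of the original post, and not mod_evasive's own code), here is a small Python script that applies the same reading of the log mechanically: it parses the vhost-prefixed Apache combined format shown above, and flags a client that sends every request with no User-Agent or that walks through several non-existent .php paths. The sample lines are copied from the excerpt; the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache combined log with a leading "vhost:port" field, as in the excerpt.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: scanner lines from the post plus the Amazonbot hit.
SAMPLE = """\
tomshiro.org:80 40.85.188.6 - - [22/Sep/2025:14:13:13 -0400] "GET /aa.php HTTP/1.1" 301 521 "-" "-"
tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /aa.php HTTP/1.1" 404 2785 "-" "-"
tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /abcd.php HTTP/1.1" 404 465 "-" "-"
tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /about.php HTTP/1.1" 404 465 "-" "-"
tomshiro.org:443 40.85.188.6 - - [22/Sep/2025:14:13:14 -0400] "GET /admin.php HTTP/1.1" 404 465 "-" "-"
tomshiro.org:443 52.22.64.232 - - [22/Sep/2025:14:29:57 -0400] "GET /foswiki/ALE/AtlantaLaptopRepair HTTP/1.1" 200 7026 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; Amazonbot/0.1; +https://developer.amazon.com/support/amazonbot) Chrome/119.0.6045.214 Safari/537.36"
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_scanners(text, min_hits=3):
    """Return {ip: [reasons]} for clients that look like automated probes.
    min_hits is an assumed threshold; tune it to the site's real traffic."""
    stats = defaultdict(lambda: {"hits": 0, "blank_ua": 0, "php_404": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        s = stats[rec["ip"]]
        s["hits"] += 1
        if rec["ua"] == "-":            # nothing after the referer field
            s["blank_ua"] += 1
        if rec["path"].endswith(".php") and rec["status"] == "404":
            s["php_404"] += 1
    flagged = {}
    for ip, s in stats.items():
        if s["hits"] < min_hits:
            continue                    # too few requests to judge
        reasons = []
        if s["blank_ua"] == s["hits"]:
            reasons.append("no User-Agent on any request")
        if s["php_404"] >= min_hits:
            reasons.append(f"{s['php_404']} probes for missing .php paths")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, why in flag_scanners(SAMPLE).items():
        print(ip, "->", "; ".join(why))
```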

