From several IP addresses my Apache 2.4 server got these entries in the logs. For the 88.* address I saw 178 entries. The timing interval is between 120 and 123 seconds, generally 122.
88.207.37.105 - - [20/May/2017:18:11:47 +0000] "POST / HTTP/1.1" 200 23110 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:13:49 +0000] "POST / HTTP/1.1" 200 19641 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:15:51 +0000] "POST / HTTP/1.1" 200 19629 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:17:53 +0000] "POST / HTTP/1.1" 200 23136 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:19:55 +0000] "POST / HTTP/1.1" 200 19661 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:21:56 +0000] "POST / HTTP/1.1" 200 19639 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:23:59 +0000] "POST / HTTP/1.1" 200 23136 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
88.207.37.105 - - [20/May/2017:18:26:01 +0000] "POST / HTTP/1.1" 200 19628 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
Addresses I've seen this from are:
Is this an attempt to trigger Slowloris; if so, why is it only 178 queries? Is this some kind of probe? How can I detect this using fail2ban?
Do I need more information to diagnose what's going on?
I'm presuming there's no negative effect, but it's filling my logs (I get very little valid traffic, it's almost exclusively hostile probes rather than valid traffic; I'd prefer to see as little of the hostile probing as possible).
Update
I've implemented POST logging, and put in place a fail2ban rule:
^<HOST> .*"POST / HTTP/1.1" 200 \d+ "-".*$
When I get a hit like this:
75.166.150.58 - - [26/May/2017:20:19:57 +0000] "POST / HTTP/1.1" 200 22730 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)"
75.166.150.58 - - [26/May/2017:20:21:58 +0000] "POST / HTTP/1.1" 200 19730 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)"
I see this in the POST logging:
[Fri May 26 20:19:56.910629 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:57994] mod_dumpio: dumpio_in [init-blocking] 0 readbytes
[Fri May 26 20:19:56.910713 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(151): [client 75.166.150.58:57994] mod_dumpio: dumpio_in - 20014
[Fri May 26 20:19:56.910726 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:57994] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:56.910729 2017] [dumpio:trace7] [pid 24686:tid 140320582878976] mod_dumpio.c(151): [client 75.166.150.58:57994] mod_dumpio: dumpio_in - 103
[Fri May 26 20:19:57.373663 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [init-blocking] 0 readbytes
[Fri May 26 20:19:57.600659 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830272 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): 17 bytes
[Fri May 26 20:19:57.830323 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): POST / HTTP/1.1\r\n
[Fri May 26 20:19:57.830340 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830350 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): 49 bytes
[Fri May 26 20:19:57.830356 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): Content-Type: application/x-www-form-urlencoded\r\n
[Fri May 26 20:19:57.830364 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830384 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): 105 bytes
[Fri May 26 20:19:57.830390 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)\r\n
[Fri May 26 20:19:57.830398 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830404 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): 20 bytes
[Fri May 26 20:19:57.830409 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): Host: 13.55.51.221\r\n
[Fri May 26 20:19:57.830426 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830428 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): 21 bytes
[Fri May 26 20:19:57.830430 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): Content-Length: 544\r\n
[Fri May 26 20:19:57.830432 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830434 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT) : 25 bytes
[Fri May 26 20:19:57.830436 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): Cache-Control: no-cache\r\n
[Fri May 26 20:19:57.830438 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:19:57.830440 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): 2 bytes
[Fri May 26 20:19:57.830441 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): \r\n
[Fri May 26 20:19:57.830996 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [readbytes-blocking] 544 readbytes
[Fri May 26 20:19:57.831005 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(63): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT): 544 bytes
[Fri May 26 20:19:57.831008 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(103): [client 75.166.150.58:57995] mod_dumpio: dumpio_in (data-TRANSIENT):
[Fri May 26 20:19:57.942403 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(140): [client 75.166.150.58:57995] mod_dumpio: dumpio_in [speculative-nonblocking] 1 readbytes
[Fri May 26 20:19:57.943753 2017] [dumpio:trace7] [pid 24687:tid 140320591271680] mod_dumpio.c(151): [client 75.166.150.58:57995] mod_dumpio: dumpio_in - 11
[Fri May 26 20:21:58.710000 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [init-blocking] 0 readbytes
[Fri May 26 20:21:58.933562 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943419 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): 17 bytes
[Fri May 26 20:21:58.943436 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): POST / HTTP/1.1\r\n
[Fri May 26 20:21:58.943445 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943448 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): 49 bytes
[Fri May 26 20:21:58.943451 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): Content-Type: application/x-www-form-urlencoded\r\n
[Fri May 26 20:21:58.943454 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943456 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT) : 105 bytes
[Fri May 26 20:21:58.943459 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)\r\n
[Fri May 26 20:21:58.943462 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943464 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): 20 bytes
[Fri May 26 20:21:58.943467 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): Host: 13.55.51.221\r\n
[Fri May 26 20:21:58.943469 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943471 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): 21 bytes
[Fri May 26 20:21:58.943473 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): Content-Length: 588\r\n
[Fri May 26 20:21:58.943476 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943478 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): 25 bytes
[Fri May 26 20:21:58.943480 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): Cache-Control: no-cache\r\n
[Fri May 26 20:21:58.943482 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Fri May 26 20:21:58.943484 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): 2 bytes
[Fri May 26 20:21:58.943492 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): \r\n
[Fri May 26 20:21:58.943625 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [readbytes-blocking] 588 readbytes
[Fri May 26 20:21:58.943632 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(63): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): 588 bytes
[Fri May 26 20:21:58.943634 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(103): [client 75.166.150.58:58268] mod_dumpio: dumpio_in (data-TRANSIENT): EaxYwY/ObMZzC55ZNfIqJ7jo01xnYm4mllgnEYQLf0GZjMuL31ox6b6iKMdQfnql6Y1hIUq6dP701/FdlAX/NMgSnKD6Zn0onykSEVVykGwjiBZjhAcM02dW2VDUTb/eZ40NzWmkPrDJi8czUCkTXodfwV8y7Bya0STzhYj4D8gC99qAG30UImObAiDHNIkLheNyDX7lK4lbjunEBYRsPfUgkT1g62GKZRYkmM34JDo74NpsWx/5SHbSR0xX4fOxUzGrmBlY0EhlOjcZ6J0NZ0y42ix0jamuC7L2xHzAJ70w+Wxld7x/lGoLbYWfJcZwBIqwgiSNQDQo8okaJR5pK2Wd68G14PEhxeZpKoYhmjF7S9USjgKhtKA2fs+DegUtuobw57IagY+5ZPVihlOQyXXPR49Nny/VXZcZ6iqbxlbyZGqEQkCg+VLqPVO52YKG/opFtUTFTHr8o/rGO7/aUnUfagbdlbw8MFpAcVdz1R1D59RZ1sYCyRO5tEEc4EFd8rhwvXarXzpHWbNlnVJF6oTFUTjgP/QgKYuZT3uv3bGwLY0Kn9Ivg0K7EwC5rqoJOjoHJrCGjUM=
[Fri May 26 20:21:59.054773 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(140): [client 75.166.150.58:58268] mod_dumpio: dumpio_in [speculative-nonblocking] 1 readbytes
[Fri May 26 20:21:59.056133 2017] [dumpio:trace7] [pid 24687:tid 140320582878976] mod_dumpio.c(151): [client 75.166.150.58:58268] mod_dumpio: dumpio_in - 11
What is 75.166.150.58 trying to use my server to do to 13.55.51.221 (rdns lookup yields nothing)? Is it succeeding?
It does seem like probing. If your webserver and the applications on it are up to date, you did pretty much all you can. This is exactly the kind of thing you definitely want logged. Just get a log solution that allows searching through logs and histograms.
Whether you can use fail2ban depends on the legitimate traffic. If no legitimate traffic reached 150+ queries in 300 minutes, then you can configure fail2ban without affecting legitimate traffic.
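As an added example, not from the question or the answer, the same match as the failregex in the update applied in Python to an access log: it groups matching POST / hits per client and flags clients whose inter-request gap is as regular as the 120 to 123 seconds described, which is the count-within-a-window that a fail2ban maxretry/findtime pair would enforce. The sample lines are constructed from entries quoted in the question plus two benign requests; the interval bounds and minimum hit count are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Same shape as the fail2ban failregex: POST to the site root, status 200,
# empty referer, any user agent. <HOST> becomes the named group "host".
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST / HTTP/1\.[01]" 200 \d+ "-" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache combined-log timestamp

# Constructed sample: four of the quoted 88.* hits, the two 75.* hits,
# one isolated POST / from another client, and an ordinary GET.
SAMPLE_LOG = [
    '88.207.37.105 - - [20/May/2017:18:11:47 +0000] "POST / HTTP/1.1" 200 23110 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '88.207.37.105 - - [20/May/2017:18:13:49 +0000] "POST / HTTP/1.1" 200 19641 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '88.207.37.105 - - [20/May/2017:18:15:51 +0000] "POST / HTTP/1.1" 200 19629 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '88.207.37.105 - - [20/May/2017:18:17:53 +0000] "POST / HTTP/1.1" 200 23136 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '75.166.150.58 - - [26/May/2017:20:19:57 +0000] "POST / HTTP/1.1" 200 22730 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)"',
    '75.166.150.58 - - [26/May/2017:20:21:58 +0000] "POST / HTTP/1.1" 200 19730 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E)"',
    '198.51.100.7 - - [26/May/2017:20:30:00 +0000] "POST / HTTP/1.1" 200 512 "-" "curl/7.52.1"',
    '203.0.113.5 - - [26/May/2017:20:31:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def parse_hits(lines):
    """Return {ip: [datetime, ...]} for every line the failregex would match."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            hits[m.group("host")].append(datetime.strptime(m.group("ts"), TS_FMT))
    return hits


def periodic_offenders(lines, min_hits=3, low=110.0, high=135.0):
    """Flag clients with at least min_hits matching POSTs whose every gap lies
    in [low, high] seconds (assumed bounds around the observed 122 s cadence).
    Returns {ip: (hit_count, mean_gap_seconds)}; two hits alone are not enough."""
    flagged = {}
    for ip, times in parse_hits(lines).items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(low <= g <= high for g in gaps):
            flagged[ip] = (len(times), round(mean(gaps), 1))
    return flagged


if __name__ == "__main__":
    for ip, (count, gap) in periodic_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} hits, mean gap {gap}s")
```

Clients reported here are the ones a jail with maxretry set to min_hits and findtime covering min_hits times the upper gap bound would ban.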