Linode Forum
Linode Community Forums
Posted: Fri Jan 21, 2011 10:50 pm

Joined: Fri Jan 21, 2011 9:59 pm
Posts: 1
Hi all,

For almost a year, I have seen requests like this in my Ruby on Rails application log:

Started GET "/webadmin/scripts/setup.php" for 72.167.252.231 at Sat Jan 15 19:33:56 +0000 2011
ActionController::RoutingError (No route matches "/webadmin/scripts/setup.php"):

Started GET "/webdb/scripts/setup.php" for 72.167.252.231 at Sat Jan 15 19:33:56 +0000 2011
ActionController::RoutingError (No route matches "/webdb/scripts/setup.php"):

Started GET "/fastenv" for 178.162.165.21 at Wed Jan 19 10:14:53 +0000 2011
ActionController::RoutingError (No route matches "/fastenv"):

Started GET "/webdav/" for 50.22.21.218 at Thu Jan 20 19:27:09 +0000 2011
ActionController::RoutingError (No route matches "/webdav"):

This is annoying, because these attacks eat resources from my Linode. My first idea was to block these IPs with iptables. But the IPs used in these attacks rarely repeat; I have found more than 40 different IP numbers in the log file. So now I am inclined to use URL filtering, denying requests to ".php" pages and some specific URLs.

I know iptables isn't the right tool for this; would Squid be the best choice?

Thank you,

Henrique


Posted: Sat Jan 22, 2011 1:11 am
Senior Member

Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
If handling nonexistent URLs is eating significant resources, your best choice would be to streamline your 404 handling somehow. You're on the Internet; there's some tens of millions of computers infected with worms or hijacked by botnets, and you'll never block them all.

_________________
Code:
/* TODO: need to add signature to posts */


Posted: Sat Jan 22, 2011 2:12 am
Senior Member

Joined: Sun Dec 27, 2009 11:12 pm
Posts: 1038
Location: Colorado, USA
There's always crud on the net hitting your server.

Unless it's targeted, or a ton of traffic, it's not worth worrying about or trying to prevent.

Pick a percentage (for me, it's 5% of my web traffic) and if it's less than that, just ignore it.


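Added example, not part of any post in this thread: a Ruby script that measures how much of a Rails log is unroutable probing like the entries in the first post, so the 5% rule of thumb from the last reply can be checked against real numbers before any filtering is built. It assumes the log layout shown in the first post; the function names and the 192.0.2.10 "normal" requests are constructed for illustration.

```ruby
STARTED  = /^Started \w+ "([^"]*)" for (\S+) at /
NO_ROUTE = /^ActionController::RoutingError \(No route matches /

# Pair each "Started" line with the RoutingError that follows it, then
# report how much of the logged traffic is unroutable probing.
def summarize_probes(log_text)
  total = 0
  probes = []    # [path, ip] for every request that matched no route
  current = nil  # most recent request whose outcome is not yet known
  log_text.each_line do |line|
    if (m = STARTED.match(line))
      total += 1
      current = [m[1], m[2]]
    elsif current && NO_ROUTE.match?(line)
      probes << current
      current = nil
    end
  end
  share = total.zero? ? 0.0 : (100.0 * probes.size / total).round(1)
  { total: total, probes: probes.size, share_pct: share,
    distinct_ips: probes.map(&:last).uniq.size,
    php_probes: probes.count { |path, _| path.end_with?(".php") },
    by_path: probes.group_by(&:first).transform_values(&:size) }
end

# 5% is the tolerance one reply in the thread uses; pick your own.
def worth_acting_on?(summary, threshold_pct = 5.0)
  summary[:share_pct] > threshold_pct
end

# Constructed normal traffic (192.0.2.0/24 is a documentation range).
def constructed_ok_requests(count)
  stamp = "Sat Jan 15 19:40:00 +0000 2011"
  (1..count).map { |i| %(Started GET "/posts/#{i}" for 192.0.2.10 at #{stamp}\nCompleted 200 OK in 12ms\n) }.join
end

# The four entries quoted in the first post of the thread.
THREAD_LOG = <<~LOG
  Started GET "/webadmin/scripts/setup.php" for 72.167.252.231 at Sat Jan 15 19:33:56 +0000 2011
  ActionController::RoutingError (No route matches "/webadmin/scripts/setup.php"):
  Started GET "/webdb/scripts/setup.php" for 72.167.252.231 at Sat Jan 15 19:33:56 +0000 2011
  ActionController::RoutingError (No route matches "/webdb/scripts/setup.php"):
  Started GET "/fastenv" for 178.162.165.21 at Wed Jan 19 10:14:53 +0000 2011
  ActionController::RoutingError (No route matches "/fastenv"):
  Started GET "/webdav/" for 50.22.21.218 at Thu Jan 20 19:27:09 +0000 2011
  ActionController::RoutingError (No route matches "/webdav"):
LOG

p summarize_probes(THREAD_LOG + constructed_ok_requests(16)) if __FILE__ == $PROGRAM_NAME
```

Point `summarize_probes` at the contents of a real log file to get the same figures for your own traffic; the `by_path` counts show which URLs would be worth short-circuiting with a cheap 404 in the front-end web server.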