Hello,
I have already found this log on my reverse proxy with login administrator. In my case, it's linked to tests to connect to a Windows Server TSE. I compared the log time and the connection time on my FW, and user tests added more information. Many IPs are banned with this log. In my case, it isn't a DoS, just a brute force.
Eric.
On Mon, 21 Oct 2019 at 16:12, Andreas Pfister <andi-pfister@gmx.ch> wrote:
Hi everyone,
Today, my logfile (apache2) was full of thousands of thousands of requests like this:
85.14.109.184 - - [21/Oct/2019:14:57:33 +0200]
"\xad|\xf8*!\xc7\xf4%\xb4\x0e\x8aj\xc2\xa80\xc2k\xbbh\xdd\xfa\x06\xc3b\x0e\xd8L\x87\xd4\xbd\xd0\x02\x86\xfc\xc6\xe6\xd2\xc1\xad8\v0\r\xfb\xb83\x9d\xca^\xa8h\x97\x99\xad\x9a\xfd\xed\xe1\xd4\xbf^'\xfeg\xbe#\xf0\x9d\x80qM\xb2\xe3A\x8a$Z\x94\xc1*\xae\x11\xf4\x82\xe9\xd14wV\xef\x0ez\xe0\x83\xfe\x07\xab\x86d\xdfN\xb0N6\v\xa8\x1e{\xb0\xc1\xe9\xa3(\xd7E\xc7\xa2\x17\xce\xe5X\xdd@ \xc3\x12\xc5\xa8f\x84\xa7\x0e\xe9\xe3:\"\xb89\xb3\xa4u0\x91\xe4\xac\xe2\xb4P\v\x8c\n" 400 0 "-" "-"
For this reason, my mirror was not reachable for a long time. Sorry.
To me it looks like a DoS attack, but I am not sure. Has anyone ever seen this in their logfiles, or does anyone have any further ideas/information?
Now, I solved the problem by blocking 851 different IPs, and I think it is now running stable.
Greetings
Andi Pfister
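
One way to pull the offending clients out of an access log like the one quoted above, as an added example that is not part of either message: it counts, per source address, the 400 responses whose request line is not HTTP and contains Apache's `\xhh` byte escapes. The threshold, the minimum of four escaped bytes and the sample lines (documentation addresses, request bytes shortened from the quoted line) are assumptions made for the example.

```python
import re
from collections import Counter

# Apache combined log: host ident user [time] "request" status bytes ...
# Inside the quoted request Apache escapes '"' as \" and raw bytes as \xhh.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# A well-formed request line: METHOD SP target SP HTTP/x.y
HTTP_RE = re.compile(r'^[A-Z]+ \S+ HTTP/\d(?:\.\d)?$')
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')


def is_binary_garbage(request, status, min_escapes=4):
    """True for a 400 whose request line is not HTTP and carries escaped raw bytes."""
    return (status == 400
            and not HTTP_RE.match(request)
            and len(ESCAPED_BYTE_RE.findall(request)) >= min_escapes)


def count_offenders(lines, threshold=3):
    """Return {ip: hits} for clients with at least `threshold` garbage requests."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_binary_garbage(m.group("request"), int(m.group("status"))):
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# Constructed sample log lines, not real traffic from the thread.
GARBAGE = (r'{ip} - - [21/Oct/2019:14:57:33 +0200] '
           r'"\xad|\xf8*!\xc7\xf4%\xb4\x0e:\"\xb89" 400 0 "-" "-"')
SAMPLE = [GARBAGE.format(ip="192.0.2.10")] * 3 + [
    GARBAGE.format(ip="198.51.100.7"),  # single hit, below the default threshold
    r'203.0.113.5 - - [21/Oct/2019:14:58:01 +0200] '
    r'"GET /debian/ HTTP/1.1" 200 512 "-" "curl/7.64.0"',
    # Malformed but textual request: a 400, yet not binary garbage.
    r'203.0.113.5 - - [21/Oct/2019:14:58:02 +0200] "GET /" 400 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, n in sorted(count_offenders(SAMPLE).items()):
        print(f"{ip}\t{n}")
```

Comparing the timestamps of the flagged lines with firewall connection logs, as Eric describes, helps tell misdirected non-HTTP connections from a flood before any address is banned.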