Non-rails, block ip address from nginx without logging to error.log?
Posted this to serverfault too, but I'm still stuck:
I have a server that keeps trying to brute force hack via xml-rpc post on a wordpress site (I know, I know). I've blocked the ip address in nginx.conf and noticed that I kept getting these errors in the log file, and since they are brute force, this is just a very, very slow DDOS (because they are causing log files to take space).
[error] 30912#0: *4600 access forbidden by rule, client:
I've searched for log file changes but it looks like it's all or nothing on 403 errors and that wouldn't help me (wouldn't see any others).
To combat this, I've tried blocking by firewall (using UFW wrapper around firewall tables) and added an entry on that shows as this in status:
Anywhere DENY XXX.XXX.X.XXX (redacted)
However, even after enabling the firewall rules, and checking to make sure they are running, when tailing the log file I still the same error entries 403 errors writing over and over again.
Any thoughts on how to make this hacker go away without filling up the log file? It's a virtual 14.04 LTS server.
Any thoughts or ideas? I'm getting error.log entries every second or more from this same ip address.
It's interesting that even with the firewall, they seem to still be getting through. Maybe it's not working? I'm not well brushed up on firewall rules as I should be, but does UFW basically do the same thing as setting iptables rules?
Also you may want to make sure your log files are being rotated with logrotate so they never become unwieldy in size. Doesn't really solve your problem of constant attack, but does prevent your files from getting huge.
Yep, pepkac will get you every time. I had log rotation on, but I've still burned through a large number of log files in last 3 weeks.
Also, in case anyone finds this UFW is a iptables wrapper that makes it super easy to insert new rows.
Also, request for a show about Fail2Ban which does a good job of automating the blocking of brute force attempts at SSH, POSTs, etc.