My server is under attack; it is flooded with requests with the following pattern:
Thousands of IPs
Each IP requests the same page "GET / HTTP/1.1" with the same referrer 3-5 times per second (same timestamp).
So what I would need is a small shell script which takes the input from "tail -f /var/www/log/access.log" and parses it for repeated requests with the same timestamp (say 2 requests for the same page with the same referrer and the same time) and adds an iptables rule to drop all packets from this IP.
Best Answer
Have a look at Fail2Ban and at this Howto for an example of filters for Apache log files.
Here's an example that should accomplish what you ask. Please see the manual and adjust to your needs:
/etc/fail2ban/filters.d/apache-attackers.conf
/etc/fail2ban/local.jail
Enable fail2ban at startup (RHEL/CentOS) and launch it:
Note: Tested on RHEL/CentOS, your mileage may vary.
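For reference, the plain shell version the question asks for, as an added example that is neither part of the answer above nor fail2ban's own code: it reads Apache combined-format lines (from a file or `tail -F`), reports an IP the first time it sends the same request line with the same referrer twice within one second, and hands it to iptables. The log path, the threshold of 2 and the use of the INPUT chain are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag bursts of identical requests
# in an Apache combined log and drop the sending address with iptables.

# Print each client IP the first time it reaches THRESHOLD requests that share
# the same second, request line and referrer. Reads log lines from stdin.
detect_flood_ips() {
  threshold=${1:-2}
  awk -F'"' -v threshold="$threshold" '
    {
      # With the quote as separator: $1 = "IP - - [timestamp] ",
      # $2 = request line ("GET / HTTP/1.1"), $4 = referrer.
      split($1, pre, " ")
      ip = pre[1]
      ts = pre[4]                       # e.g. [10/Oct/2023:13:55:36 (one-second resolution)
      key = ip SUBSEP ts SUBSEP $2 SUBSEP $4
      if (++count[key] == threshold && !(ip in reported)) {
        reported[ip] = 1
        print ip
        fflush()                        # emit immediately when fed by tail -F
      }
    }'
}

# Drop every packet from one address. "-C" checks for an existing rule first so
# the insert is idempotent. Assumes root and iptables on PATH.
block_ip() {
  ip=$1
  iptables -C INPUT -s "$ip" -j DROP 2>/dev/null ||
    iptables -I INPUT -s "$ip" -j DROP
}

# Follow the live log and block offenders as they appear (path is an assumption).
# Usage: watch_log /var/www/log/access.log 2
watch_log() {
  tail -F "$1" | detect_flood_ips "${2:-2}" | while read -r ip; do
    block_ip "$ip"
  done
}

# Constructed sample log: 198.51.100.7 repeats "GET /" with the same referrer in
# one second (should be flagged); 203.0.113.9 asks for two different pages in one
# second and 192.0.2.5 sends a single request (neither should be flagged).
SAMPLE_LOG='198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "http://ref.example/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "http://ref.example/" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 "http://ref.example/" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /about HTTP/1.1" 200 512 "http://ref.example/" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
```

Running `printf '%s\n' "$SAMPLE_LOG" | detect_flood_ips 2` prints only 198.51.100.7; a NAT gateway or proxy shared by many legitimate users can trip the same rule, so review the reported addresses before leaving the block in place permanently.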