[plug] Re: Unwanted knocking
Daniel J. Axtens
danielax at gmail.com
Thu Jan 19 17:49:08 WST 2006
On 1/19/06, Jason Nicholls <jason at mindsocket.com.au> wrote:
> > I've had 125.234.250.153 knocking at my port 53 all night. Suggestions?
>
> I'm not sure whether what I'm about to dive into below is useful in this
> particular situation. But attacks are certainly common and some people
> may find this useful:
>
> There are definitely cases were a simple firewall rule isn't going to
> suffice to block attackers since the service may need to be open to the
> Internet for general use. ssh is a good example. Ideally if someone
> begins an attack then you want to block access automatically preventing
> further attacks.
>
> I wrote a an IP blocking utility that maintains an iptables
> blacklist. As long as there is some log for the script to tail which
> identifies the host by IP and some way to differentiate lines we're
> interested to other lines then it'd be easy to write a new handler. At
> the moment I have 3 handlers:
>
> - ssh
>
> our hosts are open to the internet since we access them from all
> over the place (hotels, etc...). We get a TON of attacks, this has
> significantly cut down on attacks usually blocking them within a
> minute (and sooner if I reduced the sample frequency).
>
> - portal
>
> this is a proprietary app, but really it's an apache access log
> handler identifying attacks by 2 methods, either too many error
> requests or .php|.jsp type requests (none of the pages are .php or
> .jsp so i can easily identify these as attacks). Same as above, we'd
> get so many attacks that eventually it'd lead to some quirkiness in
> portal requiring a restart every now and then.
>
> - sync
>
> now this handler is cool, basically you can have IP blocking tools
> running on multiple hosts with a shared pool of blocked IPs. i.e. an
> IP is blocked on host A which is communicated to all other hosts.
>
> Other notable points:
>
> - whitelist, these IPs are never banned
>
> - iptables is maintained automatically. i.e. script will add a blacklist
> chain and make sure it's in the input chain (if necessary), and also
> maintain the list of IPs in the blacklist chain.
>
> - script loads and saves it's config
>
> - blocked IPs expire out after 72hrs (configurable). We don't want the
> list to grow out of control for ever.
>
> Script is written in Perl and seems to use virtual nil resources on my
> hosts. However that would depend on sample frequency, number of logs
> you're looking at, and rate of entries written to the logs.
>
> Unfortunately I haven't had time to put this up, or document it, and of
> course there are probably environment specific things in there. However,
> if you are interested then let me know and I'll get you a copy.
>
>
> Jason Nicholls
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://www.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.linux.org.au
>
--
Neuronstorm: neuronstorm.sourceforge.net
The Neuronstorm Blog: leinad-golb.blogspot.com
More information about the plug
mailing list