[plug] Unwanted knocking

Jon Miller jlmiller at mmtnetworks.com.au
Fri Jan 20 02:19:54 WST 2006


Jason,
I would be interested in having a look at this if possible.

Thanks

>>> jason at mindsocket.com.au 5:36:46 pm 19/01/2006 >>>
> I've had 125.234.250.153 knocking at my port 53 all night.  Suggestions?

I'm not sure whether what I'm about to dive into below is useful in this
particular situation. But attacks are certainly common and some people
may find this useful:

There are definitely cases where a simple firewall rule isn't going to
suffice to block attackers since the service may need to be open to the
Internet for general use. ssh is a good example. Ideally if someone
begins an attack then you want to block access automatically, preventing
further attacks.

I wrote an IP blocking utility that maintains an iptables
blacklist. As long as there is some log for the script to tail which
identifies the host by IP and some way to differentiate lines we're
interested in from other lines then it'd be easy to write a new handler. At
the moment I have 3 handlers:

- ssh

    our hosts are open to the internet since we access them from all
    over the place (hotels, etc...). We get a TON of attacks, this has
    significantly cut down on attacks usually blocking them within a
    minute (and sooner if I reduced the sample frequency).

- portal

    this is a proprietary app, but really it's an apache access log
    handler identifying attacks by 2 methods, either too many error
    requests or .php|.jsp type requests (none of the pages are .php or
    .jsp so I can easily identify these as attacks). Same as above, we'd
    get so many attacks that eventually it'd lead to some quirkiness in
    portal requiring a restart every now and then.

- sync

    now this handler is cool, basically you can have IP blocking tools
    running on multiple hosts with a shared pool of blocked IPs. i.e. an
    IP is blocked on host A which is communicated to all other hosts.

Other notable points:

- whitelist, these IPs are never banned

- iptables is maintained automatically. i.e. script will add a blacklist
  chain and make sure it's in the input chain (if necessary), and also
  maintain the list of IPs in the blacklist chain.

- script loads and saves its config

- blocked IPs expire out after 72hrs (configurable). We don't want the
  list to grow out of control forever.

Script is written in Perl and seems to use virtually nil resources on my
hosts. However that would depend on sample frequency, number of logs
you're looking at, and rate of entries written to the logs.

Unfortunately I haven't had time to put this up, or document it, and of
course there are probably environment specific things in there. However,
if you are interested then let me know and I'll get you a copy.


Jason Nicholls
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
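The handler/blacklist design Jason describes (tail a log, pull the offending IP out of the lines a handler cares about, skip whitelisted hosts, keep a BLACKLIST chain hooked into INPUT, expire entries after 72 hours) can be sketched in a few functions. This is an added illustration in Python, not Jason's Perl script; the log lines are constructed samples using RFC 5737 test addresses, the handler names, thresholds and chain name are assumptions, and the iptables commands are returned as strings rather than executed.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post); RFC 5737 test addresses.
SSHD_LINES = [
    "Jan 19 23:01:02 host sshd[1234]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Jan 19 23:01:05 host sshd[1234]: Failed password for root from 192.0.2.10 port 4022 ssh2",
    "Jan 19 23:02:10 host sshd[1240]: Failed password for invalid user admin from 192.0.2.10 port 4040 ssh2",
    "Jan 19 23:03:00 host sshd[1250]: Failed password for jason from 198.51.100.5 port 5000 ssh2",
    "Jan 19 23:04:00 host sshd[1260]: Accepted publickey for jason from 203.0.113.9 port 5100 ssh2",
]
ACCESS_LINES = [
    '192.0.2.77 - - [19/Jan/2006:23:05:01 +0800] "GET /phpmyadmin/index.php HTTP/1.0" 404 209',
    '192.0.2.77 - - [19/Jan/2006:23:05:02 +0800] "GET /admin/login.jsp HTTP/1.0" 404 209',
    '192.0.2.77 - - [19/Jan/2006:23:05:03 +0800] "GET /cgi-bin/test.php HTTP/1.0" 404 209',
    '203.0.113.9 - - [19/Jan/2006:23:06:00 +0800] "GET /portal/home HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jan/2006:23:06:05 +0800] "GET /portal/missing HTTP/1.1" 404 209',
]

SSH_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")
ACCESS_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

def ssh_handler(line):
    """Return the source IP of a failed sshd login, else None."""
    m = SSH_RE.search(line)
    return m.group(1) if m else None

def portal_handler(line):
    """Return the client IP for an error response or a .php/.jsp request, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ip, path, status = m.groups()
    return ip if path.endswith((".php", ".jsp")) or status[0] in "45" else None

def offenders(lines, handler, threshold, whitelist=frozenset()):
    """IPs flagged at least `threshold` times by `handler`, minus the whitelist (never banned)."""
    hits = Counter(ip for ip in map(handler, lines) if ip)
    return sorted(ip for ip, n in hits.items() if n >= threshold and ip not in whitelist)

def blacklist_commands(ips, chain="BLACKLIST"):
    """iptables commands: ensure the chain exists and is hooked into INPUT, then add DROP rules."""
    cmds = [f"iptables -N {chain} 2>/dev/null",
            f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT -j {chain}"]
    return cmds + [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]

def expire(blocked, now, ttl=72 * 3600):
    """Drop entries older than ttl seconds; `blocked` maps IP -> epoch time it was banned."""
    return {ip: t for ip, t in blocked.items() if now - t < ttl}
```

A real deployment would run `offenders` over the lines tailed since the last sample, persist the banned map between runs, and rebuild the chain from whatever `expire` leaves.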