[plug] Unwanted knocking
Shannon Carver
shannon.carver at p-s-t.com.au
Sat Jan 21 09:28:30 WST 2006
Sorry All, didn't see Jason's last email..
And now I've sent two unrelated messages.. :P
-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On Behalf
Of Shannon Carver
Sent: Saturday, 21 January 2006 9:27 AM
To: plug at plug.org.au
Subject: RE: [plug] Unwanted knocking
Jon,
I'd be interested in seeing how you did the iptables blacklisting if
possible, as well as the 72 hour time outs on bans.
Regards
Shannon Carver
-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On Behalf
Of Jon Miller
Sent: Friday, 20 January 2006 2:20 AM
To: plug at plug.org.au
Subject: Re: [plug] Unwanted knocking
Jason,
I would be interested in having a look at this if possible.
Thanks
>>> jason at mindsocket.com.au 5:36:46 pm 19/01/2006 >>>
> I've had 125.234.250.153 knocking at my port 53 all night. Suggestions?
I'm not sure whether what I'm about to dive into below is useful in this
particular situation. But attacks are certainly common and some people
may find this useful:
There are definitely cases where a simple firewall rule isn't going to
suffice to block attackers since the service may need to be open to the
Internet for general use. ssh is a good example. Ideally if someone
begins an attack then you want to block access automatically preventing
further attacks.
I wrote an IP blocking utility that maintains an iptables
blacklist. As long as there is some log for the script to tail which
identifies the host by IP and some way to differentiate lines we're
interested in from other lines then it'd be easy to write a new handler. At
the moment I have 3 handlers:
- ssh
our hosts are open to the internet since we access them from all
over the place (hotels, etc...). We get a TON of attacks, this has
significantly cut down on attacks usually blocking them within a
minute (and sooner if I reduced the sample frequency).
- portal
this is a proprietary app, but really it's an apache access log
handler identifying attacks by 2 methods, either too many error
requests or .php|.jsp type requests (none of the pages are .php or
.jsp so I can easily identify these as attacks). Same as above, we'd
get so many attacks that eventually it'd lead to some quirkiness in
portal requiring a restart every now and then.
- sync
now this handler is cool, basically you can have IP blocking tools
running on multiple hosts with a shared pool of blocked IPs. i.e. an
IP is blocked on host A which is communicated to all other hosts.
Other notable points:
- whitelist, these IPs are never banned
- iptables is maintained automatically. i.e. script will add a blacklist
chain and make sure it's in the input chain (if necessary), and also
maintain the list of IPs in the blacklist chain.
- script loads and saves its config
- blocked IPs expire out after 72hrs (configurable). We don't want the
list to grow out of control for ever.
Script is written in Perl and seems to use virtually nil resources on my
hosts. However that would depend on sample frequency, number of logs
you're looking at, and rate of entries written to the logs.
Unfortunately I haven't had time to put this up, or document it, and of
course there are probably environment specific things in there. However,
if you are interested then let me know and I'll get you a copy.
Jason Nicholls
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
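A small Python sketch of the design Jason describes above (a log handler that extracts attacker IPs, a whitelist, a dedicated iptables blacklist chain hooked into INPUT, and 72-hour expiry of bans), added here as an illustration; it is not Jason's Perl script. The sshd log lines are constructed, and the chain name BLACKLIST and the failure threshold are assumptions.

```python
import re
import subprocess

BAN_TTL = 72 * 3600               # bans expire after 72 hours, as in the post
THRESHOLD = 2                     # failed logins before a ban (assumed value)
WHITELIST = {"192.0.2.10"}        # never banned (RFC 5737 documentation range)
CHAIN = "BLACKLIST"               # hypothetical chain name
# OpenSSH "Failed password" message, with or without "invalid user"
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})")
# Constructed sample auth.log lines (not real traffic)
SAMPLE_LOG = """\
Jan 21 09:01:02 host sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4011 ssh2
Jan 21 09:01:04 host sshd[101]: Failed password for root from 203.0.113.5 port 4012 ssh2
Jan 21 09:02:00 host sshd[102]: Failed password for bob from 192.0.2.10 port 5000 ssh2
Jan 21 09:02:01 host sshd[102]: Failed password for bob from 192.0.2.10 port 5001 ssh2
Jan 21 09:03:00 host sshd[103]: Accepted publickey for alice from 198.51.100.7 port 6000 ssh2
""".splitlines()

def ssh_handler(line):
    """Return the source IP if the line is a failed ssh login, else None."""
    m = SSH_FAIL.search(line)
    return m.group(1) if m else None

def find_offenders(lines, handler=ssh_handler, threshold=THRESHOLD):
    """Count handler hits per IP; return IPs at or above threshold, minus the whitelist."""
    counts = {}
    for line in lines:
        ip = handler(line)
        if ip and ip not in WHITELIST:
            counts[ip] = counts.get(ip, 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}

def update_bans(bans, offenders, now):
    """bans maps ip -> epoch seconds banned; expire stale entries, add offenders, return iptables commands."""
    cmds = []
    for ip in [ip for ip, t in bans.items() if now - t > BAN_TTL]:
        del bans[ip]
        cmds.append(["iptables", "-D", CHAIN, "-s", ip, "-j", "DROP"])
    for ip in sorted(offenders - set(bans)):
        bans[ip] = now
        cmds.append(["iptables", "-I", CHAIN, "-s", ip, "-j", "DROP"])
    return cmds

def ensure_chain():
    """Create CHAIN and hook it into INPUT if missing; idempotent, needs root."""
    if subprocess.run(["iptables", "-nL", CHAIN], capture_output=True).returncode != 0:
        subprocess.run(["iptables", "-N", CHAIN], check=True)
    if subprocess.run(["iptables", "-C", "INPUT", "-j", CHAIN], capture_output=True).returncode != 0:
        subprocess.run(["iptables", "-I", "INPUT", "-j", CHAIN], check=True)
```

In a real run you would call ensure_chain() once, then periodically feed newly tailed lines to find_offenders() and execute the commands update_bans() returns, persisting the bans dict between runs.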