Re: Alert!!

Christopher K. Johnson wrote:
Dale Sykora wrote:

Alexandar,
I want to thank you for all your thoughtful participation on this list. Your words of wisdom have helped me on numerous occasions. Do you know of any SIPTO type program or script? SIPTO (which I just made up) means Source IP Time Out (think child behavior deterrent). It would watch the logs for admin defined bad behavior from a connecting IP and then temporarily ban that IP (time-out via iptables) for 15 minutes or so after 3 occurrences in a given time frame. For example, SME server adds a denylog line to /var/log/messages when an external IP tries to connect to a closed port. I would like something to watch this 'tail -f?' and add an iptables rule to drop all connections from this IP address for a short time frame (extendible if other attempts are made). I would like this to be generic enough to shut down access to zombies that try to send viruses through my email server, or systems that think I run IIS and look for cmd.com/etc... as well. Someone in the past mentioned an IDS, but that seems CPU/network intensive. I simply want to watch the logs and block the bad/zombie machines that tend to fill the logs.
Any suggestions?


Thanks,

Dale


Are you running iptables that you can alter on this firewall?
If so then you might take a look at the limit module for starters. e.g.:
# Logging what falls off the end of INPUT chain - but rate limited
-A INPUT -i eth+ -m limit --limit 1/s --limit-burst 60 -j LOG --log-prefix IPTABLES_DROPPED:


The rule will log any packets input to the firewall on any ethernet interface that were not already dropped or denied or accepted. But it will only log an average of one message per second, or less. Up to 60 may be logged in the first second, but any that are will deplete the burst by that amount. And the burst counter only builds back up at 1/s to a maximum of 60.

It is not specific to a particular set of annoying system IP addresses, but applies equally to all packets passing that rule.
On the other hand it doesn't need any log watching or dynamic response mechanism.


Chris
I am running iptables (SME is a RH7.3 derivative). I'll look into this. It doesn't cover the mail/web server hits, but it is a start.

Thanks,

Dale
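A minimal version of the "SIPTO" watcher described in the thread, added here as an example (it is not code from the list, from SME server or from any existing tool): it counts denylog hits per source IP in a sliding window, bans the IP for 15 minutes after 3 hits, extends the time-out on repeats and lifts the ban when it expires. The log line shape, the epoch timestamps and the SRC= field are assumptions; the iptables commands are returned as strings rather than executed.

```python
import re
from collections import defaultdict, deque

# Assumed log shape (the real SME denylog format is not on the page): an epoch
# timestamp, the word "denylog:" and an iptables-style SRC= field.
LINE_RE = re.compile(r"^(?P<ts>\d+) denylog: .*SRC=(?P<src>\d+\.\d+\.\d+\.\d+)")

class SourceIpTimeout:
    """Ban a source IP after `threshold` hits within `window` seconds, for `ban_seconds`."""
    def __init__(self, threshold=3, window=60, ban_seconds=900):
        self.threshold, self.window, self.ban_seconds = threshold, window, ban_seconds
        self.hits = defaultdict(deque)  # src ip -> timestamps of recent hits
        self.banned = {}                # src ip -> time the ban expires

    def feed(self, line):
        """Process one log line; return the iptables command to run, or None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts, src = int(m.group("ts")), m.group("src")
        q = self.hits[src]
        q.append(ts)
        while ts - q[0] > self.window:  # forget hits older than the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        is_new = src not in self.banned
        self.banned[src] = ts + self.ban_seconds  # start or extend the time-out
        q.clear()
        return f"iptables -I INPUT -s {src} -j DROP" if is_new else None

    def expire(self, now):
        """Return the iptables commands that lift bans whose time-out has passed."""
        done = [ip for ip, until in self.banned.items() if until <= now]
        for ip in done:
            del self.banned[ip]
        return [f"iptables -D INPUT -s {ip} -j DROP" for ip in done]
# Constructed sample lines; 203.0.113.7 probes three closed ports within 60 s.
SAMPLE_LOG = """\
1000 denylog: IN=eth1 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=135
1010 denylog: IN=eth1 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=445
1020 denylog: IN=eth1 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP DPT=80
1030 denylog: IN=eth1 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=1433
""".splitlines()

def run_sample():
    """Feed the sample through the watcher, then expire bans 15 minutes later."""
    w = SourceIpTimeout()
    cmds = [c for c in map(w.feed, SAMPLE_LOG) if c]
    return cmds + w.expire(now=1030 + 900)
```

In a real deployment the lines would come from following /var/log/messages, and the returned commands would be run by the watcher itself; the single-host probe at 1020 never reaches the threshold, so only the three-port scanner is banned.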


