Re: Alert!!
Christopher K. Johnson wrote:
Dale Sykora wrote:
Alexandar,
I want to thank you for all your thoughtful participation on this
list. Your words of wisdom have helped me on numerous occasions. Do
you know of any SIPTO type program or script? SIPTO (which I just
made up) means Source IP Time Out (think child behavior deterrent). It
would watch the logs for admin-defined bad behavior from a connecting
IP and then temporarily ban that IP (time-out via iptables) for 15
minutes or so after 3 occurrences in a given time frame. For example,
SME server adds a denylog line to /var/log/messages when an external
IP tries to connect to a closed port. I would like something to watch
this ('tail -f'?) and add an iptables rule to drop all connections from
this IP address for a short time frame (extendible if other attempts
are made). I would like this to be generic enough to shut down access
to zombies that try and send viruses through my email server, or systems
that think I run IIS and look for cmd.com/etc... as well. Someone in
the past mentioned an IDS, but that seems CPU/network intensive. I
simply want to watch the logs and block the bad/zombie machines that
tend to fill the logs.
Any suggestions?
Thanks,
Dale
Are you running iptables that you can alter on this firewall?
If so then you might take a look at the limit module for starters. e.g.:
# Logging what falls off the end of INPUT chain - but rate limited
-A INPUT -i eth+ -m limit --limit 1/s --limit-burst 60 -j LOG --log-prefix IPTABLES_DROPPED:
The rule will log any packets input to the firewall on any ethernet
interface that were not already dropped or denied or accepted. But it
will only log an average of one message per second, or less. Up to 60
may be logged in the first second, but any that are will deplete the
burst by that amount. And the burst counter only builds back up at 1/s
to a maximum of 60.
It is not specific to a particular set of annoying system IP addresses,
but applies equally to all packets passing that rule.
On the other hand it doesn't need any log watching or dynamic response
mechanism.
Chris
I am running iptables (SME is a RH7.3 derivative). I'll look into this.
It doesn't cover the mail/web server hits, but it is a start.
Thanks,
Dale
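A worked example of the SIPTO idea discussed above, written for this thread rather than taken from the list or from SME server: a small Python watcher that tails a log, matches admin-defined bad behaviour (a closed-port denylog line, an IIS cmd.exe probe against Apache, a rejected mail relay attempt), counts matches per source IP inside a sliding window, and after three of them appends a DROP rule to a dedicated iptables chain that is removed again after 15 minutes. The log line formats, the regexes, the chain name SIPTO and the NEVER_BAN addresses are all assumptions; the sample events are constructed, not captured traffic. By default it only prints the iptables commands it would run.

```python
"""SIPTO-style log watcher: count admin-defined bad behaviour per source IP
and put that IP in a temporary iptables time-out once it trips the threshold.
Added example for this thread; the log formats, regexes and chain name are
assumptions, not SME server's real ones.
"""
import re
import time
from collections import defaultdict, deque

# Admin-defined bad behaviour. Each rule is a name and a regex whose "ip"
# group captures the offending source address. All three formats are assumed.
RULES = [
    # iptables LOG line of the kind SME server writes for a closed-port hit
    ("closed-port", re.compile(r"kernel: denylog:.*\bSRC=(?P<ip>\d+(?:\.\d+){3})\b")),
    # Apache access log: a worm looking for IIS cmd.exe on a non-IIS host
    ("iis-probe", re.compile(r'^(?P<ip>\d+(?:\.\d+){3}) .*"(?:GET|POST) \S*cmd\.exe')),
    # Postfix-style reject of a client that tried to relay through us
    ("mail-abuse", re.compile(r"reject: RCPT from \S*\[(?P<ip>\d+(?:\.\d+){3})\]")),
]
THRESHOLD = 3          # this many matches ...
WINDOW = 60.0          # ... within this many seconds trips the ban
BAN_SECONDS = 900.0    # 15 minute time-out
CHAIN = "SIPTO"        # dedicated chain so bans can be flushed as a group
NEVER_BAN = {"127.0.0.1", "192.0.2.10"}  # assumed: loopback and your own LAN host


class Sipto:
    def __init__(self, run=None):
        self.hits = defaultdict(deque)   # ip -> timestamps of recent matches
        self.banned = {}                 # ip -> time the DROP rule comes out
        self.run = run or self._dry_run  # inject subprocess.run for real use

    @staticmethod
    def _dry_run(argv):
        print("would run:", " ".join(argv))

    @staticmethod
    def classify(line):
        """Return (rule name, source ip) for a matching line, else None."""
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                return name, m.group("ip")
        return None

    def observe(self, line, now):
        """Feed one log line; return (ip, decision) or None if it is noise."""
        hit = self.classify(line)
        if hit is None:
            return None
        _, ip = hit
        if ip in NEVER_BAN:              # never lock yourself out
            return ip, "ignored"
        if ip in self.banned:
            # Only reachable if the DROP rule sits low in the chain or was
            # removed by hand: dropped packets never reach the LOG rules.
            self.banned[ip] = now + BAN_SECONDS
            return ip, "extended"
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > WINDOW:  # forget matches outside the window
            q.popleft()
        if len(q) >= THRESHOLD:
            self.run(["iptables", "-A", CHAIN, "-s", ip, "-j", "DROP"])
            self.banned[ip] = now + BAN_SECONDS
            q.clear()
            return ip, "banned"
        return ip, "counted"

    def expire(self, now):
        """Remove DROP rules whose time-out has elapsed; return the freed IPs."""
        freed = sorted(ip for ip, until in self.banned.items() if until <= now)
        for ip in freed:
            self.run(["iptables", "-D", CHAIN, "-s", ip, "-j", "DROP"])
            del self.banned[ip]
        return freed


def follow(path, poll=1.0):
    """Minimal 'tail -f': yield lines appended to path (no rotation handling)."""
    with open(path) as f:
        f.seek(0, 2)
        while True:
            line = f.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(poll)


def replay(events, watcher):
    """Run (seconds, line) pairs through watcher, expiring bans as time passes."""
    out = []
    for now, line in events:
        watcher.expire(now)
        out.append(watcher.observe(line, now))
    return out


# Constructed sample events (seconds, log line); not real captured traffic.
SAMPLE = [
    (0, "Mar  3 12:00:00 gw kernel: denylog:IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=4321 DPT=135"),
    (5, '198.51.100.7 - - [03/Mar/2004:12:00:05 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -'),
    (10, "Mar  3 12:00:10 gw kernel: denylog:IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=4322 DPT=445"),
    (20, "Mar  3 12:00:20 gw kernel: denylog:IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=4323 DPT=1433"),
    (30, "Mar  3 12:00:30 gw postfix/smtpd[812]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 Relay access denied"),
    (100, '198.51.100.7 - - [03/Mar/2004:12:01:40 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -'),
    (110, "Mar  3 12:01:50 gw sshd[900]: Accepted publickey for dale from 192.0.2.10"),
    (120, "Mar  3 12:02:00 gw kernel: denylog:IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=5000 DPT=23"),
    (200, "Mar  3 12:03:20 gw kernel: denylog:IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=4324 DPT=80"),
]

if __name__ == "__main__":
    w = Sipto()
    for decision in replay(SAMPLE, w):
        print(decision)
    print("freed at t=1100:", w.expire(1100))
    # Real use: for line in follow("/var/log/messages"): w.observe(line, time.time())
```

To use it for real, create the chain once and hook it in ahead of the logging rule (`iptables -N SIPTO; iptables -I INPUT -j SIPTO`), flush it with `iptables -F SIPTO` whenever the watcher restarts so stale bans do not outlive their bookkeeping, and construct `Sipto(run=lambda argv: subprocess.run(argv, check=True))`. Two caveats worth keeping in mind: the source address in a denylog line is whatever the packet carried, so an attacker who can spoof packets can make the watcher ban addresses you rely on (your DNS servers, your own hosts), which is why an explicit never-ban list is not optional; and a burst of three matches in a minute is a low bar that a legitimate but misconfigured client can clear, so keep the time-out short rather than making the rule permanent.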