Kenneth Porter wrote:
> Right. The iptables limit module is good for throttling iptables
> logging, but what we need is something to block application (Apache,
> sendmail) logging by dynamically firewalling misbehaved clients (e.g.
> zombies).
Yes! That is more generically the functionality I am looking for.
Perhaps this could easily be done in a few perl (one of the few
languages I have experience with :() scripts.
#!/usr/bin/perl
# naive programming below: pipe the log file to STDIN, e.g.  tail -f /var/log/maillog | ./autodeny.pl
use strict;
use warnings;

my $config = '/etc/iptables-config-file';      # wherever your iptables rules live
my $banlog = '/var/log/someotherlogfile';      # one timestamped line per rule, read later by the expiry cron job

# insert deny rule
while (my $line = <STDIN>) {
    next unless $line =~ /some daemon/;
    next unless $line =~ /some alert/;
    # SIP filter string: capture the offending source IP instead of relying on $&
    next unless $line =~ /(\d{1,3}(?:\.\d{1,3}){3})/;
    my $sip = $1;
    open my $cfg, '>>', $config or die "cannot append to $config: $!";
    print {$cfg} "deny all from $sip\n";       # use whatever rule syntax your config file expects
    close $cfg;
    open my $log, '>>', $banlog or die "cannot append to $banlog: $!";
    print {$log} time(), " $sip\n";            # timestamp for $sip rule
    close $log;
    system('service', 'iptables', 'restart') == 0
        or warn "iptables restart failed: $?";
}

# expire deny rule
# cron job to remove expired deny rules (read $banlog, drop entries older than the ban window, restart)
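The log-driven blocker sketched above, worked out as an added example that is not code from this thread (Python rather than the poster's perl, so it can be exercised without iptables). It anchors on the daemon tag before pulling the address, counts alerts per source instead of banning on the first hit, inserts a live iptables rule rather than editing the config and restarting, and carries the "expire deny rule" half as a method. The log lines, addresses and the sendmail "relay=[...] reject=550" format are constructed; the regexes are assumptions to adapt to the real daemon.

```python
import re
import time
from collections import defaultdict
# Constructed sample syslog lines (not from the original post).
SAMPLE_LOG = [
    "Mar  3 10:00:01 mx sendmail[1234]: relay=[203.0.113.7], reject=550 5.7.1 Relaying denied",
    "Mar  3 10:00:02 mx sendmail[1235]: relay=[198.51.100.9], reject=550 5.7.1 Relaying denied",
    "Mar  3 10:00:03 mx sendmail[1236]: relay=[203.0.113.7], reject=550 5.7.1 Relaying denied",
    "Mar  3 10:00:04 mx sshd[42]: Failed password for root from 203.0.113.7 port 5000 ssh2",
]
# Anchor on the daemon tag, then take the address only from the field the daemon
# itself writes: matching "any IP anywhere on the line" would let a client inject
# a spoofed address into the log and get an arbitrary host blocked.
DAEMON = re.compile(r"^\S+\s+\d+ \S+ \S+ sendmail\[\d+\]: ")
ALERT = re.compile(r"relay=\[(\d{1,3}(?:\.\d{1,3}){3})\], reject=550 ")


class Blocker:
    """Count alerts per source IP, ban at `threshold` hits, unban after `ban_seconds`."""

    def __init__(self, threshold=3, ban_seconds=3600, run=None):
        self.threshold, self.ban_seconds = threshold, ban_seconds
        self.run = run or (lambda argv: print(" ".join(argv)))  # dry run by default
        self.hits = defaultdict(int)
        self.banned = {}  # ip -> epoch second at which the ban expires

    def feed(self, line, now=None):
        """Process one log line; return the IP if this line triggered a ban."""
        now = time.time() if now is None else now
        m = DAEMON.match(line) and ALERT.search(line)
        if not m or not all(0 <= int(o) <= 255 for o in m.group(1).split(".")):
            return None
        ip = m.group(1)
        self.hits[ip] += 1
        if self.hits[ip] < self.threshold or ip in self.banned:
            return None
        self.run(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])  # live rule, no restart
        self.banned[ip] = now + self.ban_seconds
        return ip

    def expire(self, now=None):
        """The cron-job half: delete the rules whose ban window has passed."""
        now = time.time() if now is None else now
        expired = [ip for ip, until in self.banned.items() if until <= now]
        for ip in expired:
            self.run(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
            del self.banned[ip]
            self.hits.pop(ip, None)
        return expired
```

In production `run` would be `subprocess.run` with `check=True`, `feed` would be called from a `tail -f` loop, and `expire` from cron; the per-IP state should then live on disk so a restart does not forget active bans.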