On Thu, 16.09.2004 at 3:34, Dale Sykora wrote:

> Alexander,
> I want to thank you for all your thoughtful participation on this list.
> Your words of wisdom have helped me on numerous occasions. Do you know

Hi Dale,

thank you very much for your compliments. Though I am glad to hear that some of my comments do really help people, I feel "words of wisdom" is much too high :)

Back to the context ...

> of any SIPTO type program or script? SIPTO (which I just made up) means
> Source IP Time Out (think child behavior deterrent). It would watch the
> logs for admin defined bad behavior from a connecting IP and then
> temporarily ban that IP (time-out via iptables) for 15 minutes or so
> after 3 occurrences in a given time frame. For example, SME server adds
> a denylog line to /var/log/messages when an external IP tries to connect
> to a closed port. I would like something to watch this 'tail -f?' and
> add an iptables rule to drop all connections from this IP address for a
> short time frame (extendible if other attempts are made). I would like
> this to be generic enough to shut down access to zombies that try and
> send viruses thru my email server, or systems that think I run IIS and
> look for cmd.com/etc... as well. Someone in the past mentioned an IDS,
> but that seems CPU/network intensive. I simply want to watch the logs
> and block the bad/zombie machines that tend to fill the logs.
> Any suggestions?
> Dale

If you need something like an automatic log file observation tool, have a look at swatch. A nice introductory article about that handy perl tool is to be found at

http://www.fedoranews.org/ghenry/swatch/

Depending on the kind of "attacks" you face you might consider psad to automatically block attacker hosts IP based with iptables:

http://www.cipherdyne.com/psad/

It is better than the meanwhile unsupported portsentry, more "intelligent", it uses snort rules.

Another way might be to enhance iptables by expanding it with patch-o-matic so far unofficial modules like "string". The string module can detect such webserver attacks (nimda etc.) where you see in your apache log entries like "/cmd.com/..." or "/system/foo.exe". The downside is that you will have to rebuild iptables as well as the kernel's iptables part. And of course on a system with much net traffic it can decrease performance a lot.

Alexander

--
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp
Serendipity 13:57:38 up 17 days, 11:14, load average: 0.58, 0.48, 0.35
Attachment:
signature.asc
Description: This is a digitally signed message part
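Dale's "SIPTO" idea (count denylog hits per source IP, drop the IP with iptables after 3 hits in a time frame, lift the drop after about 15 minutes, extend it on further attempts) is small enough to sketch in a few dozen lines. The following is an added example written for this page, not code from the thread, swatch or psad. It assumes a denylog line carries an `SRC=` field as iptables LOG output does (the exact SME server format is an assumption here), reads the log with a `tail -f`-style follower, and takes the iptables runner as a parameter so the replay below records the commands instead of touching the firewall; the sample lines are constructed from RFC 5737 test addresses.

```python
"""Source-IP time-out: watch a log, ban repeat offenders for a while."""
import re
import subprocess
import time
from collections import defaultdict, deque

# Assumed (constructed) shape of an SME server denylog line in /var/log/messages;
# only the "denylog" tag and the SRC= field are relied upon.
DENYLOG_RE = re.compile(r"denylog.*?\bSRC=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


class SourceIpTimeout:
    """Ban a source IP after `threshold` hits inside `window` seconds."""

    def __init__(self, threshold=3, window=60, ban_seconds=900, run_cmd=None):
        self.threshold = threshold
        self.window = window
        self.ban_seconds = ban_seconds
        self.run_cmd = run_cmd or self._run_iptables   # injectable for dry runs
        self.hits = defaultdict(deque)   # ip -> timestamps of recent hits
        self.banned = {}                 # ip -> timestamp when the ban expires

    @staticmethod
    def _run_iptables(args):
        subprocess.run(["iptables", *args], check=True)

    def observe(self, line, now):
        """Feed one log line; return the IP if this line triggered a ban."""
        m = DENYLOG_RE.search(line)
        if not m:
            return None
        ip = m.group("ip")
        if ip in self.banned:
            # Further attempts while banned just push the expiry out.
            self.banned[ip] = now + self.ban_seconds
            return None
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.ban(ip, now)
            q.clear()
            return ip
        return None

    def ban(self, ip, now):
        self.run_cmd(["-I", "INPUT", "-s", ip, "-j", "DROP"])
        self.banned[ip] = now + self.ban_seconds

    def expire(self, now):
        """Lift bans whose time-out has passed; return the IPs unbanned."""
        lifted = [ip for ip, exp in self.banned.items() if now >= exp]
        for ip in lifted:
            self.run_cmd(["-D", "INPUT", "-s", ip, "-j", "DROP"])
            del self.banned[ip]
        return lifted


def follow(path):
    """Yield new lines appended to `path` like `tail -f`; yield None when idle."""
    with open(path) as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(1)
                yield None      # gives the caller a chance to run expire()


# Constructed sample lines (RFC 5737 test addresses), paired with a fake clock.
SAMPLE = [
    (0,   "Sep 16 03:34:00 sme kernel: denylog:IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=135"),
    (10,  "Sep 16 03:34:10 sme kernel: denylog:IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=445"),
    (20,  "Sep 16 03:34:20 sme kernel: denylog:IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=80"),
    (25,  "Sep 16 03:34:25 sme kernel: denylog:IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=139"),
    (30,  "Sep 16 03:34:30 sme kernel: denylog:IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=135"),
    (100, "Sep 16 03:35:40 sme kernel: denylog:IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=80"),
    (200, "Sep 16 03:37:20 sme sshd[123]: Accepted publickey for dale from 192.0.2.50"),
]


def demo():
    """Replay SAMPLE with a recording stand-in for iptables; return what happened."""
    calls = []
    sipto = SourceIpTimeout(run_cmd=calls.append)
    bans = []
    for t, line in SAMPLE:
        ip = sipto.observe(line, t)
        if ip:
            bans.append(ip)
    lifted = sipto.expire(now=931)   # the t=30 hit pushed the expiry to t=930
    return calls, bans, lifted


if __name__ == "__main__":
    for c in demo()[0]:
        print("iptables", " ".join(c))
    # Live use: iterate follow("/var/log/messages"), call observe(line, time.time())
    # for each line and expire(time.time()) whenever the follower yields None.
```

In the replay, 203.0.113.7 is dropped on its third hit within 60 seconds, the fourth hit only extends the ban, and 198.51.100.9 never reaches the threshold because its two hits are 80 seconds apart. Running it for real needs root for iptables, and a crash between `-I` and `-D` leaves the rule in place, so a production version should put its bans in a dedicated chain it can flush on start-up.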