Re: Alert!!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am Do, den 16.09.2004 schrieb Dale Sykora um 3:34:

> Alexandar,
> 	I want to thank you for all your thougful participation on this list. 
> Your words or wisdom have helped me on numerous occasions.  Do you know 

Hi Dale, thank you very much for your compliments. Though I am glad to
hear that some of my comment do really help people, I feel "words of
wisdom" is much too high :)

Back to the context ...

> of any SIPTO type program or script?  SIPTO (which I just made up) means 
> Source IP Time Out (think child behavior deterant).  It would watch the 
> logs for admin defined bad behavior from a connecting IP and then 
> temporarily ban that IP (time-out via iptables) for 15 minutes or so 
> after 3 occurances in a given time frame.  For example, SME server adds 
> a denylog line to /var/log/messages when an external IP tries to connect 
> to a closed port.  I would like something to watch this 'tail -f?' and 
> add an iptables rule to drop all connections from this IP address for a 
> short time frame (extendible if other attemps are made).  I would like 
> this to be generic enough to shut down access to zombies that try and 
> send viruses thru my email server, or systems that think I run IIS and 
> look for cmd.com/etc... as well.  Someone it the past mentioned an IDS, 
> but that seems CPU/network intensive.  I simple want to watch the logs 
> and block the bad/zombie machines that tend to fill the logs.
> Any suggestions?

> Dale

If you need something like an automatic log file observation tool, have
a look at swatch. A nice introducing article about that handy perl tool
is to be found at

http://www.fedoranews.org/ghenry/swatch/

Depending on the kind of "attacks" you face you migh consider psad to
automatically block attacker hosts IP based with iptables:

http://www.cipherdyne.com/psad/

It is better than the meanwhile unsupported portsentry, more
"intelligent", it uses snort rules.

Another way might be to enhance iptables by expanding it with
patch-o-matic so far unofficial modules like "string". The string module
can detect such webserver attacks (nimda etc.) where you see in your
apache log entries like "/cmd.com/..." or "/system/foo.exe". The
downside is that you will have to rebuild iptables as well the kernel's
iptables part. And of course on a system with much net traffic it can
decrease performance a lot.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp 
Serendipity 13:57:38 up 17 days, 11:14, load average: 0.58, 0.48, 0.35 

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux