Follow-up on Adaptive Firewalling w/Swatch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Coincidentally, last night, at about 17:00 we suffered an intensive
DDoS via CGI. The unique client count is now over 3,000. Fortunately I
was running a tail at the time and noticed it pretty quickly which
allowed me to restore order relatively quickly.

I brought up another instance of swatch on for the access_log which
has been watching for the DoS pattern. On hits, it  passes the IP of
the attacker to a script that adds firewall rules.

The initialization looks like:

/usr/bin/swatch --use-cpan-file-tail --config-file=/etc/swatch2.conf \ 
--daemon --awk-field-syntax --tail-file=/var/log/httpd/access_log

The conf file looks like:

watchfor        /RegEx Pattern of Exploit/i
        exec "/usr/local/bin/ipt-ddos $1"


-- 
      Do NOT Send Email to <spam trap> Fedora@TQMcube,com
Our DNSRBL - Eliminate Spam at The Source: http://www.TQMcube.com
               Don't Subsidize Criminals: http://boulderpledge.org


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux