Gentoo Archives: gentoo-user

From: Willie Wong <wwong@×××××××××.EDU>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Testing how secure a server is...
Date: Wed, 03 Aug 2005 20:57:13
Message-Id: 20050803205222.GA9395@princeton.edu
In Reply to: Re: [gentoo-user] Testing how secure a server is... by Nagatoro
On Wed, Aug 03, 2005 at 10:01:58PM +0200, Nagatoro wrote:
> Willie Wong wrote:
> >I just have scripts that parse the server logs and look for trigger
> >conditions, at which time it blocks off the offending site or the
>
> Mind sharing those scripts?
>

Do not mind of course. But the scripts are really nothing to speak of.
For example:

I put in conf.d/local.start
------
tail --follow=name /var/log/pwdfail/current | /usr/local/sbin/sshd_pwd_blklst.pl &
------

where the perl script is the following

------
#!/usr/bin/perl -w
# Reads sshd log lines on stdin (fed by the tail --follow above).
# If an IP tries to log in as a non-existent user, we ban it for 1 hour.
# If an IP shows up 5 or more times among the last 9 failure lines,
# we ban it for 1 hour.
# Assumes an iptables chain "ssh_blacklist" already exists and is jumped
# to from INPUT, and that the log puts no digits (e.g. a PID) between
# "sshd" and the client address, which the second regexp relies on.
use strict;

my @ipaddys;   # ring buffer of the most recent source addresses
while (<>) {
    if (m/sshd.*Invalid.user[^\d]*(\d+\.\d+\.\d+\.\d+)/) {
        my $ip = $1;
        system("iptables -A ssh_blacklist -s $ip -p tcp --destination-port ssh -j LOG --log-prefix AUTO_BLACKLIST_invld_usr");
        system("iptables -A ssh_blacklist -s $ip -p tcp --destination-port ssh -j DROP");
        # schedule the matching deletes with at(1); at wants a time before the increment
        system("echo \"iptables -D ssh_blacklist -s $ip -p tcp --destination-port ssh -j DROP\" | at now + 1 hour");
        system("echo \"iptables -D ssh_blacklist -s $ip -p tcp --destination-port ssh -j LOG --log-prefix AUTO_BLACKLIST_invld_usr\" | at now + 1 hour");
    }
    elsif (m/sshd[^\d]*(\d+\.\d+\.\d+\.\d+)/) {
        my $ip = $1;
        if ((scalar @ipaddys) > 8) { shift(@ipaddys); }   # keep only the last 9 entries
        push(@ipaddys, $ip);
        if (scalar(grep { $_ eq $ip } @ipaddys) > 4) {    # 5 or more hits in the window
            system("iptables -A ssh_blacklist -s $ip -p tcp --destination-port ssh -j LOG --log-prefix AUTO_BLACKLIST");
            system("iptables -A ssh_blacklist -s $ip -p tcp --destination-port ssh -j DROP");
            system("echo \"iptables -D ssh_blacklist -s $ip -p tcp --destination-port ssh -j DROP\" | at now + 1 hour");
            system("echo \"iptables -D ssh_blacklist -s $ip -p tcp --destination-port ssh -j LOG --log-prefix AUTO_BLACKLIST\" | at now + 1 hour");
        }
    }
}
-----
As you can see... it is the most primitive type: it just passes a regexp
through the log file, sets some counters, and bans some ip addys with
system calls to iptables.

I used to also run something similar over /var/log/apache2/error_log
to parse against the common worm attacks.

W
--
Be careful or be road-kill.
-- Calvin
Sortir en Pantoufles: up 3 days, 4:00
--
gentoo-user@g.o mailing list
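The same detection logic as an added example in Python (not Willie's script and not from the thread), written so it can be dry-run: the iptables commands are returned instead of executed, and the one-hour unban is tracked as an expiry timestamp instead of an at(1) job. It goes slightly beyond the Perl version in two ways: it matches OpenSSH's "Failed password" lines specifically rather than any sshd line with an address, and it does not stack a second pair of rules on an address that is already banned. The log lines, addresses and the `ssh_blacklist` chain are constructed for the example.

```python
# Added example (not Willie's script): log-driven ssh banning in dry-run form.
import re
from collections import deque

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# OpenSSH's "Invalid user" and "Failed password" messages; the leading "sshd.*"
# tolerates whatever the syslog daemon puts between the tag and the message.
INVALID_USER = re.compile(r"sshd.*Invalid user \S+ from " + IPV4)
FAILED_PASSWORD = re.compile(
    r"sshd.*Failed password for (?:invalid user )?\S+ from " + IPV4)

CHAIN = "ssh_blacklist"  # assumed to exist and to be jumped to from INPUT


def ban_rules(ip, prefix):
    """LOG-then-DROP rules for ssh traffic from ip, in append order."""
    base = f"iptables -A {CHAIN} -s {ip} -p tcp --destination-port ssh"
    return [f"{base} -j LOG --log-prefix {prefix}", f"{base} -j DROP"]


def unban_rules(ip, prefix):
    """The matching -D rules; iptables -D needs the exact same rule spec."""
    return [rule.replace(" -A ", " -D ", 1) for rule in ban_rules(ip, prefix)]


class SshBanner:
    def __init__(self, window=9, threshold=5, ban_seconds=3600):
        self.recent = deque(maxlen=window)  # source IP of the last `window` failures
        self.threshold = threshold
        self.ban_seconds = ban_seconds
        self.banned = {}  # ip -> (expiry time, log prefix)

    def feed(self, line, now):
        """Process one log line; return the iptables commands it triggers."""
        m = INVALID_USER.search(line)
        if m:
            return self._ban(m.group(1), "AUTO_BLACKLIST_invld_usr", now)
        m = FAILED_PASSWORD.search(line)
        if m:
            ip = m.group(1)
            self.recent.append(ip)  # oldest entry falls off automatically
            if self.recent.count(ip) >= self.threshold:
                return self._ban(ip, "AUTO_BLACKLIST", now)
        return []

    def _ban(self, ip, prefix, now):
        if ip in self.banned:  # already banned: don't stack duplicate rules
            return []
        self.banned[ip] = (now + self.ban_seconds, prefix)
        return ban_rules(ip, prefix)

    def expire(self, now):
        """Return the -D commands for bans whose hour is up, and forget them."""
        cmds = []
        for ip, (expiry, prefix) in list(self.banned.items()):
            if now >= expiry:
                cmds += unban_rules(ip, prefix)
                del self.banned[ip]
        return cmds


# Constructed sample lines in syslog format; the addresses are documentation
# ranges, not real hosts.
SAMPLE_LOG = [
    "Aug  3 20:50:01 host sshd[9001]: Invalid user admin from 203.0.113.7",
] + [
    f"Aug  3 20:50:0{i} host sshd[900{i}]: Failed password for root "
    f"from 198.51.100.9 port 5123{i} ssh2"
    for i in range(2, 8)
] + [
    "Aug  3 20:50:08 host sshd[9008]: Failed password for bob "
    "from 192.0.2.33 port 40000 ssh2",
]


def run(lines, start=0):
    """Feed lines one second apart, then jump an hour ahead and collect unbans."""
    banner = SshBanner()
    cmds = []
    for i, line in enumerate(lines):
        cmds += banner.feed(line, start + i)
    cmds += banner.expire(start + len(lines) + banner.ban_seconds)
    return cmds


if __name__ == "__main__":
    for cmd in run(SAMPLE_LOG):
        print(cmd)
```

Run against the sample, the invalid-user line bans 203.0.113.7 immediately, 198.51.100.9 is banned on its fifth failure (the sixth produces nothing because it is already listed), 192.0.2.33 with a single failure is never touched, and after the hour all four -D commands come back. To actually enforce, replace the returned strings with `subprocess.run` calls and keep the process running under the same `tail --follow` pipeline as the Perl script.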

Replies

Subject Author
Re: [gentoo-user] Testing how secure a server is... Nagatoro <nagatoro@×××××.com>