On Wed, Aug 03, 2005 at 10:01:58PM +0200, Nagatoro wrote:
> Willie Wong wrote:
> >I just have scripts that parse the server logs and look for trigger
> >conditions, at which time it blocks off the offending site or the
>
> Mind sharing those scripts?
>

I don't mind, of course. But the scripts are really nothing to speak of.
For example:

I put in conf.d/local.start
------
tail --follow=name /var/log/pwdfail/current | /usr/local/sbin/sshd_pwd_blklst.pl &
------

where the Perl script is the following

------
#!/usr/bin/perl -w
use strict;

# If an IP has more than 5 failed logins from SSH in the past 10,
# we ban it for 1 hour.
# If an IP attempts to connect to a non-existing user, we ban it for 1
# hour.
#
# The captured IP is always a dotted quad (\d+\.\d+\.\d+\.\d+), so
# interpolating it into the system() command lines cannot inject shell
# syntax from a crafted log line.  Both patterns use [^\d]* between
# "sshd" (or "user") and the address, so they only match log lines that
# have no digits there (e.g. no "sshd[1234]:" PID) like the ones in
# /var/log/pwdfail/current.

# source IPs of the last few sshd log lines (sliding window of 9 entries)
my @ipaddys;

while (<>) {
    if (m/sshd.*Invalid.user[^\d]*(\d+\.\d+\.\d+\.\d+)/) {
        # login attempt for a non-existent account: ban right away
        my $ip = $1;
        system("iptables -A ssh_blacklist -s $ip -p tcp --destination-port ssh -j LOG --log-prefix AUTO_BLACKLIST_invld_usr");
        system("iptables -A ssh_blacklist -s $ip -p tcp --destination-port ssh -j DROP");
        # queue removal of both rules with at(1), one hour from now
        system("echo \"iptables -D ssh_blacklist -s $ip -p tcp --destination-port ssh -j DROP\" | at now + 1 hour");
        system("echo \"iptables -D ssh_blacklist -s $ip -p tcp --destination-port ssh -j LOG --log-prefix AUTO_BLACKLIST_invld_usr\" | at now + 1 hour");
    }
    elsif (m/sshd[^\d]*(\d+\.\d+\.\d+\.\d+)/) {
        # any other sshd line naming an IP: count it in the window
        my $ip = $1;
        if ((scalar @ipaddys) > 8) { shift(@ipaddys); }
        push(@ipaddys, $ip);
        # 5 or more of the last 9 entries from the same IP: ban it
        if (scalar(grep { $_ eq $ip } @ipaddys) > 4) {
            system("iptables -A ssh_blacklist -s $ip -p tcp --destination-port ssh -j LOG --log-prefix AUTO_BLACKLIST");
            system("iptables -A ssh_blacklist -s $ip -p tcp --destination-port ssh -j DROP");
            system("echo \"iptables -D ssh_blacklist -s $ip -p tcp --destination-port ssh -j DROP\" | at now + 1 hour");
            system("echo \"iptables -D ssh_blacklist -s $ip -p tcp --destination-port ssh -j LOG --log-prefix AUTO_BLACKLIST\" | at now + 1 hour");
        }
    }
}
-----
As you can see... it is the most primitive type: just pass a regexp
over the log file, set some counters, and ban some IP addys with
system calls to iptables.

I used to also run something similar over /var/log/apache2/error_log
to parse against the common worm attacks.

W
--
Be careful or be road-kill.
-- Calvin
Sortir en Pantoufles: up 3 days, 4:00
--
gentoo-user@g.o mailing list
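The Perl script above counts an IP's hits against the last nine sshd lines of any origin, so a few unrelated log lines between an attacker's attempts push its earlier failures out of the window, and the captured address is passed straight to the shell. The following is an added example (not Willie's script, and not part of the thread) that keeps the same ban/undo scheme, chain name `ssh_blacklist` and log prefixes from the post, but counts failures per source IP within a real time window and returns the iptables/at(1) commands as strings so they can be reviewed before anything is executed. The threshold, the ten-minute window, the syslog-style line format with a PID and the sample log lines are constructed assumptions; the addresses are from the TEST-NET ranges.

```python
#!/usr/bin/env python3
"""Per-IP sliding-window SSH blacklisting over sshd log lines.

Added example, not the script from the post.  Chain name and log prefixes
are taken from the post; THRESHOLD, WINDOW, the syslog line format and the
sample log are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

CHAIN = "ssh_blacklist"        # chain name used in the post
THRESHOLD = 5                  # failures within WINDOW that trigger a ban (assumption)
WINDOW = 10 * 60               # seconds; "the past 10" read as ten minutes (assumption)
BAN_FOR = "1 hour"             # at(1) increment, as in the post

# "Aug  3 22:00:01 host sshd[4001]: <message>"  (constructed syslog-style format)
SYSLOG = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
INVALID_USER = re.compile(r"^Invalid user \S+ from (\S+)")
FAILED_PW = re.compile(r"^Failed password for (?:invalid user )?\S+ from (\S+)")


def ban_commands(ip, prefix):
    """Shell commands that log+drop `ip` on the ssh port and undo both rules later.

    ipaddress.ip_address() raises ValueError for anything that is not an
    address, so a crafted log line cannot smuggle shell syntax into iptables.
    """
    ip = str(ipaddress.ip_address(ip))
    match = f"{CHAIN} -s {ip} -p tcp --dport ssh"
    targets = [f"-j LOG --log-prefix {prefix}", "-j DROP"]
    add = [f"iptables -A {match} {t}" for t in targets]
    undo = "; ".join(f"iptables -D {match} {t}" for t in reversed(targets))
    return add + [f"echo '{undo}' | at now + {BAN_FOR}"]


def log_time(stamp):
    """Seconds since a fixed reference for a syslog timestamp (the line has no year)."""
    dt = datetime.strptime(stamp, "%b %d %H:%M:%S")
    return (dt - datetime(1900, 1, 1)).total_seconds()


def process(lines):
    """Return {ip: [commands]} for every IP to ban, in the order the bans trigger."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside WINDOW
    banned = {}
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, msg = log_time(m.group(1)), m.group(2)
        inv = INVALID_USER.match(msg)
        if inv:
            # unknown account: ban on first sight, as the post's script does
            ip = inv.group(1)
            banned.setdefault(ip, ban_commands(ip, "AUTO_BLACKLIST_invld_usr"))
            continue
        failed = FAILED_PW.match(msg)
        if not failed or failed.group(1) in banned:
            continue
        ip = failed.group(1)
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:      # drop failures older than WINDOW
            window.popleft()
        if len(window) >= THRESHOLD:
            banned[ip] = ban_commands(ip, "AUTO_BLACKLIST")
            window.clear()
    return banned


# Constructed sample log.  203.0.113.7 fails 5 times within 10 s and is banned;
# 198.51.100.5 fails 5 times spread over an hour and is not; 192.0.2.9 probes a
# non-existent account and is banned immediately.
SAMPLE_LOG = """\
Aug  3 21:30:00 host sshd[3001]: Failed password for bob from 198.51.100.5 port 42001 ssh2
Aug  3 21:45:00 host sshd[3002]: Failed password for bob from 198.51.100.5 port 42002 ssh2
Aug  3 22:00:01 host sshd[4001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Aug  3 22:00:03 host sshd[4002]: Failed password for root from 203.0.113.7 port 40002 ssh2
Aug  3 22:00:05 host sshd[4003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Aug  3 22:00:07 host sshd[4004]: Failed password for root from 203.0.113.7 port 40004 ssh2
Aug  3 22:00:09 host sshd[4005]: Failed password for bob from 198.51.100.5 port 42003 ssh2
Aug  3 22:00:10 host sshd[4006]: Accepted publickey for willie from 198.51.100.5 port 42004 ssh2
Aug  3 22:00:11 host sshd[4007]: Failed password for root from 203.0.113.7 port 40005 ssh2
Aug  3 22:01:00 host sshd[4008]: Invalid user admin from 192.0.2.9
Aug  3 22:01:02 host sshd[4008]: Failed password for invalid user admin from 192.0.2.9 port 41000 ssh2
Aug  3 22:15:00 host sshd[4009]: Failed password for bob from 198.51.100.5 port 42005 ssh2
Aug  3 22:30:00 host sshd[4010]: Failed password for bob from 198.51.100.5 port 42006 ssh2
"""

if __name__ == "__main__":
    for ip, cmds in process(SAMPLE_LOG.splitlines()).items():
        print(f"# {ip}")
        print("\n".join(cmds))
```

To use it the way the post wires up the Perl script, feed it `tail --follow=name` output line by line and hand each command list to `subprocess.run` only after validation has passed; the regexes here expect the `sshd[pid]:` form written by syslog-style daemons, unlike the post's patterns, which match the PID-less lines in /var/log/pwdfail/current.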