Alert!!

Ow Mun Heng Ow.Mun.Heng at wdc.com
Thu Sep 16 02:41:41 UTC 2004


On Thu, 2004-09-16 at 09:34, Dale Sykora wrote:
>   Do you know 
> of any SIPTO type program or script?  SIPTO (which I just made up) means 
> Source IP Time Out (think child behavior deterrent).  It would watch the 
> logs for admin defined bad behavior from a connecting IP and then 
> temporarily ban that IP (time-out via iptables) for 15 minutes or so 
> after 3 occurrences in a given time frame.  For example, SME server adds 
> a denylog line to /var/log/messages when an external IP tries to connect 
> to a closed port.  I would like something to watch this 'tail -f?' and 
> add an iptables rule to drop all connections from this IP address for a 
> short time frame (extendible if other attempts are made).  I would like 
> this to be generic enough to shut down access to zombies that try and 
> send viruses thru my email server, or systems that think I run IIS and 
> look for cmd.com/etc... as well.  Someone in the past mentioned an IDS, 
> but that seems CPU/network intensive.  I simply want to watch the logs 
> and block the bad/zombie machines that tend to fill the logs.

Wouldn't portsentry do that? Then again, portsentry would only determine
if a port which is marked as "secure" shouldn't be touched by anyone
except an allowed list, and will deny that IP dynamically.

On the other hand, there's swatch which will watch the logs for you
based on regex expressions and I guess you can write a script for it to
parse when it detects malware.

-- 
Ow Mun Heng
Fedora GNU/Linux Core 2 on D600 1.4Ghz CPU kernel
2.6.7-2.jul1-interactive 
Neuromancer 10:39:42 up 1 day, 1:23, 6 users, load average: 0.56, 0.52,
0.68 
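The "SIPTO" behaviour described in the quoted question (count denylog hits per source IP in a sliding window, ban after 3, lift the ban after 15 minutes, extend it if the source keeps trying) as an added example; it is not code from this thread, from SME server or from swatch. The denylog line shape in DENY_RE and the sample log are constructed assumptions, and the watcher returns the iptables commands as strings rather than executing them so the logic can be checked offline.

```python
"""Sliding-window 'source IP time-out' over syslog lines: ban on 3 hits, lift after 15 min."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed shape of an SME server denylog line (constructed); adjust DENY_RE to the real format.
DENY_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: denylog:.*SRC=(?P<ip>[\d.]+)")

class SourceIpTimeout:
    def __init__(self, threshold=3, window=timedelta(minutes=5), ban_for=timedelta(minutes=15)):
        self.threshold, self.window, self.ban_for = threshold, window, ban_for
        self.hits = defaultdict(deque)  # ip -> timestamps of recent denylog events
        self.banned = {}                # ip -> time at which the DROP rule should be removed

    def expire(self, now):
        """Return iptables commands lifting bans that have run out by `now`."""
        cmds = []
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                cmds.append(f"iptables -D INPUT -s {ip} -j DROP")
        return cmds

    def feed(self, line, year=2004):
        """Process one log line; return the iptables commands to run (possibly none)."""
        m = DENY_RE.match(line)
        if not m:
            return []
        now = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
        ip, cmds = m["ip"], self.expire(now)
        if ip in self.banned:
            self.banned[ip] = now + self.ban_for  # further attempts extend the time-out
            return cmds
        q = self.hits[ip]
        q.append(now)
        while now - q[0] > self.window:  # forget events that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.banned[ip] = now + self.ban_for
            q.clear()
            cmds.append(f"iptables -I INPUT -s {ip} -j DROP")
        return cmds

def run(log_text):
    """Feed every line in order and collect the commands to issue (print or subprocess.run them)."""
    w = SourceIpTimeout()
    return [c for line in log_text.splitlines() for c in w.feed(line)]

# Constructed sample: three closed-port hits in 40 s, a fourth while banned, then another source later.
SAMPLE_LOG = """\
Sep 16 10:00:00 sme kernel: denylog:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=135
Sep 16 10:00:20 sme kernel: denylog:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=445
Sep 16 10:00:40 sme kernel: denylog:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=139
Sep 16 10:05:00 sme kernel: denylog:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=80
Sep 16 10:30:00 sme kernel: denylog:IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP DPT=80
"""
```

Fed from `tail -f /var/log/messages`, the same class works unchanged; the fourth hit at 10:05 produces no new rule but pushes the ban out to 10:20, which is why the DROP rule is only removed when the 10:30 line arrives.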