Alert!!
Dale Sykora
dalen at czexan.net
Thu Sep 16 02:27:50 UTC 2004
Christopher K. Johnson wrote:
> Dale Sykora wrote:
>
>> Alexandar,
>> I want to thank you for all your thoughtful participation on this
>> list. Your words of wisdom have helped me on numerous occasions. Do
>> you know of any SIPTO type program or script? SIPTO (which I just
>> made up) means Source IP Time Out (think child behavior deterrent). It
>> would watch the logs for admin defined bad behavior from a connecting
>> IP and then temporarily ban that IP (time-out via iptables) for 15
>> minutes or so after 3 occurrences in a given time frame. For example,
>> SME server adds a denylog line to /var/log/messages when an external
>> IP tries to connect to a closed port. I would like something to watch
>> this 'tail -f?' and add an iptables rule to drop all connections from
>> this IP address for a short time frame (extendible if other attempts
>> are made). I would like this to be generic enough to shut down access
>> to zombies that try and send viruses thru my email server, or systems
>> that think I run IIS and look for cmd.com/etc... as well. Someone in
>> the past mentioned an IDS, but that seems CPU/network intensive. I
>> simply want to watch the logs and block the bad/zombie machines that
>> tend to fill the logs.
>> Any suggestions?
>>
>> Thanks,
>>
>> Dale
>
>
> Are you running iptables that you can alter on this firewall?
> If so then you might take a look at the limit module for starters. e.g.:
> # Logging what falls off the end of INPUT chain - but rate limited
> -A INPUT -i eth+ -m limit --limit 1/s --limit-burst 60 -j LOG --log-prefix IPTABLES_DROPPED:
>
> The rule will log any packets input to the firewall on any ethernet
> interface that were not already dropped or denied or accepted. But it
> will only log an average of one message per second, or less. Up to 60
> may be logged in the first second, but any that are will deplete the
> burst by that amount. And the burst counter only builds back up at 1/s
> to a maximum of 60.
>
> It is not specific to a particular set of annoying system ip addresses,
> but is applied equally to all packets passing that rule.
> On the other hand it doesn't need any log watching or dynamic response
> mechanism.
>
> Chris
I am running iptables (SME is a RH7.3 derivative). I'll look into this.
It doesn't cover the mail/web server hits, but it is a start.
Thanks,
Dale
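A minimal SIPTO-style watcher for the behaviour Dale describes (3 hits in a window, 15 minute iptables time-out, extended on repeat attempts), written as an added example rather than code from this thread or from SME server; the denylog line format and its `SRC=` field are assumptions, since the post does not show what SME actually logs:

```python
import re
import subprocess
from collections import defaultdict, deque

THRESHOLD, WINDOW, BAN_SECONDS = 3, 60, 15 * 60   # 3 hits in 60 s -> 15 min ban
# Constructed pattern: a 'denylog' line carrying a SRC= field. The thread
# does not show SME's exact log format, so adjust the regex to match it.
SRC_RE = re.compile(r"denylog.*?\bSRC=(\d{1,3}(?:\.\d{1,3}){3})")


class Sipto:
    def __init__(self, run_cmd=None):
        self.hits = defaultdict(deque)  # ip -> timestamps of recent hits
        self.banned = {}                # ip -> time the ban expires
        self.run_cmd = run_cmd or (lambda argv: subprocess.run(argv, check=True))

    def _iptables(self, action, ip):
        # -I puts the DROP at the top of INPUT; -D later deletes that same rule
        self.run_cmd(["iptables", action, "INPUT", "-s", ip, "-j", "DROP"])

    def expire(self, now):
        # lift every time-out whose expiry has passed
        for ip in [ip for ip, until in self.banned.items() if until <= now]:
            del self.banned[ip]
            self._iptables("-D", ip)

    def observe(self, line, now):
        # feed one log line; returns the IP if it is now (or still) banned
        m = SRC_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if ip in self.banned:               # repeat attempt: extend the ban
            self.banned[ip] = now + BAN_SECONDS
            return ip
        q = self.hits[ip]
        q.append(now)
        while q[0] < now - WINDOW:          # forget hits outside the window
            q.popleft()
        if len(q) < THRESHOLD:
            return None
        q.clear()
        self.banned[ip] = now + BAN_SECONDS
        self._iptables("-I", ip)
        return ip
```

Feed it the output of `tail -F /var/log/messages` line by line, calling `expire()` and then `observe()` with the current time for each line. A DROP inserted at the top of INPUT also silences further denylog lines from that IP, so the ban-extension branch only fires if the drop rule is placed after the logging rule.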