Alert!!

Dale Sykora dalen at czexan.net
Thu Sep 16 02:27:50 UTC 2004


Christopher K. Johnson wrote:
> Dale Sykora wrote:
> 
>> Alexandar,
>>     I want to thank you for all your thoughtful participation on this 
>> list. Your words of wisdom have helped me on numerous occasions.  Do 
>> you know of any SIPTO type program or script?  SIPTO (which I just 
>> made up) means Source IP Time Out (think child behavior deterrent).  It 
>> would watch the logs for admin defined bad behavior from a connecting 
>> IP and then temporarily ban that IP (time-out via iptables) for 15 
>> minutes or so after 3 occurrences in a given time frame.  For example, 
>> SME server adds a denylog line to /var/log/messages when an external 
>> IP tries to connect to a closed port.  I would like something to watch 
>> this 'tail -f?' and add an iptables rule to drop all connections from 
>> this IP address for a short time frame (extendible if other attempts 
>> are made).  I would like this to be generic enough to shut down access 
>> to zombies that try and send viruses thru my email server, or systems 
>> that think I run IIS and look for cmd.com/etc... as well.  Someone in 
>> the past mentioned an IDS, but that seems CPU/network intensive.  I 
>> simply want to watch the logs and block the bad/zombie machines that 
>> tend to fill the logs.
>> Any suggestions?
>>
>> Thanks,
>>
>> Dale 
> 
> 
> Are you running iptables that you can alter on this firewall?
> If so then you might take a look at the limit module for starters.  e.g.:
> # Logging what falls off the end of INPUT chain - but rate limited
> -A INPUT -i eth+ -m limit --limit 1/s --limit-burst 60 -j LOG --log-prefix IPTABLES_DROPPED:
> 
> The rule will log any packets input to the firewall on any ethernet 
> interface that were not already dropped or denied or accepted.  But it 
> will only log an average of one message per second, or less.  Up to 60 
> may be logged in the first second, but any that are will deplete the 
> burst by that amount.  And the burst counter only builds back up at 1/s 
> to a maximum of 60.
> 
> It is not specific to a particular set of annoying system ip addresses, 
> but applied equally to all packets passing that rule.
> On the other hand it doesn't need any log watching or dynamic response 
> mechanism.
> 
> Chris
I am running iptables (SME is a RH7.3 derivative).  I'll look into this.
It doesn't cover the mail/web server hits, but it is a start.

Thanks,

Dale
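The log-watching "SIPTO" behaviour Dale describes (count deny events per source IP, insert a temporary iptables DROP after 3 hits in a window, extend the time-out on repeat attempts, lift it later) as an added example; this is not code from the thread, from SME server or from any project. The denylog line shape with an `SRC=` field is an assumption constructed for the example, since the real format is not shown here; `follow()` imitates `tail -f`; `demo()` replays constructed lines through a dry-run runner so nothing touches a live firewall.

```python
import re
import subprocess
import time
from collections import defaultdict, deque

# Assumed line shape (constructed for this example; SME's real denylog format
# is not shown in the thread): a kernel LOG line tagged "denylog" with SRC=.
DENY_RE = re.compile(r"denylog.*\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


class Sipto:
    """Count deny events per source IP in a sliding window and ban repeat offenders."""

    def __init__(self, window=60, threshold=3, ban_seconds=15 * 60, runner=None):
        self.window = window            # seconds over which hits are counted
        self.threshold = threshold      # hits in the window that trigger a ban
        self.ban_seconds = ban_seconds  # length of the time-out
        # runner receives the iptables argument list; the default really runs iptables
        self.runner = runner if runner is not None else self._iptables
        self.hits = defaultdict(deque)  # ip -> timestamps of recent deny events
        self.bans = {}                  # ip -> epoch seconds when the ban expires
        self.actions = []               # audit trail of (verb, ip)

    @staticmethod
    def _iptables(args):
        subprocess.run(["iptables", *args], check=True)

    def observe(self, line, now):
        """Feed one log line with its timestamp; return what was done with it."""
        m = DENY_RE.search(line)
        if not m:
            return "ignored"
        ip = m.group(1)
        if ip in self.bans:
            # repeat attempt while banned: push the expiry out again
            self.bans[ip] = now + self.ban_seconds
            self.actions.append(("extend", ip))
            return "extended"
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.runner(["-I", "INPUT", "-s", ip, "-j", "DROP"])
            self.bans[ip] = now + self.ban_seconds
            del self.hits[ip]
            self.actions.append(("ban", ip))
            return "banned"
        return "counted"

    def expire(self, now):
        """Remove DROP rules whose time-out has elapsed."""
        for ip, until in list(self.bans.items()):
            if until <= now:
                self.runner(["-D", "INPUT", "-s", ip, "-j", "DROP"])
                del self.bans[ip]
                self.actions.append(("unban", ip))


def follow(path, poll=1.0):
    """Yield lines appended to path after we start, like 'tail -f'."""
    with open(path) as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


def demo():
    """Replay constructed log lines through a dry-run Sipto (no iptables calls)."""
    s = Sipto(window=60, threshold=3, ban_seconds=900, runner=lambda args: None)
    # (seconds offset, line) pairs, constructed; 203.0.113.0/24 and 198.51.100.0/24
    # are documentation address ranges
    events = [
        (0,  "Sep 16 02:27:50 sme kernel: denylog:IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=135"),
        (5,  "Sep 16 02:27:55 sme kernel: denylog:IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=445"),
        (7,  "Sep 16 02:27:57 sme sshd[412]: Accepted publickey for dale from 198.51.100.4"),
        (9,  "Sep 16 02:27:59 sme kernel: denylog:IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=1433"),
        (20, "Sep 16 02:28:10 sme kernel: denylog:IN=eth0 SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP DPT=139"),
        (30, "Sep 16 02:28:20 sme kernel: denylog:IN=eth0 SRC=198.51.100.77 DST=192.0.2.1 PROTO=TCP DPT=135"),
    ]
    t0 = 1_000_000
    results = [s.observe(line, t0 + offset) for offset, line in events]
    s.expire(t0 + 30)         # nothing has expired yet
    s.expire(t0 + 20 + 900)   # ban placed at +9 was extended at +20, so it lifts at +920
    return results, s.actions


if __name__ == "__main__":
    print(demo())
```

To run it against a real box you would loop `for line in follow("/var/log/messages"): s.observe(line, time.time())` as root, calling `s.expire(time.time())` on a timer. Two caveats: `-I INPUT` puts the DROP rule ahead of the rule that writes the denylog line, so a banned host stops generating log lines and the "extended" branch only fires if the logging rule sits above the drop; and the regex must be adjusted to whatever SME actually logs.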