Alert!!

Christopher K. Johnson ckjohnson at gwi.net
Thu Sep 16 01:55:49 UTC 2004


Dale Sykora wrote:

> Alexandar,
>     I want to thank you for all your thoughtful participation on this 
> list. Your words of wisdom have helped me on numerous occasions.  Do 
> you know of any SIPTO type program or script?  SIPTO (which I just 
> made up) means Source IP Time Out (think child behavior deterrent).  It 
> would watch the logs for admin defined bad behavior from a connecting 
> IP and then temporarily ban that IP (time-out via iptables) for 15 
> minutes or so after 3 occurrences in a given time frame.  For example, 
> SME server adds a denylog line to /var/log/messages when an external 
> IP tries to connect to a closed port.  I would like something to watch 
> this 'tail -f?' and add an iptables rule to drop all connections from 
> this IP address for a short time frame (extendible if other attempts 
> are made).  I would like this to be generic enough to shut down access 
> to zombies that try and send viruses through my email server, or systems 
> that think I run IIS and look for cmd.com/etc... as well.  Someone in 
> the past mentioned an IDS, but that seems CPU/network intensive.  I 
> simply want to watch the logs and block the bad/zombie machines that 
> tend to fill the logs.
> Any suggestions?
>
> Thanks,
>
> Dale 

Are you running iptables that you can alter on this firewall?
If so then you might take a look at the limit module for starters.  e.g.:
# Logging what falls off the end of INPUT chain - but rate limited
-A INPUT -i eth+ -m limit --limit 1/s --limit-burst 60 -j LOG --log-prefix "IPTABLES_DROPPED: "

The rule will log any packets input to the firewall on any ethernet 
interface that were not already dropped or denied or accepted.  But it 
will only log an average of one message per second, or less.  Up to 60 
may be logged in the first second, but any that are will deplete the 
burst by that amount.  And the burst counter only builds back up at 1/s 
to a maximum of 60.

It is not specific to a particular set of annoying system IP addresses, 
but is applied equally to all packets passing that rule.
On the other hand it doesn't need any log watching or dynamic response 
mechanism.

Chris
-- 

-----------------------------------------------------------
   "Spend less!  Do more!  Go Open Source..." -- Dirigo.net
   Chris Johnson, RHCE #807000448202021
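A dry-run sketch of the SIPTO watcher Dale describes, added here as an example (it is not code from either poster or from SME Server): it counts denylog hits per source IP in a sliding window, emits the iptables ban command on the third hit, and emits the matching un-ban once the 15-minute time-out has passed. The denylog line layout, the year (syslog stamps carry none) and the DPT values are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample syslog lines; the exact SME Server denylog format is assumed, not copied.
SAMPLE_LOG = [
    "Sep 15 21:01:02 sme kernel: denylog:IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=135",
    "Sep 15 21:01:05 sme kernel: denylog:IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445",
    "Sep 15 21:01:09 sme kernel: denylog:IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80",
    "Sep 15 21:01:20 sme kernel: denylog:IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=139",
    "Sep 15 21:30:00 sme kernel: denylog:IN=eth1 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443",
]
DENYLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: denylog:.*\bSRC=(\d+\.\d+\.\d+\.\d+)")

def _stamp(text, year=2004):
    """Parse a syslog 'Mon dd HH:MM:SS' stamp; syslog omits the year, so one is assumed."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)

class Sipto:
    """Source IP Time Out: 3 denylog hits inside the window earn a 15-minute DROP rule."""
    def __init__(self, hits=3, window=timedelta(seconds=60), ban=timedelta(minutes=15)):
        self.hits, self.window, self.ban = hits, window, ban
        self.recent = defaultdict(deque)  # ip -> timestamps of hits still inside the window
        self.banned = {}                  # ip -> time the current ban expires

    def feed(self, line):
        """Consume one log line; return the iptables command to run now, or None."""
        m = DENYLOG.match(line)
        if not m:
            return None
        ts, ip = _stamp(m.group(1)), m.group(2)
        if ip in self.banned:             # a hit that still gets logged during a ban extends it
            self.banned[ip] = ts + self.ban
            return None
        q = self.recent[ip]
        q.append(ts)
        while ts - q[0] > self.window:    # drop hits that have slid out of the window
            q.popleft()
        if len(q) < self.hits:
            return None
        q.clear()
        self.banned[ip] = ts + self.ban
        return f"iptables -I INPUT -s {ip} -j DROP"

    def expire(self, now):
        """Return the commands that lift every ban whose time-out has passed at syslog stamp `now`."""
        now = _stamp(now)
        done = [ip for ip, until in self.banned.items() if until <= now]
        for ip in done:
            del self.banned[ip]
        return [f"iptables -D INPUT -s {ip} -j DROP" for ip in done]
```

In use, the lines would come from a `tail -f /var/log/messages` pipe, each returned command would be run via subprocess, and `expire()` would be called periodically with the current time. Note that a DROP rule inserted at the head of INPUT silences further denylog lines for that address, so the time-out only extends if the logging rule sits before the ban.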