On Wed, Aug 03, 2005 at 10:01:58PM +0200, Nagatoro wrote:
> Willie Wong wrote:
> >I just have scripts that parse the server logs and look for trigger
> >conditions, at which time it blocks off the offending site or the
> 
> Mind sharing those scripts?
> 

Do not mind of course. But the scripts are really nothing to speak of. 
For example:

I put in conf.d/local.start
------
tail --follow=name /var/log/pwdfail/current | 
/usr/local/sbin/sshd_pwd_blklst.pl &
------

where the perl script is the following

------
#!/usr/bin/perl -w
use strict;

# If an IP shows up 5 times among the last 9 sshd log lines that carry an
# address, we ban it for 1 hour.
# If an IP attempts to connect to a non-existing user, we ban it for 1 hour.
# The captured address only ever contains digits and dots (see the regexps
# below), so it is safe to interpolate into the iptables/at command strings.

my @ipaddys;

# Add a LOG and a DROP rule for $ip to the ssh_blacklist chain, and queue
# their removal one hour later via at(1) (at needs a base time: "now").
sub ban {
    my ($ip, $prefix) = @_;
    my $rule = "-s $ip -p tcp --destination-port ssh";
    system("iptables -A ssh_blacklist $rule -j LOG --log-prefix $prefix");
    system("iptables -A ssh_blacklist $rule -j DROP");
    system("echo \"iptables -D ssh_blacklist $rule -j DROP\" | at now + 1 hour");
    system("echo \"iptables -D ssh_blacklist $rule -j LOG --log-prefix $prefix\" | at now + 1 hour");
}

while (<>) {
    if (m/sshd.*Invalid.user[^\d]*(\d+\.\d+\.\d+\.\d+)/) {
        ban($1, 'AUTO_BLACKLIST_invld_usr');
    }
    elsif (m/sshd[^\d]*(\d+\.\d+\.\d+\.\d+)/) {
        my $ip = $1;
        # keep a short window of the most recent addresses seen
        if ((scalar @ipaddys) > 8) { shift(@ipaddys); }
        push(@ipaddys, $ip);
        if (scalar(grep { $_ eq $ip } @ipaddys) > 4) {
            ban($ip, 'AUTO_BLACKLIST');
        }
    }
}
-----
As you can see... it is the most primitive type: just pass a regexp
through the log file, set some counters, and ban some ip addys with
system calls to iptables. 

I used to also run something similar over /var/log/apache2/error_log
to parse against the common worm attacks.

W
-- 
   Be careful or be road-kill.
                  -- Calvin
Sortir en Pantoufles: up 3 days,  4:00
-- 
gentoo-user@gentoo.org mailing list
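The same detection logic, written out as an added Python example that is not part of Willie's post or of Gentoo: it keeps a per-IP count of failures inside a time window (instead of one buffer of the last few lines shared by all addresses), builds the iptables rules as argv lists so the address is never interpolated into a shell string, and runs in dry-run mode over constructed sample log lines. The sample lines and addresses, the window and threshold values, and the executor hook are assumptions; the `ssh_blacklist` chain name and log prefixes are taken from the script above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # failures are counted inside this look-back window
THRESHOLD = 5                   # failures within WINDOW that trigger a ban
BAN = timedelta(hours=1)        # how long a ban lasts

# Constructed sample of sshd syslog lines (not taken from any real host).
SAMPLE_LOG = """\
Aug  3 21:55:01 host sshd[1201]: Invalid user admin from 192.0.2.10
Aug  3 21:55:02 host sshd[1202]: Failed password for root from 198.51.100.7 port 4022 ssh2
Aug  3 21:55:04 host sshd[1203]: Failed password for root from 198.51.100.7 port 4023 ssh2
Aug  3 21:55:05 host sshd[1204]: Failed password for alice from 203.0.113.9 port 5001 ssh2
Aug  3 21:55:06 host sshd[1205]: Failed password for root from 198.51.100.7 port 4024 ssh2
Aug  3 21:55:08 host sshd[1206]: Failed password for root from 198.51.100.7 port 4025 ssh2
Aug  3 21:55:09 host sshd[1207]: Accepted publickey for alice from 203.0.113.9 port 5002 ssh2
Aug  3 21:55:10 host sshd[1208]: Failed password for root from 198.51.100.7 port 4026 ssh2
Aug  3 22:10:00 host sshd[1209]: Failed password for root from 198.51.100.7 port 4027 ssh2
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"  # only digits and dots can ever reach iptables
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + IP)
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from " + IP)


def parse(line):
    """Return (timestamp, ip, kind) for an sshd authentication failure, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year; strptime defaults to 1900, fine for time differences.
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    m = INVALID_RE.search(line)
    if m:
        return ts, m.group(1), "invalid_user"
    m = FAILED_RE.search(line)
    if m:
        return ts, m.group(1), "failed_password"
    return None


def iptables_argv(action, ip, prefix):
    """Build the LOG and DROP rules as argv lists (no shell, so no quoting issues)."""
    base = ["iptables", action, "ssh_blacklist", "-s", ip, "-p", "tcp", "--destination-port", "ssh"]
    return [base + ["-j", "LOG", "--log-prefix", prefix], base + ["-j", "DROP"]]


class Blacklister:
    def __init__(self, run=lambda argv: None):
        self.run = run                      # executor hook; no-op by default (dry run)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> (expiry, log prefix)
        self.actions = []                   # (ip, reason, timestamp) audit trail

    def expire(self, now):
        """Remove rules whose ban has run out (the script above uses at(1) for this)."""
        for ip, (until, prefix) in list(self.banned.items()):
            if now >= until:
                for argv in iptables_argv("-D", ip, prefix):
                    self.run(argv)
                del self.banned[ip]

    def ban(self, ip, reason, now):
        prefix = "AUTO_BLACKLIST_invld_usr" if reason == "invalid_user" else "AUTO_BLACKLIST"
        for argv in iptables_argv("-A", ip, prefix):
            self.run(argv)
        self.banned[ip] = (now + BAN, prefix)
        self.failures.pop(ip, None)
        self.actions.append((ip, reason, now))

    def feed(self, line):
        parsed = parse(line)
        if parsed is None:
            return
        ts, ip, kind = parsed
        self.expire(ts)
        if ip in self.banned:
            return  # already dropped; nothing to do until the ban expires
        if kind == "invalid_user":
            self.ban(ip, "invalid_user", ts)
            return
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()  # forget failures older than the window
        if len(q) >= THRESHOLD:
            self.ban(ip, "threshold", ts)


def process_log(text, run=lambda argv: None):
    """Feed every line of text through one Blacklister and return it for inspection."""
    b = Blacklister(run)
    for line in text.splitlines():
        b.feed(line)
    return b


if __name__ == "__main__":
    issued = []
    b = process_log(SAMPLE_LOG, run=issued.append)  # dry run: collect rules instead of applying them
    for ip, reason, ts in b.actions:
        print(f"ban {ip} ({reason}) at {ts:%H:%M:%S}")
    for argv in issued:
        print(" ".join(argv))
```

Behind `tail --follow=name`, the loop would be `for line in sys.stdin: b.feed(line)` with `run=lambda argv: subprocess.run(argv, check=True)`. Note that expiry here only happens when a new log line arrives; the `at` jobs in the original remove the rules on time even when the log is quiet, which is the better fit for a sleepy host.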
