On Wed, Jan 24, 2001 at 01:51:00PM -0800, Denis R wrote:
>  >>>>>
>  >>Date: Mon, 22 Jan 2001 14:49:34 -0500
>  >>From: "Michael H. Warfield" <[EMAIL PROTECTED]>
>  >>Subject: Re: Ramen worm & port activity

>  >>On Mon, Jan 22, 2001 at 01:48:00PM -0500, Burke, Thomas G. wrote:
>  > Of course, the "Black hole" effect lasts only until the machine is rebooted.

>  >>   1) Not necessarily.  Particularly if you save the chains before
>  >>shutting down (doesn't help if you pull the plug). [skip]

>  >>   2) [skip]  I don't see much sense
>  >>in blocking out an address for more than 48 hours.  If I do see
>  >>returns from the same address across expirations, that's a system that
>  >>I might want to notify someone about...  :-/
> firewall solution. However, having looked through the portsentry.conf file 
> and ipchains man pages, I can't find any means of putting a 24/48 hour 
> expiration time on the denied IP.

        It takes some front-end scripting...  The history file contains
a timestamp of when it was entered.  You just need a cron job that looks
through that file, adjusting the time for an expiration and then for any
time after the last time it ran but before the current time for expiration.
Then for each of those, you run a "portsentry.unblock" script like the
one attached below.

> Can you advise me on how to do that as it looks like a great answer to my 
> dilemma: either keeping a long blacklist of restricted IPs in 
> /etc/rc.d/rc.firewall.blocked (which for most part are dynamically 
> assigned) or having a temp 24 hour expiring list? Personally, I like the 
> elegance of the latter one.

> Thanks!

> DR

        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

== Begin attachment == /usr/local/psionic/portsentry/portsentry.unblock ==
#!/bin/sh -
# Unblock an address that has previously been blocked by PortSentry...

# Set up some "fake" variable substitutions so we can preserve the variables
# ($TARGET$ and $PORT$) in the config file when we source it below...

if test "$1" = "" ; then
        echo 'What would you like me to unblock?'
        exit 255
fi

# Accept only a dotted-quad IPv4 address.  expr prints the number of
# characters matched, so 0 means the argument did not look like one.
if test `expr "$1" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$'` = 0 ; then
        echo "Unable to gronk the address to be unblocked: $1"
        exit 255
fi

ADDRESS=$1
TARGET='$TARGET'
PORT='$PORT'

# For firewall work, we really need an SADDR SPORT DADDR and DPORT

. /usr/local/psionic/portsentry/portsentry.conf

if test "$KILL_ROUTE" != "" ; then
        # Substitute the real address for the literal $TARGET$ token.  Inside
        # backquotes the shell turns '\\$' into '\$', which is what sed needs to
        # match a literal trailing dollar sign rather than end-of-line.
        # Then pick out the command name (minus its directory) so we know
        # how to reverse it...
        B_COMMAND=`echo "$KILL_ROUTE" | sed -e 's/$TARGET\\$/'"$ADDRESS"'/g'`
        COMMAND=`echo "$B_COMMAND" | sed -e 's/ .*//' -e 's/.*\///'`
        case "$COMMAND" in
        ipchains)
                # Turn "ipchains -I input ..." (or "-A input ...") into
                # "ipchains -D input ...", which deletes the matching rule.
                U_COMMAND=`echo "$B_COMMAND" | sed -e 's/-I//' -e 's/-A//' -e 's/ / -D /'`
                ;;
        ipfwadm)
                # Not handled here.
                ;;
        netfilter)
                # Not handled here.
                ;;
        *)
                ;;
        esac

        if test "$U_COMMAND" != "" ; then
                echo executing $U_COMMAND
                $U_COMMAND
        fi
fi

if test "$KILL_HOSTS_DENY" != "" ; then
        DENY=`echo "$KILL_HOSTS_DENY" | sed -e 's/$TARGET\\$/'"$ADDRESS"'/g'`
        # Escape the dots in the address so sed matches them literally
        # instead of as "any character"...
        DENY_RE=$(echo "$DENY" | sed -e 's/\./\\./g')

        echo Removing $DENY

        # We need a way to atomically remove the DENY line from hosts.deny...
        # This one is prone to error if we block something at the same time
        # we are unblocking...  Maybe a lock file?
        sed -e "/$DENY_RE/d" < /etc/hosts.deny > /etc/hosts.deny-

        if cmp -s /etc/hosts.deny /etc/hosts.deny- ; then
                rm /etc/hosts.deny-
        else
                mv /etc/hosts.deny- /etc/hosts.deny
        fi
fi

DATE=`date '+%s - %m/%d/%Y %T'`

# Record the unblock in the same history file PortSentry writes its
# "Blocked" entries to, so a later expiration pass can tell the two apart.
echo "$DATE Host: $ADDRESS/$ADDRESS Unblocked" >> /usr/local/psionic/portsentry/portsentry.history



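The cron-driven expiration Mike describes above, as an added example that is not part of the original post or of PortSentry itself. It assumes the history line formats implied by the thread (PortSentry's "... Host: <name>/<addr> Port: <n> TCP Blocked" entries and the "... Host: <addr>/<addr> Unblocked" entries the attached unblock script appends), the 48-hour window discussed earlier, and the /usr/local/psionic/portsentry paths from the attachment; the sample history lines are constructed, not real data.

```shell
#!/bin/sh -
# portsentry.expire: run from cron to lift PortSentry blocks that are older
# than EXPIRE seconds (48 hours by default) by handing each address to the
# portsentry.unblock script.
#
# Assumed history line formats (the "Blocked" form is what PortSentry writes,
# the "Unblocked" form is what portsentry.unblock appends):
#   <epoch> - <mm/dd/yyyy> <hh:mm:ss> Host: <name>/<addr> Port: <n> TCP Blocked
#   <epoch> - <mm/dd/yyyy> <hh:mm:ss> Host: <addr>/<addr> Unblocked

HISTORY=${HISTORY:-/usr/local/psionic/portsentry/portsentry.history}
UNBLOCK=${UNBLOCK:-/usr/local/psionic/portsentry/portsentry.unblock}
EXPIRE=${EXPIRE:-172800}        # 48 hours, in seconds

# expired_hosts NOW EXPIRE   (history file on stdin)
# Prints, one per line, every address whose most recent "Blocked" entry is
# at least EXPIRE seconds older than NOW and has not since been "Unblocked".
# Because the unblock script appends an "Unblocked" record, an address is
# never handed back twice and no "last run" state file is needed.
expired_hosts() {
        awk -v now="$1" -v expire="$2" '
                $1 !~ /^[0-9][0-9]*$/ { next }      # skip lines without an epoch
                {
                        addr = ""
                        for (i = 1; i <= NF; i++)
                                if ($i == "Host:") { split($(i + 1), h, "/"); addr = h[2] }
                        if (addr == "") next
                        if ($NF == "Blocked")   blocked[addr] = $1
                        if ($NF == "Unblocked") delete blocked[addr]
                }
                END {
                        for (a in blocked)
                                if (now - blocked[a] >= expire) print a
                }' | sort
}

# expire_blocks: the cron entry point; unblocks everything that has expired.
expire_blocks() {
        expired_hosts `date +%s` "$EXPIRE" < "$HISTORY" | while read addr ; do
                "$UNBLOCK" "$addr"
        done
}

# Constructed sample history (not real data) exercising each case: an old
# block (expired), a block already lifted, a fresh block, and a host that was
# re-blocked after an earlier unblock.
sample_history() {
        cat <<'EOF'
980100000 - 01/21/2001 18:00:00 Host: 10.0.0.5/10.0.0.5 Port: 111 TCP Blocked
980110000 - 01/21/2001 20:46:40 Host: 10.0.0.6/10.0.0.6 Port: 515 TCP Blocked
980120000 - 01/21/2001 23:33:20 Host: 10.0.0.8/10.0.0.8 Port: 111 TCP Blocked
980130000 - 01/22/2001 02:20:00 Host: 10.0.0.8/10.0.0.8 Unblocked
980140000 - 01/22/2001 05:06:40 Host: 10.0.0.8/10.0.0.8 Port: 111 TCP Blocked
980150000 - 01/22/2001 07:53:20 Host: 10.0.0.6/10.0.0.6 Unblocked
980350000 - 01/24/2001 15:26:40 Host: 10.0.0.7/10.0.0.7 Port: 21 TCP Blocked
EOF
}

case "$1" in
        run)  expire_blocks ;;
        list) expired_hosts `date +%s` "$EXPIRE" < "$HISTORY" ;;
        demo) sample_history | expired_hosts 980400000 "$EXPIRE" ;;   # prints 10.0.0.5 and 10.0.0.8
esac
```

Installed as /usr/local/psionic/portsentry/portsentry.expire, an hourly crontab line such as `0 * * * * /usr/local/psionic/portsentry/portsentry.expire run` lifts each block about 48 hours after it was placed; `portsentry.expire list` shows what the next run would unblock without touching anything. Driving expiry purely from the history file, rather than from a "time of last run" marker, means a missed or double-scheduled cron run does no harm, and an address that keeps reappearing after expiration stands out as repeated "Blocked" lines in the same file, which is exactly the case the earlier message suggests notifying someone about.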
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list