LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-08-2006, 10:08 AM   #1
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Rep: Reputation: 15
block an IP based on certain activities...


I always see this when I check the error_log
Code:
[Wed Mar 08 11:11:42 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/mambo
[Wed Mar 08 11:11:43 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/cvs
[Wed Mar 08 11:11:44 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/articles
[Wed Mar 08 11:11:46 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/cvs
[client 69.50.241.226] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Mar 08 11:11:49 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/blog
[Wed Mar 08 11:11:50 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/blog
[Wed Mar 08 11:11:52 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/blogs
[Wed Mar 08 11:11:53 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/drupal
[Wed Mar 08 11:11:57 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/phpgroupware
[Wed Mar 08 11:11:58 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/wordpress
[client 69.50.241.226] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Mar 08 11:12:01 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/xmlrpc
[Wed Mar 08 11:12:02 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/xmlsrv
This is not the first time... others did the same... so I'm wondering if there is a way to block an IP if he issued certain commands? I can add this IP to my blocking list... but I want it to be done automatically... is this possible?
 
Old 03-08-2006, 11:15 AM   #2
jamuz
Member
 
Registered: Jun 2004
Location: MD USA
Distribution: Kubuntu 18.04.3, Mint 18.3 KDE
Posts: 90

Rep: Reputation: 15
If you are running iptables you can add to it a directive to drop all packets from this ip address. Google is your friend.
 
Old 03-08-2006, 01:55 PM   #3
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by jamuz
If you are running iptables you can add to it a directive to drop all packets from this ip address. Google is your friend.
Yes... this is what I've been doing... what I'm looking for is a way for this to be done by the system automatically...
 
Old 03-08-2006, 02:42 PM   #4
jonlake
Member
 
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252

Rep: Reputation: 31
You might want to check this out
http://freshmeat.net/projects/fwsnort/ or
http://freshmeat.net/projects/blockit/
 
Old 03-08-2006, 03:05 PM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
I've been using sshblack to block similar sorts of nonsense based on my Apache error_log. You just have to have it look at the proper log file and tell it which text strings to watch for. Works great.
 
Old 03-08-2006, 04:04 PM   #6
tomdkat
Member
 
Registered: May 2003
Location: S.F. Bay Area
Distribution: Ubuntu 9.04 AMD64
Posts: 595

Rep: Reputation: 30
Quote:
Originally Posted by Hangdog42
I've been using sshblack to block similar sorts of nonsense based on my Apache error_log. You just have to have it look at the proper log file and tell it which text strings to watch for. Works great.
Sweet! Thanks!

Peace...
 
Old 03-08-2006, 05:53 PM   #7
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
jonlake and Hangdog42:
Many thanks... I'll check the links this weekend... I appreciate the suggestions...
 
Old 03-08-2006, 08:44 PM   #8
Crito
Senior Member
 
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168

Rep: Reputation: 53
The thing that scares me with utils like that is the possibility that an attacker will spoof one of your own IPs. I imagine having the web server block the IP of, say, your database server would be a bad thing. A little proggy like that makes it all too easy.
 
Old 03-09-2006, 06:56 AM   #9
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
I agree that is a possibility, but it strikes me as an extremely remote possibility. The vast majority of the junk I see in my Apache and ssh logs is likely to be either zombies automatically looking for new machines to infect or dipstick script kiddies with no clue on how to spoof an IP address. I've never seen anyone attempt to use this against me, and even if they did, recovery would simply involve dropping a rule from iptables.
 
Old 03-09-2006, 07:26 AM   #10
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
Originally Posted by Crito
Thing that scares me with utils like that is possibility attacker will spoof one of your own IPs. I imagine having the web server block the IP of, say, your database server would be a bad thing. Little proggy like that makes it all too easy.
I think nowadays with the Linux kernel it's not so easy to blind spoof. I guess this tool reacts on the data part.(*) So if it is HTTP/SSH/.. any TCP-based protocol, he will need to do the 3-way handshake, and spoofing this is not that easy for the average Joe.
If it is to block UDP then it's a bad idea; it can turn against yourself.

(*)
If the tool blocks on an excessive amount of SYNs (for example), which is only the first phase of the 3-way handshake (that is by definition "trivial" to spoof), then you are in trouble.

edit:
Anyway, your firewall SHOULD block incoming connections that have source ip=internal machine (database server). For this kind of architecture (database/web server) there are a lot more things to do, like a DMZ, a reverse proxy, two firewalls.

Last edited by nx5000; 03-09-2006 at 07:34 AM.
 
Old 03-09-2006, 11:11 AM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by nx5000
your firewall SHOULD block incoming connections that have source ip=internal machine
Yeah, on Linux you can enable this kinda anti-spoofing with a:
Code:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

Last edited by win32sux; 03-09-2006 at 11:34 AM.
 
Old 03-14-2006, 10:25 PM   #12
krasl
Member
 
Registered: Nov 2005
Distribution: Fedora 4
Posts: 40

Rep: Reputation: 15
Quote:
Originally Posted by Crito
Thing that scares me with utils like that is possibility attacker will spoof one of your own IPs. I imagine having the web server block the IP of, say, your database server would be a bad thing. Little proggy like that makes it all too easy.
Is it possible to configure these programs to never block certain IP addresses (such as your administrative IP address?)
 
Old 03-15-2006, 06:58 AM   #13
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Actually yes. SSHblack has a whitelist function and you simply add IP addresses that you never want blocked to that list. I completely spaced about this function in my earlier posts, but it does prevent someone from pulling the stunt Crito pointed out.
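A minimal version of what sshblack is described as doing for the error_log in the first post, including the whitelist mentioned here, as an added example (my own script, not sshblack's code). The threshold, the whitelisted addresses and the sample log are constructed for the example; the output is the iptables command to run, so a cron job can review it before applying it.

```shell
#!/bin/sh
# Added example, not sshblack's code: count Apache error_log probe lines per
# client IP, skip a whitelist, and print the iptables DROP command for every
# address at or above a threshold. Threshold, whitelist and log are constructed.

THRESHOLD=5
WHITELIST="127.0.0.1 10.0.0.2"   # hypothetical admin/database addresses, never blocked

# Write a constructed sample in Apache 2.0 error_log format to the file named in $1.
make_sample_log() {
  cat > "$1" <<'EOF'
[Wed Mar 08 11:11:42 2006] [notice] Apache/2.0.52 (CentOS) configured -- resuming normal operations
[Wed Mar 08 11:11:42 2006] [error] [client 192.0.2.10] File does not exist: /var/www/html/mambo
[Wed Mar 08 11:11:43 2006] [error] [client 192.0.2.10] File does not exist: /var/www/html/cvs
[client 192.0.2.10] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Mar 08 11:11:49 2006] [error] [client 192.0.2.10] File does not exist: /var/www/html/blog
[Wed Mar 08 11:11:53 2006] [error] [client 192.0.2.10] File does not exist: /var/www/html/drupal
[Wed Mar 08 11:11:58 2006] [error] [client 192.0.2.10] File does not exist: /var/www/html/wordpress
[Wed Mar 08 11:12:05 2006] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Wed Mar 08 11:12:06 2006] [error] [client 198.51.100.7] File does not exist: /var/www/html/robots.txt
[Wed Mar 08 11:12:10 2006] [error] [client 10.0.0.2] File does not exist: /var/www/html/xmlrpc
[Wed Mar 08 11:12:11 2006] [error] [client 10.0.0.2] File does not exist: /var/www/html/xmlsrv
[Wed Mar 08 11:12:12 2006] [error] [client 10.0.0.2] File does not exist: /var/www/html/blogs
[Wed Mar 08 11:12:13 2006] [error] [client 10.0.0.2] File does not exist: /var/www/html/cvs
[Wed Mar 08 11:12:14 2006] [error] [client 10.0.0.2] File does not exist: /var/www/html/mambo
EOF
}

# Print "hits ip" per client, most hits first. Only probe lines are counted.
count_probes() {
  awk '/File does not exist|not found or unable to stat/ && match($0, /\[client [0-9.]+\]/) {
         hits[substr($0, RSTART + 8, RLENGTH - 9)]++ }
       END { for (ip in hits) print hits[ip], ip }' "$1" | sort -rn
}

# Print the IPs at or above THRESHOLD that are not on the whitelist.
offenders() {
  count_probes "$1" | while read -r hits ip; do
    [ "$hits" -ge "$THRESHOLD" ] || continue
    case " $WHITELIST " in *" $ip "*) continue ;; esac
    echo "$ip"
  done
}

# One iptables command per offender; pipe into sh (as root) to apply.
block_commands() {
  offenders "$1" | sed 's/^/iptables -I INPUT -s /; s/$/ -j DROP/'
}
```

In the sample, 10.0.0.2 exceeds the threshold but is skipped because it is whitelisted, which is exactly the case Crito raised.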
 
Old 04-06-2006, 08:22 PM   #14
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291

Rep: Reputation: 62
You may also try the iptables recent module and add some rules to slow down a lot of those auto scripts: after a certain amount of connection attempts the IP address is added to a list for a certain amount of time before being allowed to connect again. This is good because if they spoof a critical IP address it won't kill anything. Try some rules like:

Code:
iptables -I INPUT -p tcp -i eth0 -m multiport --dport 80,443 -m state --state NEW -m recent --name webprobe --set -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -m multiport --dport 80,443 -m state --state NEW -m recent --name webprobe --update --seconds 60 --hitcount 3 --rttl -j DROP
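The two rules above as a small script, added here as an example of my own (not from the thread or from any project): the rate limit lives in its own chain, and whitelisted addresses are returned before they are ever counted, which answers the spoofing worry raised earlier in the thread. Interface, ports, the 60-second/3-hit window and the whitelisted hosts are assumptions; set DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example: the iptables "recent" rate limit from the post above, built as a
# dedicated chain with a whitelist of addresses that are never counted or dropped.
# DRY_RUN=1 prints the commands instead of running them (applying needs root).
# Interface, ports, window, hit count and whitelist are assumptions for the example.

IFACE="${IFACE:-eth0}"
PORTS="${PORTS:-80,443}"
WINDOW="${WINDOW:-60}"   # --seconds
HITS="${HITS:-3}"        # --hitcount: drop a new connection once this many are already recorded within WINDOW
WHITELIST="${WHITELIST:-10.0.0.2 203.0.113.5}"   # hypothetical database server and admin host

run() {   # execute the command, or just echo it when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Order inside WEBPROBE matters: the whitelist RETURNs come first so trusted
# addresses never enter the recent list, and the --update/DROP test comes before
# --set so the existing count is checked before this packet is recorded.
apply_webprobe_rules() {
  run iptables -N WEBPROBE
  for ip in $WHITELIST; do
    run iptables -A WEBPROBE -s "$ip" -j RETURN
  done
  run iptables -A WEBPROBE -m recent --name webprobe --update --seconds "$WINDOW" --hitcount "$HITS" --rttl -j DROP
  run iptables -A WEBPROBE -m recent --name webprobe --set -j ACCEPT
  run iptables -A INPUT -i "$IFACE" -p tcp -m multiport --dports "$PORTS" -m state --state NEW -j WEBPROBE
}

# Undo everything above: detach the jump, flush and delete the chain.
remove_webprobe_rules() {
  run iptables -D INPUT -i "$IFACE" -p tcp -m multiport --dports "$PORTS" -m state --state NEW -j WEBPROBE
  run iptables -F WEBPROBE
  run iptables -X WEBPROBE
}

# Read DRY_RUN output on stdin and print the 1-based position of the first line
# matching $1, to check that rules land in the intended order before applying.
rule_position() {
  grep -n -- "$1" | head -n 1 | cut -d: -f1
}
```

Run `DRY_RUN=1 sh thisscript.sh` style checks first; a whitelisted address should appear as a RETURN rule above the DROP rule in the printed output.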
 
Old 04-07-2006, 03:56 AM   #15
piforever
Member
 
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112

Original Poster
Rep: Reputation: 15
Thanks... I think someone in the past made a patch similar to this (reported in his blog) and we were supposed to patch iptables first... Do you mean this module became standard now? And if so, in which version?

Thanks for the tip, where can I get more info about this?

Last edited by piforever; 04-07-2006 at 12:04 PM.
 