LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 07-24-2008, 04:24 PM   #1
CarLost
Member
 
Registered: Jun 2004
Location: Sentado en mi trasero en Chile
Distribution: ArchLinux
Posts: 45

Rep: Reputation: 16
Mod recent blocked related question (netfilter). WHO IS BLOCKED


I got a question to those who are using mod recent to block dynamically some IPs

I'm used it to block SMTP traffic (tcp:25) but I need a way to know who is bloqued, since mod recent put every single IP and block only the one who match a criteria.

Very thanks.!!!

PD: Sorry 4 bad English, I think I'm improving on that!
 
Old 07-24-2008, 05:48 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
You could probably start by looking in the /proc/net/ipt_recent directory.
 
Old 07-24-2008, 06:37 PM   #3
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,094
Blog Entries: 2

Rep: Reputation: 111Reputation: 111
Instead of having recent do the drop directly instead send it to another section where it does a log then drop.

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG_THEN_DROP

iptables -A LOG_THEN_DROP -j LOG --log-level 7 --log-prefix "recent drop:"
iptables -A LOG_THEN_DROP -j DROP
 
Old 07-25-2008, 02:28 PM   #4
CarLost
Member
 
Registered: Jun 2004
Location: Sentado en mi trasero en Chile
Distribution: ArchLinux
Posts: 45

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by estabroo View Post
Instead of having recent do the drop directly instead send it to another section where it does a log then drop.

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j LOG_THEN_DROP

iptables -A LOG_THEN_DROP -j LOG --log-level 7 --log-prefix "recent drop:"
iptables -A LOG_THEN_DROP -j DROP
Thanks I actually log on that way, but also I log a thousands of other (new)connections (audit) ... I mean, I have daily log of 2 or 3 GB so, I want to get the instant information about who ones are blocked at this moment.-

I'll put that I have right now!

Code:
iptables -A FORWARD  -p tcp --syn --dport 25 -m state --state NEW,INVALID -m recent --name MadMail --set
iptables -A FORWARD  -p tcp --syn --dport 25 -m state --state NEW,INVALID -m recent --seconds 20 --hitcount 5 --name MadMail --rcheck -j LOG --log-prefix "Blocked Mail--> "
iptables -A FORWARD  -p tcp --syn --dport 25 -m state --state NEW,INVALID -m recent --seconds 20 --hitcount 5 --name MadMail --update -j REJECT
Has I say before (but edited, who know why) Mod Recent put every single IP on the file "/proc/net/ipt_recent/MadMail" and upgrade only the "last seen" by some "machine_time" (or tic time) so, it is very hard to find who is blocked on a "right_now" query...

Any ideas? this may help to someone else to.

My log file is a really big file (take about half hour to compress every day) may you can provide a way to get the last 20 seconds and take off the blocked IPs of this file (grep, awk, sed etc. I know in some way how to work with this, but the last n seconds go far from my aknlge.)

Again thanks.
 
Old 07-26-2008, 06:40 PM   #5
estabroo
Senior Member
 
Registered: Jun 2008
Distribution: debian, ubuntu, sidux
Posts: 1,094
Blog Entries: 2

Rep: Reputation: 111Reputation: 111
You could use tail to get the last n lines of the log that would give you a good estimate of who was blocked recently.
 
Old 07-28-2008, 08:28 AM   #6
CarLost
Member
 
Registered: Jun 2004
Location: Sentado en mi trasero en Chile
Distribution: ArchLinux
Posts: 45

Original Poster
Rep: Reputation: 16
Yes thanks, I think this may be the only way for now..


Thanks

C.
 
Old 07-29-2008, 03:53 PM   #7
CarLost
Member
 
Registered: Jun 2004
Location: Sentado en mi trasero en Chile
Distribution: ArchLinux
Posts: 45

Original Poster
Rep: Reputation: 16
Hi, again

I made a little script to display the last blocked IPs from the iptables.log file

to anyone who want it!
Code:
#!/bin/bash
# Revisar correos bloqueados

FBl='/tmp/BlMail.txt'
tmpFile='/tmp/bltemp.txt'
echo -e "Primer Intento | Ultimo Intento | IP Origen | Intentos" > $FBl
tail -10000 /var/log/iptables.log | grep Mail | awk '{print $3 " " $8}' > $tmpFile
echo Trabajando espere 1/2 min......
for IP_n in `cat $tmpFile | awk '{print $2}' | sed s/SRC=//g`; do
        if ! `grep $IP_n $FBl > /dev/null`  ; then
          count=`grep -c $IP_n $tmpFile`
          first=`grep $IP_n $tmpFile | head -1 | awk '{print $1}'`
          last=`grep $IP_n $tmpFile | tail -1 | awk '{print $1}'`
          echo -e $first'\t'$last'\t'$IP_n'        \t'$count >> $FBl
        fi
done
cat $FBl
read
Bye
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
always blocked ... melainine Linux - Security 2 02-11-2008 11:02 PM
Blocked ports question proxy ? jlim0930 Linux - Networking 2 03-09-2007 03:09 PM
Making sure nothing is blocked Yig Linux - Security 3 12-15-2006 12:27 AM
Netfilter recent patch problem ~=gr3p=~ Linux - Security 2 07-16-2006 08:32 AM
Blocked bhughesiii Linux - Networking 9 05-12-2005 01:44 PM


All times are GMT -5. The time now is 11:23 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration