03-08-2006, 11:08 AM
#1
Member
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112
block an IP based on certain activities...
I always see this when I check the error_log
Code:
[Wed Mar 08 11:11:42 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/mambo
[Wed Mar 08 11:11:43 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/cvs
[Wed Mar 08 11:11:44 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/articles
[Wed Mar 08 11:11:46 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/cvs
[client 69.50.241.226] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Mar 08 11:11:49 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/blog
[Wed Mar 08 11:11:50 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/blog
[Wed Mar 08 11:11:52 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/blogs
[Wed Mar 08 11:11:53 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/drupal
[Wed Mar 08 11:11:57 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/phpgroupware
[Wed Mar 08 11:11:58 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/wordpress
[client 69.50.241.226] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Mar 08 11:12:01 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/xmlrpc
[Wed Mar 08 11:12:02 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/xmlsrv
This is not the first time...others did the same....so I'm wondering if there is a way to block an IP if he issued certain commands?? I can add this IP to my blocking list...but I want it to be done automatically...is this possible??
03-08-2006, 12:15 PM
#2
Member
Registered: Jun 2004
Location: MD USA
Distribution: Kubuntu 18.04.3, Mint 18.3 KDE
Posts: 90
If you are running iptables you can add to it a directive to drop all packets from this ip address. Google is your friend.
03-08-2006, 02:55 PM
#3
Member
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112
Original Poster
Quote:
Originally Posted by jamuz
If you are running iptables you can add to it a directive to drop all packets from this ip address. Google is your friend.
Yes...this is what I've been doing...what I'm looking for is a way for this to be done by the system automatically...
03-08-2006, 03:42 PM
#4
Member
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252
03-08-2006, 04:05 PM
#5
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
I've been using sshblack to block similar sorts of nonsense based on my Apache error_log. You just have to have it look at the proper log file and tell it which text strings to watch for. Works great.
03-08-2006, 05:04 PM
#6
Member
Registered: May 2003
Location: S.F. Bay Area
Distribution: Ubuntu 9.04 AMD64
Posts: 595
Quote:
Originally Posted by Hangdog42
I've been using sshblack to block similar sorts of nonsense based on my Apache error_log. You just have to have it look at the proper log file and tell it which text strings to watch for. Works great.
Sweet! Thanks!
Peace...
03-08-2006, 06:53 PM
#7
Member
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112
Original Poster
jonlake and Hangdog42:
many thanks.....I'll check the links this weekend.....I appreciate the suggestions.....
03-08-2006, 09:44 PM
#8
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
Thing that scares me with utils like that is the possibility an attacker will spoof one of your own IPs. I imagine having the web server block the IP of, say, your database server would be a bad thing. A little proggy like that makes it all too easy.
03-09-2006, 07:56 AM
#9
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
I agree that is a possibility, but it strikes me as an extremely remote possibility. The vast majority of the junk I see in my Apache and ssh logs is likely to be either zombies automatically looking for new machines to infect or dipstick script kiddies with no clue on how to spoof an IP address. I've never seen anyone attempt to use this against me, and even if they did, recovery would simply involve dropping a rule from iptables.
03-09-2006, 08:26 AM
#10
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Quote:
Originally Posted by Crito
Thing that scares me with utils like that is possibility attacker will spoof one of your own IPs. I imagine having the web server block the IP of, say, your database server would be a bad thing. Little proggy like that makes it all too easy.
I think nowadays with the Linux kernel it's not so easy to blind spoof. I guess this tool reacts on the data part (*). So if it is HTTP/SSH/.. any TCP based protocol, he will need to do the 3-way handshake, and spoofing this is not that easy for the average joe.
If it is to block UDP then it's a bad idea, it can turn against yourself.
(*)
If the tool blocks on an excessive amount of SYN (for example), which is only the first phase of the 3-way handshake (that is by definition "trivial" to spoof), then you are in trouble.
edit:
Anyway, your firewall SHOULD block incoming connections that have source ip=internal machine (database server). For this kind of architecture (database/webserver) there are a lot more things to do, like a DMZ, a reverse proxy, 2 firewalls.
Last edited by nx5000; 03-09-2006 at 08:34 AM.
03-09-2006, 12:11 PM
#11
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by nx5000
your firewall SHOULD block incoming connections that have source ip=internal machine
yeah, on Linux you can enable this kinda anti-spoofing with a:
Code:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
Last edited by win32sux; 03-09-2006 at 12:34 PM.
03-14-2006, 11:25 PM
#12
Member
Registered: Nov 2005
Distribution: Fedora 4
Posts: 40
Quote:
Originally Posted by Crito
Thing that scares me with utils like that is possibility attacker will spoof one of your own IPs. I imagine having the web server block the IP of, say, your database server would be a bad thing. Little proggy like that makes it all too easy.
Is it possible to configure these programs to never block certain IP addresses (such as your administrative IP address)?
03-15-2006, 07:58 AM
#13
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Actually yes. SSHblack has a whitelist function and you simply add IP addresses that you never want blocked to that list. I completely spaced about this function in my earlier posts, but it does prevent someone from pulling the stunt Crito pointed out.
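The thread never shows what a log-driven blocker like the one discussed actually does, so here is an added example (my own, not from the thread and not sshblack's code) that parses the error_log lines quoted in the first post, counts probe-path misses per client IP, applies the whitelist idea from this post so a spoofed probe cannot get the database server cut off, and builds the iptables DROP rules rather than running them. PROBE_NAMES, the threshold of 3 and the 10.0.0.5 address are assumptions.

```python
import re
from collections import Counter

# Matches the Apache error_log lines quoted in the first post; the bare
# "[client ...] script ... not found" lines carry no timestamp.
LINE_RE = re.compile(
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"(?:File does not exist: |script ')(?P<path>/[^' ]*)"
)

# Last path components that web-app probes ask for; assumption drawn
# from the thread's log excerpt, extend to taste.
PROBE_NAMES = {"mambo", "cvs", "articles", "xmlrpc", "xmlrpc.php", "blog",
               "blogs", "drupal", "wordpress", "phpgroupware", "xmlsrv"}

def probe_hits(lines):
    """Count, per client IP, how many misses hit a known probe path."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("path").rstrip("/").rsplit("/", 1)[-1] in PROBE_NAMES:
            hits[m.group("ip")] += 1
    return hits

def ips_to_block(lines, threshold=3, whitelist=frozenset()):
    """IPs at or over the threshold, minus whitelisted ones (admin box, DB server)."""
    return sorted(ip for ip, n in probe_hits(lines).items()
                  if n >= threshold and ip not in whitelist)

def iptables_rules(ips):
    """Build (not run) the DROP rules an operator would then apply."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

# Constructed sample: four lines from the thread's excerpt plus constructed
# traffic from 10.0.0.5 (stands in for the DB server) and a harmless 404.
SAMPLE = """\
[Wed Mar 08 11:11:42 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/mambo
[Wed Mar 08 11:11:43 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/cvs
[client 69.50.241.226] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Wed Mar 08 11:11:53 2006] [error] [client 69.50.241.226] File does not exist: /var/www/html/drupal
[Wed Mar 08 11:12:00 2006] [error] [client 10.0.0.5] File does not exist: /var/www/html/wordpress
[Wed Mar 08 11:12:01 2006] [error] [client 10.0.0.5] File does not exist: /var/www/html/drupal
[Wed Mar 08 11:12:02 2006] [error] [client 10.0.0.5] File does not exist: /var/www/html/blog
[Wed Mar 08 11:12:03 2006] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
""".splitlines()

if __name__ == "__main__":
    # Whitelisting the DB server keeps a spoofed probe from cutting it off.
    for rule in iptables_rules(ips_to_block(SAMPLE, whitelist={"10.0.0.5"})):
        print(rule)
```

Run with the whitelist empty and 10.0.0.5 would be blocked as well, which is exactly the failure Crito described.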
04-06-2006, 09:22 PM
#14
Senior Member
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: Custom Debian Live ISO's
Posts: 1,291
You may also try the iptables recent module and add some rules to slow down a lot of those auto scripts. After a certain amount of connection attempts the IP address is added to a list for a certain amount of time before being allowed to connect again; this is good: if they spoof a critical IP address it won't kill anything. Try some rules like:
Code:
iptables -I INPUT -p tcp -i eth0 -m multiport --dport 80,443 -m state --state NEW -m recent --name webprobe --set -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -m multiport --dport 80,443 -m state --state NEW -m recent --name webprobe --update --seconds 60 --hitcount 3 --rttl -j DROP
04-07-2006, 04:56 AM
#15
Member
Registered: Dec 2005
Distribution: CentOS 5 - Debian 5
Posts: 112
Original Poster
Thnx....I think someone in the past made a patch similar to this (reported in his blog) and we were supposed to patch the iptables first...Do you mean this module became standard now??? And if so, in which version???
Thnx for the tip, where can I have more info about this??
Last edited by piforever; 04-07-2006 at 01:04 PM.