Security using ipf to block IP's run in cron - SCO


Thread: Security using ipf to block IP's run in cron

  1. Security using ipf to block IP's run in cron

    Hello,

    I just finished a program that I run in cron every 15 minutes to add block
    rules to IPF for attacks in syslog. You use this at your own risk. It is
    licensed under the GPL.

    ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips

    Please send any feedback or changes to me.

    Thanks,

    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  2. Re: Security using ipf to block IP's run in cron



    On Mon, 5 May 2008, Boyd Lynn Gerber wrote:

    > Hello,
    >
    > I just finished a program that I run in cron every 15 minutes to add block
    > rules to IPF for attacks in syslog. You use this at your own risk. It is
    > licensed under the GPL.
    >
    > ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
    >
    > Please send any feedback or changes to me.


    Wouldn't it have been easier to modify Fail2Ban?


  3. Re: Security using ipf to block IP's run in cron

    On Mon, 5 May 2008, Joe Dunning wrote:
    > On Mon, 5 May 2008, Boyd Lynn Gerber wrote:
    > > I just finished a program that I run in cron every 15 minutes to add block
    > > rules to IPF for attacks in syslog. You use this at your own risk. It is
    > > licensed under the GPL.
    > >
    > > ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
    > >
    > > Please send any feedback or changes to me.

    >
    > Wouldn't it have been easier to modify Fail2Ban?


    It may have been. I do use it on other Linux OS's. I seem to remember it
    was strictly iptables based, but then I was not really thinking clearly.
    All I know is I wanted something fast to do the job. So I did it. I
    probably should have looked at it again. Oh well, this is done now and
    doing what I need.

    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  4. Re: Security using ipf to block IP's run in cron

    Also the reliance on python. I needed something that was shell based. I
    do see that with the latest version of fail2ban they have gone back
    to python 2.3. It was limited to python 2.4.

    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  5. Re: Security using ipf to block IP's run in cron

    Boyd Lynn Gerber typed (on Mon, May 05, 2008 at 06:09:41PM -0600):
    | Hello,
    |
    | I just finished a program that I run in cron every 15 minutes to add block
    | rules to IPF for attacks in syslog. You use this at your own risk. It is
    | licensed under the GPL.
    |
    | ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
    |
    | Please send any feedback or changes to me.

    Shouldn't you be able to consolidate several of those awk scans of the
    syslog into one run of awk?


    I make every effort here to unclutter the syslog file; I think it
    affords far easier parsing by scripts, let alone by human eyes, to
    effect logging into diverse files. To that end, my /etc/syslog.conf
    file contains:


    # @(#) syslog.conf on jpradley.jpr.com
    #
    # *.debug;*.info /var/adm/syslog
    # above is sole line originally shipped in this file from SCO.

    *.info;daemon,local0,local3,local4,local5,local6,local7,mail,news.none\
    /var/adm/syslog
    daemon.err /var/adm/syslog

    ## SCO's mqueue compiled to use Facility = mail
    ## SCO's popper compiled to use Facility = local0
    mail,local0.notice /var/adm/maillog

    ## cpqasm facility=local1 in /etc/cevtdl.conf
    local1.info /var/adm/cpqasm.log

    ## tcp-wrappers I compiled it to use Facility=local3
    local3.notice /var/adm/tcplog

    ## HylaFax Facility=local5 in /usr/local/spool/hylafax/etc/config
    local5.* /var/adm/hylafaxlog

    ## sshd SyslogFacility=local6 in /etc/ssh/sshd_config
    local6.* /var/adm/sshdlog

    ... and more pertaining to my Usenet news feed.

    --
    JP

  6. Re: Security using ipf to block IP's run in cron

    On Sat, 10 May 2008, Jean-Pierre Radley wrote:
    > Boyd Lynn Gerber typed (on Mon, May 05, 2008 at 06:09:41PM -0600):
    > | I just finished a program that I run in cron every 15 minutes to add block
    > | rules to IPF for attacks in syslog. You use this at your own risk. It is
    > | licensed under the GPL.
    > |
    > | ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
    > |
    > | Please send any feedback or changes to me.
    >
    > Shouldn't you be able to consolidate several of those awk scans of the
    > syslog into one run of awk?


    Probably, but I do not remember how to do multiple searches in one set of
    awk commands.

    > I make every effort here to unclutter the syslog file; I think it
    > affords far easier parsing by scripts, let alone by human eyes, to
    > effect logging into diverse files. To that end, my /etc/syslog.conf
    > file contains:


    I usually do the same below, but I wanted to get all failures for IPs
    without having to search multiple files. The script gets all failures and
    attempts to break in on my systems. I would have to run the same
    search on multiple files if I split them up. I had the below before all
    the attacks on my system. It was a lot easier to have the script just
    scan one file every 10-15 minutes to do the blocks. Not as good as the 60
    second iptables rules but it has been working well.

    > # @(#) syslog.conf on jpradley.jpr.com
    > #
    > # *.debug;*.info /var/adm/syslog
    > # above is sole line originally shipped in this file from SCO.
    >
    > *.info;daemon,local0,local3,local4,local5,local6,local7,mail,news.none\
    > /var/adm/syslog
    > daemon.err /var/adm/syslog
    >
    > ## SCO's mqueue compiled to use Facility = mail
    > ## SCO's popper compiled to use Facility = local0
    > mail,local0.notice /var/adm/maillog
    >
    > ## cpqasm facility=local1 in /etc/cevtdl.conf
    > local1.info /var/adm/cpqasm.log
    >
    > ## tcp-wrappers I compiled it to use Facility=local3
    > local3.notice /var/adm/tcplog
    >
    > ## HylaFax Facility=local5 in /usr/local/spool/hylafax/etc/config
    > local5.* /var/adm/hylafaxlog
    >
    > ## sshd SyslogFacility=local6 in /etc/ssh/sshd_config
    > local6.* /var/adm/sshdlog
    >
    > ... and more pertaining to my Usenet news feed.


    Thanks for the feedback.


    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  7. Re: Security using ipf to block IP's run in cron

    Boyd Lynn Gerber typed (on Sat, May 10, 2008 at 04:09:10PM -0600):
    | On Sat, 10 May 2008, Jean-Pierre Radley wrote:
    | > Boyd Lynn Gerber typed (on Mon, May 05, 2008 at 06:09:41PM -0600):
    | > | I just finished a program that I run in cron every 15 minutes to add block
    | > | rules to IPF for attacks in syslog. You use this at your own risk. It is
    | > | licensed under the GPL.
    | > |
    | > | ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
    | > |
    | > | Please send any feedback or changes to me.
    | >
    | > Shouldn't you be able to consolidate several of those awk scans of the
    | > syslog into one run of awk?
    |
    | Probably, but I do not remember how to do multiple searches in one set of
    | awk commands.

    Instead of

    for ips in `awk '/Invalid/{print $13}' /usr/adm/syslog |sort|uniq -d`;
    do
    echo "block in quick from $ips to any group 20000" | ipf -f -
    done

    for ips in `awk '/failed login/{ print $12}' /usr/adm/syslog |sort|uniq -d`;
    do
    echo "block in quick from $ips to any group 20000" | ipf -f -
    done

    you should be able to do

    for ips in `awk '
    /Invalid/ {print $13}
    /failed login/ {print $12}
    ' /usr/adm/syslog |sort|uniq -d`;
    do
    echo "block in quick from $ips to any group 20000" | ipf -f -
    done

    After all, you were driven to write this procedure because you were
    logging tons of bad news, and calling awk+sort+uniq+echo to analyze your
    pretty large syslog file several times is just a greater burden on your
    CPU.


    | > I make every effort here to unclutter the syslog file; I think it
    | > affords far easier parsing by scripts, let alone by human eyes, to
    | > effect logging into diverse files. To that end, my /etc/syslog.conf
    | > file contains:
    |
    | I usually do the same below, but I wanted to get all failures for IPs
    | without having to search multiple files. The script gets all failures and
    | attempts to break in on my systems. I would have to run the same
    | search on multiple files if I split them up.

    Not at all. All I was suggesting is that sshd would write nothing to
    the syslog file at all, and everything to /var/adm/syslogd. Awk would
    scan one file as you do now, but not syslog, just one that would contain
    only sshd messages.

    --
    JP
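One way to do the single-pass consolidation JP describes, as an added example that is not from the thread or from Boyd's script: both patterns are matched in one awk run, the address is pulled from the text after "from" by regex rather than by a fixed field number (an assumption about the record layout, but one that generalises across both message types), hits are counted per IP, and a rule is emitted for every IP seen at least twice, mirroring the `uniq -d` in the original. The sample log lines are constructed, and the rules are printed rather than piped to `ipf -f -` so the script can be run anywhere.

```shell
#!/bin/sh
# Constructed sample syslog records (not from the thread); the last line is a
# successful login and must never produce a block rule.
sample_log() {
    cat <<'EOF'
May 10 12:00:01 host sshd[101]: Invalid user admin from 192.0.2.10
May 10 12:00:05 host sshd[102]: Invalid user oracle from 192.0.2.10
May 10 12:00:09 host sshd[103]: failed login for root from 198.51.100.7
May 10 12:00:12 host sshd[104]: failed login for root from 198.51.100.7
May 10 12:00:20 host sshd[105]: Invalid user test from 203.0.113.5
May 10 12:00:25 host sshd[106]: Accepted publickey for boyd from 203.0.113.99
EOF
}

# block_rules MIN_HITS: read syslog records on stdin, make ONE awk pass that
# handles both failure patterns, and print an ipf rule for every source IP
# with at least MIN_HITS failures (MIN_HITS=2 behaves like "sort | uniq -d").
block_rules() {
    awk -v min="$1" '
        /Invalid user|failed login/ {
            # Assumed layout: the offending address follows the word "from".
            if (match($0, /from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr($0, RSTART + 5, RLENGTH - 5)   # skip "from "
                hits[ip]++
            }
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    print "block in quick from " ip " to any group 20000"
        }' | sort
}

# Stand-alone run: prints two rules (192.0.2.10 and 198.51.100.7).
sample_log | block_rules 2
```

On the real box the last line becomes `awk ... /usr/adm/syslog | block_rules 2 | ipf -f -`; raising MIN_HITS trades a slower block for fewer false positives from a single mistyped password.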

  8. Re: Security using ipf to block IP's run in cron

    On Sat, 10 May 2008, Jean-Pierre Radley wrote:
    > Boyd Lynn Gerber typed (on Sat, May 10, 2008 at 04:09:10PM -0600):
    > | On Sat, 10 May 2008, Jean-Pierre Radley wrote:
    > | > Boyd Lynn Gerber typed (on Mon, May 05, 2008 at 06:09:41PM -0600):
    > | > | ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
    > | >
    > | > Shouldn't you be able to consolidate several of those awk scans of the
    > | > syslog into one run of awk?
    > |
    > | Probably, but I do not remember how to do multiple searches in one set of
    > | awk commands.
    >
    > Instead of
    >
    > for ips in `awk '/Invalid/{print $13}' /usr/adm/syslog |sort|uniq -d`;
    > do
    > echo "block in quick from $ips to any group 20000" | ipf -f -
    > done
    >
    > for ips in `awk '/failed login/{ print $12}' /usr/adm/syslog |sort|uniq -d`;
    > do
    > echo "block in quick from $ips to any group 20000" | ipf -f -
    > done
    >
    > you should be able to do
    >
    > for ips in `awk '
    > /Invalid/ {print $13}
    > /failed login/ {print $12}
    > ' /usr/adm/syslog |sort|uniq -d`;
    > do
    > echo "block in quick from $ips to any group 20000" | ipf -f -
    > done
    >
    > After all, you were driven to write this procedure because you were
    > logging tons of bad news, and calling awk+sort+uniq+echo to analyze your
    > pretty large syslog file several times is just a greater burden on your
    > CPU.


    I forgot you could do the above. I will make the changes and try it out.
    I am sure this will help. I do notice that toward the end of the day it
    does take the script 3-5 seconds to run. And the last one of the day once
    the syslog is rotated it can take 20 seconds.

    > | > I make every effort here to unclutter the syslog file; I think it
    > | > affords far easier parsing by scripts, let alone by human eyes, to
    > | > effect logging into diverse files. To that end, my /etc/syslog.conf
    > | > file contains:
    > |
    > | I usually do the same below, but I wanted to get all failures for IPs
    > | without having to search multiple files. The script gets all failures and
    > | attempts to break in on my systems. I would have to run the same
    > | search on multiple files if I split them up.
    >
    > Not at all. All I was suggesting is that sshd would write nothing to
    > the syslog file at all, and everything to /var/adm/syslogd. Awk would
    > scan one file as you do now, but not syslog, just one that would contain
    > only sshd messages.


    My sshd is writing to syslog. I did a fresh install of OSR 5.0.7, OSR6,
    and UnixWare 7.1.4 and noticed in the default install everything was in
    syslog. All my other systems have them all in separate files, so seeing
    that happening, I wrote the script for a default install, and modified my
    other systems back. I definitely prefer the many different files but for
    now till this drops more I will leave it. Now they seem to only be doing
    1/4 - 1/3 of my systems. My Linux and BSD systems only get hit 1-3 times
    per week, whereas the SCO OS's are hit daily. They are also only doing
    about 1/2 my bandwidth now. So things are getting better. Thanks again
    for the suggestions. I will make the changes.

    Thanks,

    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047

  9. Re: Security using ipf to block IP's run in cron

    I have made the changes. Do you think it would be better to move the rules
    that work on all systems to the individual OS ones and combine them
    further? Basically I have 3 sets, two with uniq: one uniq -d and one uniq
    -c. The other I do not use uniq at all. Latest version is at

    ftp://ftp.zenez.com:/pub/zenez/prgms...-ipf-block-ips

    Thanks,

    --
    Boyd Gerber
    ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
