Boyd Lynn Gerber typed (on Sat, May 10, 2008 at 04:09:10PM -0600):
| On Sat, 10 May 2008, Jean-Pierre Radley wrote:
| > Boyd Lynn Gerber typed (on Mon, May 05, 2008 at 06:09:41PM -0600):
| > | I just finished a program that I run in cron every 15 minutes to add block
| > | rules to IPF for attacks in syslog. You use this at your own risk. It is
| > | licensed under the GPL.
| > |
| > |
| > | ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
| > |
| > | Please send any feedback or changes to me.
| >
| > Shouldn't you be able to consolidate several of those awk scans of the
| > syslog into one run of awk?
|
| Probably, but I do not remember how to do multiple searches in one set of
| awk commands.
Instead of

    for ips in `awk '/Invalid/{print $13}' /usr/adm/syslog |sort|uniq -d`;
    do
        echo "block in quick from $ips to any group 20000" | ipf -f -
    done
    for ips in `awk '/failed login/{ print $12}' /usr/adm/syslog |sort|uniq -d`;
    do
        echo "block in quick from $ips to any group 20000" | ipf -f -
    done

you should be able to do

    for ips in `awk '
        /Invalid/      {print $13}
        /failed login/ {print $12}
    ' /usr/adm/syslog |sort|uniq -d`;
    do
        echo "block in quick from $ips to any group 20000" | ipf -f -
    done
After all, you were driven to write this procedure because you were
logging tons of bad news, and calling awk+sort+uniq+echo to analyze your
pretty large syslog file several times is just a greater burden on your
CPU.
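As an added illustration (not the script from the thread), here is the consolidated single awk pass run over a small constructed syslog sample. The sample lines, the use of the last field as the address, and the helper names are assumptions; the rules are printed for review rather than piped into ipf.

```shell
#!/bin/sh
# Added example, not the original script: one awk pass over a syslog file
# collects the source addresses of both "Invalid" and "failed login" lines,
# and only addresses seen at least twice (uniq -d) become block rules.
# The log lines below are constructed samples using documentation addresses.

LOG=${TMPDIR:-/tmp}/syslog.sample.$$
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
May 10 16:01:02 host sshd[101]: Invalid user admin from 192.0.2.10
May 10 16:01:05 host sshd[102]: Invalid user oracle from 192.0.2.10
May 10 16:02:11 host sshd[103]: failed login for root from 198.51.100.7
May 10 16:02:14 host sshd[104]: failed login for guest from 198.51.100.7
May 10 16:03:00 host sshd[105]: Invalid user test from 203.0.113.5
May 10 16:04:30 host sshd[106]: Accepted publickey for jp from 192.0.2.99
EOF

# gen_block_rules FILE: print one IPF rule per repeat offender.
# In these constructed lines the address is the last field ($NF); the
# thread's script used $13/$12 because its syslog format differed.
gen_block_rules() {
    awk '
        /Invalid/      { print $NF }
        /failed login/ { print $NF }
    ' "$1" | sort | uniq -d |
    while read -r ips; do
        # Never let a non-address token from an odd log line become a rule.
        case $ips in
            *[!0-9.]*|'') continue ;;
        esac
        echo "block in quick from $ips to any group 20000"
    done
}

# count_block_rules FILE: how many rules the single pass would produce.
count_block_rules() {
    gen_block_rules "$1" | wc -l | tr -d ' '
}

gen_block_rules "$LOG"
# To load them into IPF as the thread does:  gen_block_rules "$LOG" | ipf -f -
```

The once-only 203.0.113.5 line is deliberately left out by uniq -d, so a single mistyped password does not earn a block rule.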
| > I make every effort here to unclutter the syslog file; I think it
| > affords far easier parsing by scripts, let alone by human eyes, to
| > effect logging into diverse files. To that end, my /etc/syslog.conf
| > file contains:
|
| I usually do the same below, but I wanted to get all failures for IPs
| without having to search multiple files. The script gets all failures and
| attempts to break in on my systems. I would have to run the same
| search on multiple files if I split them up.
Not at all. All I was suggesting is that sshd would write nothing to
the syslog file at all, and everything to /var/adm/syslogd. Awk would
scan one file as you do now, but not syslog, just one that would contain
only sshd messages.
--
JP