Old 05-11-2008, 08:40 PM
Boyd Lynn Gerber
 
Re: Security using ipf to block IP's run in cron

On Sat, 10 May 2008, Jean-Pierre Radley wrote:
> Boyd Lynn Gerber typed (on Sat, May 10, 2008 at 04:09:10PM -0600):
> | On Sat, 10 May 2008, Jean-Pierre Radley wrote:
> | > Boyd Lynn Gerber typed (on Mon, May 05, 2008 at 06:09:41PM -0600):
> | > | ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
> | >
> | > Shouldn't you be able to consolidate several of those awk scans of the
> | > syslog into one run of awk?
> |
> | Probably, but I do not remember how to do multiple searches in one set of
> | awk commands.
>
> Instead of
>
> for ips in `awk '/Invalid/{print $13}' /usr/adm/syslog |sort|uniq -d`;
> do
> echo "block in quick from $ips to any group 20000" | ipf -f -
> done
>
> for ips in `awk '/failed login/{ print $12}' /usr/adm/syslog |sort|uniq -d`;
> do
> echo "block in quick from $ips to any group 20000" | ipf -f -
> done
>
> you should be able to do
>
> for ips in `awk '
> /Invalid/ {print $13}
> /failed login/ {print $12}
> ' /usr/adm/syslog |sort|uniq -d`;
> do
> echo "block in quick from $ips to any group 20000" | ipf -f -
> done
>
> After all, you were driven to write this procedure because you were
> logging tons of bad news, and calling awk+sort+uniq+echo to analyze your
> pretty large syslog file several times is just a greater burden on your
> CPU.


I forgot you could do the above. I will make the changes and try it out.
I am sure this will help. I do notice that toward the end of the day it
does take the script 3-5 seconds to run. And the last one of the day, once
the syslog is rotated, it can take 20 seconds.

> | > I make every effort here to unclutter the syslog file; I think it
> | > affords far easier parsing by scripts, let alone by human eyes, to
> | > effect logging into diverse files. To that end, my /etc/syslog.conf
> | > file contains:
> |
> | I usually do the same below, but I wanted to get all failures for IPs
> | without having to search multiple files. The script gets all failures and
> | attempts to break in on my systems. I would have to run the same
> | search on multiple files if I split them up.
>
> Not at all. All I was suggesting is that sshd would write nothing to
> the syslog file at all, and everything to /var/adm/syslogd. Awk would
> scan one file as you do now, but not syslog, just one that would contain
> only sshd messages.


My sshd is writing to syslog. I did a fresh install of OSR 5.0.7, OSR6,
and UnixWare 7.1.4 and noticed in the default install everything was in
syslog. All my other systems have them all in separate files, so seeing
that happening, I wrote the script for a default install, and modified my
other systems back. I definitely prefer the many different files, but for
now, till this drops more, I will leave it. Now they seem to only be doing
1/4 - 1/3 of my systems. My Linux and BSD systems only get hit 1-3 times
per week, whereas the SCO OSes are hit daily. They are also only doing
about 1/2 my bandwidth now. So things are getting better. Thanks again
for the suggestions. I will make the changes.

Thanks,

--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
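As an added example, not code from the thread or from the script at the zenez.com URL: a POSIX sh version of the consolidated scan Jean-Pierre suggested, extended in three ways a practitioner would want. It keeps the single awk pass, but pulls the address out of the "from <ip>" token instead of relying on a fixed field number ($12 or $13), so a longer user name or a different daemon's wording does not shift the column; it replaces `uniq -d` with an explicit hit threshold; and it keeps a state file of IPs already emitted, so a cron job re-reading the same syslog does not hand `ipf -f -` the same rule again. The sample log lines, the "failed login attempt" wording, the host name and the state file are all constructed for this example; the rule group 20000 is the one used in the thread. The dry run prints the rules rather than piping them into ipf, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post: one awk pass over syslog,
# a hit threshold instead of "uniq -d", and a state file so each IP is fed to
# ipf only once. Message wording and log lines below are constructed.

# Constructed sample syslog excerpt (RFC 5737 test addresses, not real data).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
May 10 16:01:02 zen sshd[1234]: Invalid user admin from 198.51.100.7
May 10 16:01:05 zen sshd[1235]: Invalid user oracle from 198.51.100.7
May 10 16:02:10 zen sshd[1240]: Invalid user test from 203.0.113.9
May 10 16:03:11 zen login[2001]: failed login attempt for root from 192.0.2.44
May 10 16:03:15 zen login[2002]: failed login attempt for root from 192.0.2.44
May 10 16:04:00 zen sshd[1250]: Accepted publickey for boyd from 203.0.113.9 port 51000 ssh2
EOF

# offenders LOGFILE THRESHOLD
# One awk pass matches every failure pattern; the address is taken from the
# "from <ip>" token rather than a fixed field number ($12/$13 in the thread),
# so a longer user name or a different daemon does not shift the column.
# Prints, sorted, each IP seen at least THRESHOLD times.
offenders() {
    awk -v min="$2" '
        /Invalid user/ || /failed login/ {
            if (match($0, /from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr($0, RSTART + 5, RLENGTH - 5)   # skip "from "
                hits[ip]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' "$1" | sort
}

# block_rules LOGFILE THRESHOLD STATEFILE
# Emits one ipf rule per new offender and records the IP in STATEFILE, so a
# cron job re-reading the same syslog does not hand ipf the same rule again.
# Group 20000 is the rule group used in the thread; STATEFILE is this
# example's own addition.
block_rules() {
    touch "$3"
    offenders "$1" "$2" | while read -r ip; do
        if ! grep -qxF "$ip" "$3"; then
            echo "block in quick from $ip to any group 20000"
            echo "$ip" >>"$3"
        fi
    done
}

# Dry run: print the rules. From cron, pipe them into the firewall instead:
#   block_rules /usr/adm/syslog 2 /var/adm/ipf-blocked | ipf -f -
STATE=$(mktemp)
block_rules "$SAMPLE_LOG" 2 "$STATE"
```

With a threshold of 2, 203.0.113.9 is not blocked: it appears once as an "Invalid user" and once as a successful login, and only failure lines are counted. Running `block_rules` a second time against the same log and state file prints nothing, which is the point of the state file when the job runs every few minutes against a syslog that is only rotated daily.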