Hello,

I just finished a program that I run in cron every 15 minutes to add block
rules to IPF for attacks in syslog. Use this at your own risk. It is
licensed under the GPL.

ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips

Please send any feedback or changes to me.

Thanks,

--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
On Mon, 5 May 2008, Boyd Lynn Gerber wrote:
> Hello,
>
> I just finished a program that I run in cron every 15 minutes to add block
> rules to IPF for attacks in syslog. Use this at your own risk. It is
> licensed under the GPL.
>
> ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
>
> Please send any feedback or changes to me.

Wouldn't it have been easier to modify Fail2Ban?
On Mon, 5 May 2008, Joe Dunning wrote:
> On Mon, 5 May 2008, Boyd Lynn Gerber wrote:
> > I just finished a program that I run in cron every 15 minutes to add block
> > rules to IPF for attacks in syslog. Use this at your own risk. It is
> > licensed under the GPL.
> >
> > ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
> >
> > Please send any feedback or changes to me.
>
> Wouldn't it have been easier to modify Fail2Ban?

It may have been. I do use it on other Linux OS's. I seem to remember it
was strictly iptables based, but then I was not really thinking clearly.
All I know is I wanted something fast to do the job. So I did it. I
probably should have looked at it again. Oh well, this is done now and
doing what I need.

--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
Also the reliance on python. I needed something that was shell based. I do
see that with the latest version of fail2ban they have gone back to
python 2.3. It was limited to python2.4.

--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
Boyd Lynn Gerber typed (on Mon, May 05, 2008 at 06:09:41PM -0600):
| Hello,
|
| I just finished a program that I run in cron every 15 minutes to add block
| rules to IPF for attacks in syslog. Use this at your own risk. It is
| licensed under the GPL.
|
| ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
|
| Please send any feedback or changes to me.

Shouldn't you be able to consolidate several of those awk scans of the
syslog into one run of awk?

I make every effort here to unclutter the syslog file; I think it affords
far easier parsing by scripts, let alone by human eyes, to effect logging
into diverse files. To that end, my /etc/syslog.conf file contains:

# @(#) syslog.conf on jpradley.jpr.com
#
# *.debug;*.info /var/adm/syslog
# above is sole line originally shipped in this file from SCO.

*.info;daemon,local0,local3,local4,local5,local6,local7,mail,news.none\
	/var/adm/syslog
daemon.err	/var/adm/syslog

## SCO's mqueue compiled to use Facility = mail
## SCO's popper compiled to use Facility = local0
mail,local0.notice	/var/adm/maillog

## cpqasm facility=local1 in /etc/cevtdl.conf
local1.info	/var/adm/cpqasm.log

## tcp-wrappers I compiled it to use Facility=local3
local3.notice	/var/adm/tcplog

## HylaFax Facility=local5 in /usr/local/spool/hylafax/etc/config
local5.*	/var/adm/hylafaxlog

## sshd SyslogFacility=local6 in /etc/ssh/sshd_config
local6.*	/var/adm/sshdlog

... and more pertaining to my Usenet news feed.

--
JP
On Sat, 10 May 2008, Jean-Pierre Radley wrote:
> Boyd Lynn Gerber typed (on Mon, May 05, 2008 at 06:09:41PM -0600):
> | I just finished a program that I run in cron every 15 minutes to add block
> | rules to IPF for attacks in syslog. Use this at your own risk. It is
> | licensed under the GPL.
> |
> | ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
> |
> | Please send any feedback or changes to me.
>
> Shouldn't you be able to consolidate several of those awk scans of the
> syslog into one run of awk?

Probably, but I do not remember how to do multiple searches in one set of
awk commands.

> I make every effort here to unclutter the syslog file; I think it
> affords far easier parsing by scripts, let alone by human eyes, to
> effect logging into diverse files. To that end, my /etc/syslog.conf
> file contains:

I usually do the same below, but I wanted to get all failures for IPs
without having to search multiple files. The script gets all failures and
attempts to break in on my systems. I would have to run the same search
on multiple files if I split them up. I had the below before all the
attacks on my system. It was a lot easier to have the script just scan
one file every 10-15 minutes to do the blocks. Not as good as the 60
second iptables rules but it has been working well.

> # @(#) syslog.conf on jpradley.jpr.com
> #
> # *.debug;*.info /var/adm/syslog
> # above is sole line originally shipped in this file from SCO.
>
> *.info;daemon,local0,local3,local4,local5,local6,local7,mail,news.none\
> 	/var/adm/syslog
> daemon.err	/var/adm/syslog
>
> ## SCO's mqueue compiled to use Facility = mail
> ## SCO's popper compiled to use Facility = local0
> mail,local0.notice	/var/adm/maillog
>
> ## cpqasm facility=local1 in /etc/cevtdl.conf
> local1.info	/var/adm/cpqasm.log
>
> ## tcp-wrappers I compiled it to use Facility=local3
> local3.notice	/var/adm/tcplog
>
> ## HylaFax Facility=local5 in /usr/local/spool/hylafax/etc/config
> local5.*	/var/adm/hylafaxlog
>
> ## sshd SyslogFacility=local6 in /etc/ssh/sshd_config
> local6.*	/var/adm/sshdlog
>
> ... and more pertaining to my Usenet news feed.

Thanks for the feedback.

--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
Boyd Lynn Gerber typed (on Sat, May 10, 2008 at 04:09:10PM -0600):
| On Sat, 10 May 2008, Jean-Pierre Radley wrote:
| > Boyd Lynn Gerber typed (on Mon, May 05, 2008 at 06:09:41PM -0600):
| > | I just finished a program that I run in cron every 15 minutes to add block
| > | rules to IPF for attacks in syslog. Use this at your own risk. It is
| > | licensed under the GPL.
| > |
| > | ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
| > |
| > | Please send any feedback or changes to me.
| >
| > Shouldn't you be able to consolidate several of those awk scans of the
| > syslog into one run of awk?
|
| Probably, but I do not remember how to do multiple searches in one set of
| awk commands.

Instead of

for ips in `awk '/Invalid/{print $13}' /usr/adm/syslog |sort|uniq -d`;
do
	echo "block in quick from $ips to any group 20000" | ipf -f -
done

for ips in `awk '/failed login/{ print $12}' /usr/adm/syslog |sort|uniq -d`;
do
	echo "block in quick from $ips to any group 20000" | ipf -f -
done

you should be able to do

for ips in `awk '
	/Invalid/ {print $13}
	/failed login/ {print $12}
	' /usr/adm/syslog |sort|uniq -d`;
do
	echo "block in quick from $ips to any group 20000" | ipf -f -
done

After all, you were driven to write this procedure because you were
logging tons of bad news, and calling awk+sort+uniq+echo to analyze your
pretty large syslog file several times is just a greater burden on your
CPU.

| > I make every effort here to unclutter the syslog file; I think it
| > affords far easier parsing by scripts, let alone by human eyes, to
| > effect logging into diverse files. To that end, my /etc/syslog.conf
| > file contains:
|
| I usually do the same below, but I wanted to get all failures for IPs
| without having to search multiple files. The script gets all failures and
| attempts to break in on my systems. I would have to run the same
| search on multiple files if I split them up.

Not at all. All I was suggesting is that sshd would write nothing to the
syslog file at all, and everything to /var/adm/syslogd. Awk would scan
one file as you do now, but not syslog, just one that would contain only
sshd messages.

--
JP
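A worked version of the single-pass scan JP describes above, added here as an example; it is not Boyd's script nor JP's code. It goes a little beyond the thread: instead of the fixed $12/$13 field numbers it takes the token after "from" that looks like an IPv4 address, it makes the "seen at least twice" threshold of uniq -d explicit, and it skips IPs already in a blocked list so a cron run does not re-add the same rule every 15 minutes. The log lines and the blocked list are constructed samples, and the rules are printed rather than fed to ipf.

```shell
#!/bin/sh
# Added example, not the script from the thread. One awk pass pulls source
# IPs out of both sshd message forms, a threshold replaces "uniq -d", and
# already-blocked IPs are skipped so a 15-minute cron run does not re-add
# rules. Rules are printed; on an IPF host pipe emit_block_rules to `ipf -f -`.

# Instead of the fixed $12/$13 field numbers used on the list (which depend
# on the exact syslog line layout), take the token after "from" that looks
# like an IPv4 address. Both patterns are matched in the same awk run.
offending_ips() {
    awk '/Invalid user|failed login/ {
            for (i = 1; i < NF; i++)
                if ($i == "from" && $(i+1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    print $(i+1)
         }' "$1"
}

# "sort | uniq -d" reports an IP seen at least twice; the minimum hit count
# ($2, default 2) makes that threshold explicit and tunable.
repeat_offenders() {
    offending_ips "$1" | sort | uniq -c | awk -v min="${2:-2}" '$1 >= min { print $2 }'
}

# One IPF rule per repeat offender not already listed in the blocked file
# ($2, one IP per line; on a live system build it from ipfstat output).
emit_block_rules() {
    repeat_offenders "$1" "$3" | while read -r ip; do
        grep -qxF "$ip" "$2" || echo "block in quick from $ip to any group 20000"
    done
}

# Constructed sample log and blocked list (not real traffic).
LOG=$(mktemp "${TMPDIR:-/tmp}/ipfblock.XXXXXX")
BLOCKED=$(mktemp "${TMPDIR:-/tmp}/ipfblock.XXXXXX")
trap 'rm -f "$LOG" "$BLOCKED"' EXIT
cat >"$LOG" <<'EOF'
May 10 16:01:02 sco sshd[1234]: Invalid user admin from 192.0.2.10
May 10 16:01:05 sco sshd[1235]: failed login for root from 192.0.2.10
May 10 16:02:11 sco sshd[1236]: Invalid user test from 198.51.100.7
May 10 16:02:13 sco sshd[1237]: Invalid user guest from 198.51.100.7
May 10 16:03:40 sco sshd[1238]: Invalid user oracle from 203.0.113.5
May 10 16:04:01 sco sshd[1239]: failed login for boyd from 192.0.2.10
EOF
echo 198.51.100.7 >"$BLOCKED"

# Prints only "block in quick from 192.0.2.10 to any group 20000":
# 198.51.100.7 is already blocked and 203.0.113.5 has a single hit.
emit_block_rules "$LOG" "$BLOCKED"
```

On a real system the blocked list would come from the rules ipf already holds, and a log rotated at midnight (the 20-second run Boyd mentions) is simply a second file name passed to the same functions.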
On Sat, 10 May 2008, Jean-Pierre Radley wrote:
> Boyd Lynn Gerber typed (on Sat, May 10, 2008 at 04:09:10PM -0600):
> | On Sat, 10 May 2008, Jean-Pierre Radley wrote:
> | > Boyd Lynn Gerber typed (on Mon, May 05, 2008 at 06:09:41PM -0600):
> | > | ftp://ftp.zenez.com/pub/zenez/prgms/...-ipf-block-ips
> | >
> | > Shouldn't you be able to consolidate several of those awk scans of the
> | > syslog into one run of awk?
> |
> | Probably, but I do not remember how to do multiple searches in one set of
> | awk commands.
>
> Instead of
>
> for ips in `awk '/Invalid/{print $13}' /usr/adm/syslog |sort|uniq -d`;
> do
> 	echo "block in quick from $ips to any group 20000" | ipf -f -
> done
>
> for ips in `awk '/failed login/{ print $12}' /usr/adm/syslog |sort|uniq -d`;
> do
> 	echo "block in quick from $ips to any group 20000" | ipf -f -
> done
>
> you should be able to do
>
> for ips in `awk '
> 	/Invalid/ {print $13}
> 	/failed login/ {print $12}
> 	' /usr/adm/syslog |sort|uniq -d`;
> do
> 	echo "block in quick from $ips to any group 20000" | ipf -f -
> done
>
> After all, you were driven to write this procedure because you were
> logging tons of bad news, and calling awk+sort+uniq+echo to analyze your
> pretty large syslog file several times is just a greater burden on your
> CPU.

I forgot you could do the above. I will make the changes and try it out.
I am sure this will help. I do notice that toward the end of the day it
does take the script 3-5 seconds to run. And the last one of the day,
once the syslog is rotated, it can take 20 seconds.

> | > I make every effort here to unclutter the syslog file; I think it
> | > affords far easier parsing by scripts, let alone by human eyes, to
> | > effect logging into diverse files. To that end, my /etc/syslog.conf
> | > file contains:
> |
> | I usually do the same below, but I wanted to get all failures for IPs
> | without having to search multiple files. The script gets all failures and
> | attempts to break in on my systems. I would have to run the same
> | search on multiple files if I split them up.
>
> Not at all. All I was suggesting is that sshd would write nothing to
> the syslog file at all, and everything to /var/adm/syslogd. Awk would
> scan one file as you do now, but not syslog, just one that would contain
> only sshd messages.

My sshd is writing to syslog. I did a fresh install of OSR 5.0.7, OSR6,
and UnixWare 7.1.4 and noticed in the default install everything was in
syslog. All my other systems have them all in separate files, so seeing
that happening, I wrote the script for a default install, and modified my
other systems back. I definitely prefer the many different files but for
now, till this drops more, I will leave it. Now they seem to only be
doing 1/4 - 1/3 of my systems. My Linux and BSD systems only get hit 1-3
times per week, whereas the SCO OS's are hit daily. They are also only
doing about 1/2 my bandwidth now. So things are getting better.

Thanks again for the suggestions. I will make the changes.

Thanks,

--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
I have made the changes. Do you think it would be better to move the rules
that work on all systems to the individual OS ones and combine them
further? Basically I have 3 sets, two with uniq. One uniq -d and one
uniq -c. The other I do not use uniq at all.

Latest version is at ftp://ftp.zenez.com:/pub/zenez/prgms...-ipf-block-ips

Thanks,

--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047