I have been running snort for a while now. Installed mitel-trevor-guardian tonight because of a persistent attack (all possible user name + hundreds of attempts at root and admin - I have ssh open for sftp...). In less than 10 minutes, 69.9.12.50 is blocked, and I realise it is contribs-org when doing a reverse dns on this address.
From the logs:
Guardian process id 5319
Mon Sep 20 23:12:35 2004: 69.9.12.50 [1:1201:7] ATTACK-RESPONSES 403 Forbidden
Running '/bin/guardian_block.sh 69.9.12.50 eth1'
And I get an email:
The Snort-Guardian service has updated your firewall rules by blocking the following IP address: 69.9.12.50.
This IP address will be blocked for 24 hours unless the server is rebooted.
For detailed information: /var/log/guardian.log
/var/log/snort/alert
This alert is only generated when accessing Contribs.org from a redhat Ent3 box - I can track these errors since installing snort 4 months ago. I also found out that it happens only with Mozilla, no alert if I use Konqueror. Finally, there are no alerts if I access the site from a windows box, using IExplorer or the new Firefox (=Mozilla).
The problem appears to be confined to Contribs.org, I have tested a few sites known to run on SME, no alert....
Many thanks for assistance.
chris