Koozali.org: home of the SME Server
Obsolete Releases => SME 7.x Contribs => Topic started by: linuxhelp on March 20, 2009, 05:04:47 AM
-
Hello@All
Since I set up my server I have had an idea: has anyone made a script which hourly cuts out the IP addresses which caused 404 errors in the httpd error_log and adds them to the firewall rule by a second cron script? The firewall works well, blocking bad IPs, but needs updating by hand.
http://wiki.contribs.org/Firewall
-
Don't fully understand your question or quite what you wish to achieve. Blocking IPs of GETs that result in 404 flags is not particularly wise or robust. There are many instances of such instances being benign, including those from search engines running tests (Google/Yahoo).

In addition to the untested 404 entries clause, the appended code expands the scope of the stealthy stuff...
http://wiki.contribs.org/Firewall#Block_incoming_IP_address

The countries catcher clause relates to log entries from...
http://wiki.contribs.org/GeoIP
...and (probably) due to the Conficker/Downadup worm the catch from the usual suspects is significantly higher.

The early talker clause relates to log entries from...
http://wiki.contribs.org/Qpsmtpd_check_earlytalker
...I haven't observed any bad stuff that has more patience than exactly 60 sec, so my site's entry is usually 75 sec.

Locking out the countries and earlytalker catch reduces the bandwidth load and congestion risk arising from the daily repeated dose of phishing spam ad infinitum. On a personal basis I regard the first arrival of this kind of spam as enough warning intelligence to have the spawning IP immediately blocked. It is up to individual sites to decide what to do when the logs rotate. On the one hand you could decide to effectively wipe the slate clean by doing nothing, or to reuse the existing intelligence by inserting the old log's filename into the script to generate an appropriate legacy template, e.g. 40DenySPAM2009-03-19.

I am not a programmer but what I have generated does appear to work properly here (SME Server 7.4) - YMMV.
----best wishes, Robert
#!/bin/bash
# /home/e-smith/files/users/admin/home/masq/spammers.sh
# MANUALLY INVOKED WITH: sh /home/e-smith/files/users/admin/home/masq/spammers.sh
# all generated fragments go into the custom masq templates directory
TEMPLATES=/etc/e-smith/templates-custom/etc/rc.d/init.d/masq

# parse qpsmtpd/current log for the IPs of specifically blocked countries
# logterse fields are separated by a backtick (or tab): field 2 is the client IP,
# field 5 is kept after the "#" as a comment on the generated rule
# geoip entries # template: 40DenyCountrySPAM
# CHECKED WITH: nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyCountrySPAM
awk -F'[`\t]' '/logging::logterse plugin:/ && /check_badcountries/ {print "/sbin/iptables -A INPUT -s", $2 "/32 -j DROP # geoip", $5}' /var/log/qpsmtpd/current | sort -u > $TEMPLATES/40DenyCountrySPAM

# parse qpsmtpd/current log for the IPs of early talkers
# early_talker entries # template: 40DenyEARLY
# CHECKED WITH: nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyEARLY
awk -F'[`\t]' '/logging::logterse plugin:/ && /check_earlytalker/ {print "/sbin/iptables -A INPUT -s", $2 "/32 -j DROP # early", $5}' /var/log/qpsmtpd/current | sort -u > $TEMPLATES/40DenyEARLY

# parse httpd/error_log for the IPs requesting non-existent files
# WARNING: likely to suffer unintended results
# WARNING: locks out search engines that run test routines (Googlebot/Slurp)
# WARNING: locks out benign instances of accidental mistyping
# WARNING: locks out legacy site links that might have been long forgotten
# therefore this particular stuff is supplied commented out, remove ### to run # YMMV
# splitting on "] " leaves "[client 1.2.3.4" in field 3; the leading "[client " is stripped before printing
# error entries # template: 40DenyERRORS
# CHECKED WITH: nano -w /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40DenyERRORS
###awk -F'] ' '/File does not exist/ {sub(/^\[client /, "", $3); print "/sbin/iptables -A INPUT -s", $3 "/32 -j DROP # noexist"}' /var/log/httpd/error_log | sort -u > $TEMPLATES/40DenyERRORS

# expand all masquerading templates
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
# restart masquerading
/etc/init.d/masq restart
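An added example, written for this thread and not Robert's script or part of the SME firewall contrib: a shell function that turns logterse entries into the same DROP lines, but emits a rule only when the parsed address field is a well-formed IPv4 address, so an unexpected or malformed field never lands in a template fragment that the masq init script runs as shell. It assumes the logterse field layout Robert's awk relies on (backtick or tab separated, client IP in field 2) and drops the trailing field 5 comment; the log lines below are constructed samples.

```shell
#!/bin/sh
# deny_rules TAG PATTERN < qpsmtpd-log
# TAG is the comment written after "#"; PATTERN selects the plugin line
# (e.g. check_earlytalker). Output is one DROP rule per distinct valid IP.
deny_rules() {
    tag=$1
    pattern=$2
    awk -F'[`\t]' -v tag="$tag" -v pat="$pattern" '
        /logging::logterse plugin:/ && index($0, pat) {
            ip = $2
            # shape check: exactly four dot-separated numeric groups
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            split(ip, o, ".")
            ok = 1
            for (i = 1; i <= 4; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (!ok) next
            print "/sbin/iptables -A INPUT -s " ip "/32 -j DROP # " tag
        }' | sort -u
}

# Constructed sample log (not real qpsmtpd output). Lines 4 and 5 carry a
# field that is not a valid IPv4 address and must produce no rule.
sample_log() {
    printf '%s\n' \
'2009-03-19 10:00:01 123 logging::logterse plugin: `203.0.113.7`a.example`a.example`x@a.example`y@b.example`check_earlytalker`901`early talker' \
'2009-03-19 10:00:02 124 logging::logterse plugin: `203.0.113.7`a.example`a.example`x@a.example`y@b.example`check_earlytalker`901`early talker' \
'2009-03-19 10:00:03 125 logging::logterse plugin: `198.51.100.9`b.example`b.example`x@b.example`y@b.example`check_badcountries`901`blocked country' \
'2009-03-19 10:00:04 126 logging::logterse plugin: `999.1.1.1`c.example`c.example`x@c.example`y@b.example`check_earlytalker`901`early talker' \
'2009-03-19 10:00:05 127 logging::logterse plugin: `not.an.ip`d.example`d.example`x@d.example`y@b.example`check_earlytalker`901`early talker'
}

# usage: the duplicate early-talker entry collapses to a single rule, the two
# malformed entries are skipped
sample_log | deny_rules early check_earlytalker
```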