Re: [Fwbuilder-discussion] adding hostile ip addresses in the policy.fwb file
From: <va...@vk...> - 2007-09-01 16:37:44
I agree with Lupe, there is no point in collecting these addresses permanently. A temporary blocking rule should be fine. If the same scanner comes again after you rebooted the firewall, its address will be automatically added again.

I do it using swatch and a branching rule in the main policy that creates chain "block_ssh_scanners". This rule has "any" in src and dst and service "ssh". Swatch calls a simple shell script that adds an iptables rule to this chain.

Here is my .swatchrc:

    watchfor /sshd\[\d+\]: Failed password for invalid user (\S+) from (\S+)/
        echo bold
        exec "/root/swatch/block_ssh_scanner.sh $2"

    watchfor /sshd\[\d+\]: Failed password for (\S+) from (\S+)/
        echo bold
        exec "/root/swatch/block_ssh_scanner.sh $2"

    watchfor /sshd\[\d+\]: Did not receive identification string from (\S+)/
        echo bold
        exec "/root/swatch/block_ssh_scanner.sh $1"

Here is the script block_ssh_scanner.sh:

    #!/bin/sh
    # called by swatch with the offending address as the only argument
    addr=$1
    test -z "$addr" && exit 1
    # already blocked? (the file keeps one iptables command per address)
    grep -q "$addr" /root/swatch/ssh_scan_addresses && exit 0
    cmd="iptables -A block_ssh_scanners -s $addr -j DROP"
    echo "$cmd" >> /root/swatch/ssh_scan_addresses
    $cmd

This is rather simple but it is also "trigger happy" as it blocks addresses on the first unsuccessful login attempt.

--vk

On Aug 31, 2007, at 1:58 PM, Fabio Martinelli wrote:

> Hi,
>
> I have retrieved a group of hostile ip addresses (ssh brutal attempts)
> using Logwatch, so I defined a fwbuilder policy for RedHat4/iptables:
> this is a fragment of the .fwb file
>
> ...
> <ObjectGroup id="id46D6EE8A6282" name="Objects">
> <ObjectGroup id="id46D6EE8B6282" name="Addresses">
> <IPv4 address="218.38.55.188" comment="hostile"
> id="id46D8674415288" name="218.38.55.188" netmask="255.255.255.255"/>
> <IPv4 address="211.180.228.238" comment="hostile"
> id="id46D86DFA15288" name="211.180.228.238"
> netmask="255.255.255.255"/>
> <IPv4 address="74.86.68.186" comment="hostile"
> id="id46D86DFB15288" name="74.86.68.186" netmask="255.255.255.255"/>
> </ObjectGroup>
> ...
>
> I defined that using the GUI, but I'd like to add the other hosts in
> an automatic way:
> I see the id field, so how is this field value got?
> I could surround my hostile ip list with the necessary XML stuff
> and terminate the boring, and surely possibly wrong, data entry.
>
> list:
>
> many thanks,
> Fabio
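An added example that is not vk's script and not part of this thread: a threshold variant of the same swatch-and-chain idea, which counts sshd failures per source address and only produces a DROP rule for the block_ssh_scanners chain once a source reaches THRESHOLD failures, instead of blocking on the first one. The chain name comes from the thread; the sshd log format, the THRESHOLD value and the constructed sample log are assumptions.

```shell
#!/bin/sh
# Added example (not vk's script): threshold variant of the swatch-driven
# blocking above. Instead of blocking a source on its first failure, it
# counts sshd failures per address and only emits a DROP rule for the
# block_ssh_scanners chain once a source reaches THRESHOLD failures.
# It prints the iptables commands instead of running them; pipe the
# output to sh once you are happy with it. Chain name is from the thread;
# the sshd log format and THRESHOLD value are assumptions.

THRESHOLD=${THRESHOLD:-3}

# Read sshd log lines on stdin; print the source address of each failure.
extract_failures() {
    sed -n \
        -e 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\).*/\1/p' \
        -e 's/.*sshd\[[0-9]*\]: Did not receive identification string from \([0-9.]*\).*/\1/p'
}

# Print each source address with at least THRESHOLD failures.
offenders() {
    extract_failures | sort | uniq -c | awk -v t="$THRESHOLD" '$1 >= t { print $2 }'
}

# Print one iptables command per offending address (dry run, nothing applied).
block_commands() {
    offenders | while read -r addr; do
        echo "iptables -A block_ssh_scanners -s $addr -j DROP"
    done
}

# Constructed sample log (not real data): 203.0.113.7 fails three times,
# 198.51.100.9 twice, and 192.0.2.5 logs in successfully.
SAMPLE_LOG=$(cat <<'EOF'
Sep  1 16:01:02 fw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Sep  1 16:01:05 fw sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Sep  1 16:01:09 fw sshd[1207]: Failed password for root from 203.0.113.7 port 40141 ssh2
Sep  1 16:02:11 fw sshd[1220]: Failed password for root from 198.51.100.9 port 51002 ssh2
Sep  1 16:02:30 fw sshd[1225]: Did not receive identification string from 198.51.100.9
Sep  1 16:02:45 fw sshd[1230]: Accepted publickey for vk from 192.0.2.5 port 33000 ssh2
EOF
)

# Stand-alone run: prints the rule for 203.0.113.7 only.
printf '%s\n' "$SAMPLE_LOG" | block_commands
```

Replace the sample log with `tail -f`-style input or a real auth log to use it as a batch alternative to the per-event swatch trigger.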