Security Incidents mailing list archives
Re: code red attacks and real-time blackhole'ng
From: "Sean Hunter" <sean () uncarved com>
Date: Fri, 14 Sep 2001 08:23:26 +0100
On Sat, Sep 08, 2001 at 01:46:56AM +0200, Florian Piekert wrote:
> Hi,
>
> some time ago I asked if somebody had any idea how to real-time blackhole IP addresses to port 80 with ipchains who try to set off the Code Red virus variants. My idea was as follows:
>
> #!/bin/bash
> tail -f /var/log/messages | grep -i "codered" | grep -iv proxy | awk '{print $11}' | awk -F : '{print $1}' | ipchains -A input -s i `awk '{print $1}'`/255.255.255.255 -d 0/0 80 -i eth1 -j DENY --protocol tcp
>
> Several problems now occur (for some of you probably trivialities):
>
> 1) the above port 80 blocking makes sense if tcp and udp are blocked, or is tcp sufficient?
You should deny by default. Although http is only over tcp, I would hope that you would blanket-ban anyone from connecting to you on 80/udp since there isn't a well-known service for that port.
> 2) when I do a tail -n 1000 instead of the tail -f, ipchains bitches because he gets 1000 (not that many of course) IP addresses at once but only wants _1_ argument, not a list.
I think you want to learn a bit more shell. What might help is this sort of construct:

CODERED_IPS=`a_commandline_pipe_that_gives_me_a_list_of_ips`
for addr in $CODERED_IPS; do
    echo "Blocking $addr"
    ipchains -A input -s $addr -d 0/0 80 -i eth1 -j DENY --protocol tcp
done

There are other ways to achieve this same type of loop in bash, but this idea is very useful. You may also want to consider "sort -n | uniq" at the end of your pipe, to make sure you avoid duplicates.

Finally, instead of putting those in your INPUT chain, consider adding a "codered blocking" chain thusly:

ipchains -N block_codered
...
ipchains -A input -j block_codered -d 0/0 80 -i eth1 --protocol tcp
for addr in $CODERED_IPS; do
    echo "Blocking $addr"
    ipchains -A block_codered -s $addr -j DENY --protocol tcp
done

Now, the cool thing about this approach is that you can easily add blocking IPs to the end of your codered chain without affecting rules in the main table. This means you don't have to reload your firewall rules every time you lart someone. You also may get a performance benefit because you aren't matching each packet against the protocol and destination address/port mask once they're in the blocking chain, only the source address.
> 3) when I do a tail -f nothing happens at all, without the ipchains command no output is generated at all even if new entries in /var/log/messages appear, but if I tail -n 1000 /var/log/messages and use the above pipes, I get a neat list of IP addresses...
You could do "tail -1000f /var/log/messages" and get the best of both worlds. Seriously, I think you should read the manpages and figure this one out for yourself.

Good luck!

Sean Hunter

P.S. I apologise if the ipchains syntax is wrong, but all my firewalls use iptables so I'm a bit more familiar with that.
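The loop-plus-dedicated-chain approach described in the reply above, written out as a complete script. This is an added example and not code from either poster; the syslog-style log lines are constructed for the example, the "from A.B.C.D:port" field and the sed pattern that extracts it are assumptions (a real IDS or web-server log will need its own pattern), and the chain name block_codered and interface eth1 are the reply's own. The ipchains binary is not invoked unless IPCHAINS=ipchains is set, so the script can be run and checked on any box.

```shell
#!/bin/sh
# Added example (not from the original thread): turn Code Red log entries
# into a dedicated ipchains blocking chain, one DENY per unique source IP.

# Write a few constructed syslog-style lines to the file named in $1.
# The "from A.B.C.D:port" layout is an assumption made for this example.
write_sample_log() {
    cat > "$1" <<'EOF'
Sep  7 01:12:03 gw ids[771]: CodeRed-II probe from 203.0.113.7:3456 to 192.0.2.10:80
Sep  7 01:12:09 gw ids[771]: CodeRed probe from 198.51.100.23:1045 to 192.0.2.10:80
Sep  7 01:12:11 gw ids[771]: CodeRed-II probe from 203.0.113.7:3460 to 192.0.2.10:80
Sep  7 01:13:40 gw ids[771]: CodeRed probe from 192.0.2.99:2211 to 192.0.2.10:80 via proxy
Sep  7 01:14:02 gw ids[771]: Nimda probe from 203.0.113.44:1200 to 192.0.2.10:80
EOF
}

# Print each offending source IP exactly once: match "codered" case-
# insensitively, drop proxy hits (as the original pipe did), pull the
# "from A.B.C.D:port" field, strip the port, and sort -u so nothing is
# appended to the chain twice.
codered_ips() {
    grep -i 'codered' "$1" \
        | grep -iv 'proxy' \
        | sed -n 's/.* from \([0-9][0-9.]*\):[0-9]*.*/\1/p' \
        | sort -u
}

# Emit the ipchains commands: create the chain, add one jump from input
# into it for tcp/80 on the outside interface, then one DENY per address.
# $IPCHAINS defaults to "echo ipchains" (dry run) so the script is safe
# to run anywhere; set IPCHAINS=ipchains on a 2.2-kernel box to apply.
codered_rules() {
    log=$1; chain=${2:-block_codered}; iface=${3:-eth1}
    ipchains_cmd=${IPCHAINS:-echo ipchains}
    $ipchains_cmd -N "$chain"
    $ipchains_cmd -A input -i "$iface" --protocol tcp -d 0/0 80 -j "$chain"
    for addr in $(codered_ips "$log"); do
        $ipchains_cmd -A "$chain" -s "$addr" -j DENY
    done
}

# Number of DENY rules that would land in the blocking chain for a log.
codered_rule_count() {
    codered_rules "$1" | grep -c -- '-j DENY'
}

# Dry-run demo on the constructed log: prints the ipchains commands.
demo() {
    tmp=$(mktemp)
    write_sample_log "$tmp"
    codered_rules "$tmp"
    rm -f "$tmp"
}

demo
```

Because the per-address rules live in their own chain, a later `tail -f` feeder can keep appending `ipchains -A block_codered -s ... -j DENY` without touching the input chain, which is the point made above; the jump rule carries the protocol and port match so that only tcp/80 traffic ever enters the chain.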