Gentoo Forums
sending evil IP's to a blackhole
Gentoo Forums Forum Index :: Networking & Security

Poll: Is this a bad idea?
yes       22%  [ 6 ]
no        37%  [ 10 ]
possibly  40%  [ 11 ]
Total Votes : 27

count
Apprentice
Joined: 28 May 2002
Posts: 242
Location: Dalton, MA
PostPosted: Tue Sep 17, 2002 6:56 pm    Post subject: sending evil IP's to a blackhole

I'm running apache on my gentoo box and have been receiving a number of worm-like requests involving winnt/system32/cmd.exe? ... and default.ida? ... so I modified my apache configuration to run a script I wrote to log their IP in my "blacklist" and do this:

route -n add -host [BADIP] gw [BOGUS_INTERNAL_IP]

So from then on any requests from that IP are lost. Drastic measures, I guess, but these requests are overtaking my apache_log.

My question is this:
Could adding them to my route table cause a performance loss?

Right now I've got 20 IP's in there since I implemented this about 5 days ago. But since then the rate at which new IP's are added has been dropping.

I also just created a script which I added to my init.d for apache which will rebuild the route table from my blacklist if for any reason my server is restarted.

What are your thoughts?
_________________
- Joseph Monti
_________________
This message is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation. For more info visit http://joemonti.org/
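Added example, not the poster's script (which is not in the thread): the same idea in shell, with the log scan, the blacklist file and the rebuild-on-boot step the poster describes. The file paths, the blacklist layout (one IPv4 address per line), the sample log lines and the root.exe pattern (another Nimda probe) are assumptions. On the performance question: the kernel's route lookup is not a linear scan, so a few dozen host routes cost nothing measurable; it is firewall chains (iptables without ipset) that slow down linearly with rule count.

```sh
#!/bin/sh
# Added example, not the poster's own script.  Finds the clients that sent
# Code Red / Nimda style probes in an Apache access log, records them in a
# blacklist file, and blackholes each one.  File paths, the blacklist layout
# (one IPv4 address per line) and the root.exe pattern are assumptions.

BLACKLIST="${BLACKLIST:-/var/lib/blackhole/blacklist}"
WORM_RE='default[.]ida|cmd[.]exe|root[.]exe'   # request substrings to treat as worm traffic

# worm_ips: read a Common/Combined-format access log (client IP in field 1)
# on stdin and print each distinct client whose request matched WORM_RE.
worm_ips() {
    awk -v re="$WORM_RE" '
        $0 ~ re && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { seen[$1] = 1 }
        END { for (ip in seen) print ip }
    ' | sort
}

# new_ips: read candidate IPs on stdin, print only those not yet blacklisted.
new_ips() {
    touch "$BLACKLIST"
    grep -vxF -f "$BLACKLIST" || true   # grep exits 1 when nothing is new
}

# blackhole_cmd: the iproute2 equivalent of the poster's host route to a bogus
# gateway.  Replies to the address have nowhere to go, so its TCP handshakes
# never complete and Apache never sees (or logs) a request; with rp_filter
# enabled the inbound packets are dropped outright.
blackhole_cmd() {
    echo "ip route add blackhole $1/32"
}

# legacy_cmd: the net-tools form from the original post, with 192.0.2.1
# (TEST-NET-1, assumed unused locally) standing in for the bogus gateway.
legacy_cmd() {
    echo "route -n add -host $1 gw 192.0.2.1"
}

# apply: run a blackhole command, or just print it when DRYRUN=1.
apply() {
    if [ "${DRYRUN:-0}" = 1 ]; then echo "$1"; else $1; fi
}

# update_blackholes: stdin = access log.  Extend the blacklist with any new
# offenders and blackhole them.  Safe to run from cron or a piped-log handler.
update_blackholes() {
    worm_ips | new_ips | while read -r ip; do
        echo "$ip" >> "$BLACKLIST"
        apply "$(blackhole_cmd "$ip")"
    done
}

# rebuild_blackholes: re-apply every entry after a reboot (the init.d hook
# the poster describes).  Needs root unless DRYRUN=1.
rebuild_blackholes() {
    [ -f "$BLACKLIST" ] || return 0
    while read -r ip; do
        [ -n "$ip" ] && apply "$(blackhole_cmd "$ip")"
    done < "$BLACKLIST"
}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG='203.0.113.7 - - [17/Sep/2002:18:01:22 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 281
203.0.113.7 - - [17/Sep/2002:18:01:23 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
198.51.100.9 - - [17/Sep/2002:18:02:01 -0400] "GET /index.html HTTP/1.0" 200 1432
198.51.100.23 - - [17/Sep/2002:18:03:10 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291'

# Dry run against the sample: prints one "ip route add blackhole ..." per offender.
BLACKLIST=$(mktemp); DRYRUN=1
printf '%s\n' "$SAMPLE_LOG" | update_blackholes
rm -f "$BLACKLIST"
```

Run it as root with DRYRUN unset against the real log (for example from cron, or from a CustomLog pipe) and call rebuild_blackholes from the init script; the blacklist file is the only state it needs to survive a reboot.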
echeslack
Tux's lil' helper
Joined: 21 Jul 2002
Posts: 131
Location: NJ, USA
PostPosted: Tue Sep 17, 2002 7:09 pm

I have never personally set up apache, but I thought there was a way to set up access by IP. I would think this would be the most efficient way since nothing ever gets sent (or attempts to get sent), but instead the request is just dropped. But I'm no expert, so maybe you should just wait for somebody else to answer :).

-ewen
rac
Bodhisattva
Joined: 30 May 2002
Posts: 6553
Location: Japanifornia
PostPosted: Tue Sep 17, 2002 7:13 pm

echeslack wrote:
I have never personally set up apache, but I thought there was a way to set up access by IP. I would think this would be the most efficient way since nothing ever gets sent (or attempts to get sent), but instead the request is just dropped.

If you're referring to Apache's deny directive, it doesn't drop the request, but rather sends back a 401 Access Denied.

In addition to your route method, you could use tcpwrappers or iptables to block access.
_________________
For every higher wall, there is a taller ladder
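An added example, not from the thread: the mod_access (Apache 1.3/2.0) form of the per-client deny rac is referring to. The directory path and the addresses (RFC 5737 documentation ranges) are placeholders. Apache answers a denied client with 403 Forbidden; the TCP connection, the request parsing and the access_log line all still happen, which is why this does nothing about the log noise the original poster is fighting. tcpwrappers has a different limitation: only daemons that consult libwrap (inetd/xinetd-spawned services, sshd built with it) honour /etc/hosts.deny, and a standalone Apache does not.

```apache
# Added example, not from the thread.  Refuse two clients at the
# application layer; Apache still accepts the connection, parses the
# request, logs it, and then answers 403 Forbidden.
<Directory "/var/www/localhost/htdocs">
    Order allow,deny
    Allow from all
    Deny from 203.0.113.7         # single host
    Deny from 198.51.100.0/24     # whole network, CIDR form
</Directory>
```

Put the block at the DocumentRoot (or in a <Location /> block) so it covers every URL, not just one directory; a worm probing /scripts/ or /default.ida is not going to respect a narrower scope.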
count
Apprentice
Joined: 28 May 2002
Posts: 242
Location: Dalton, MA
PostPosted: Tue Sep 17, 2002 7:19 pm

I was using the Deny directive in apache at first, but I was manually entering the IP's and that got tedious and the list got long ... So I did what I described above because I thought it would be more efficient and would catch them before they even got to apache.
trapni
Retired Dev
Joined: 16 May 2002
Posts: 251
Location: Germany/Berlin
PostPosted: Wed Sep 18, 2002 3:28 pm

Before sending 'em to a blackhole you should check whether they're dynamic IP's or not (dialup connections); if so, I'd recommend you send a mail to abuse@HisISP.net rather than sending it to the blackhole ;)

Cheers,
Christian Parpart.

p.s.: my mail server rejects approximately 140 mails of spam and alike a day, amazing ;)
count
Apprentice
Joined: 28 May 2002
Posts: 242
Location: Dalton, MA
PostPosted: Wed Sep 18, 2002 3:37 pm

I found another solution to my problem that may work a bit better thanks to focus-linux@securityfocus.com

I'm now using iptables and dynfw to deal with the bad requests. It seems to be working well so far.

Thanks!
RebelYell
n00b
Joined: 28 Jun 2002
Posts: 41
PostPosted: Wed Sep 18, 2002 3:46 pm

rac wrote:
echeslack wrote:
I have never personally set up apache, but I thought there was a way to set up access by IP. I would think this would be the most efficient way since nothing ever gets sent (or attempts to get sent), but instead the request is just dropped.

If you're referring to Apache's deny directive, it doesn't drop the request, but rather sends back a 401 Access Denied.

In addition to your route method, you could use tcpwrappers or iptables to block access.


I agree with this... and you could use portsentry and the dynfw package.
This way you'll end up with those bad hosts in your /etc/hosts.deny and iptables rules.
nemo_
Apprentice
Joined: 19 Sep 2002
Posts: 167
Location: Brussels, Belgium
PostPosted: Thu Sep 19, 2002 12:45 am    Post subject: portsentry

While blocking worm infected IPs using iptables is not a bad idea (hosts from subnets near you tend to keep trying again and again it seems), I don't like portsentry much because if someone finds out you're running it - that's not too difficult when you have several IPs handy - they can flood you with spoofed packets originating from everywhere and turn your firewall into a real wall.
RebelYell
n00b
Joined: 28 Jun 2002
Posts: 41
PostPosted: Thu Sep 19, 2002 8:34 am    Post subject: Re: portsentry

nemo_ wrote:
While blocking worm infected IPs using iptables is not a bad idea (hosts from subnets near you tend to keep trying again and again it seems), I don't like portsentry much because if someone finds out you're running it - that's not too difficult when you have several IPs handy - they can flood you with spoofed packets originating from everywhere and turn your firewall into a real wall.


Available just in case your box will be accepting spoofed packets... besides, you can configure portsentry to ignore several hosts/subnets or to "flush" the banned subnets/hosts at the interval you specify.
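Added example, not from the thread, portsentry or dynfw: an iptables auto-blocker that takes both sides of this exchange seriously. It refuses to block anything on an allowlist (nemo_'s concern: a forged source that happens to be your gateway or resolver would otherwise wall you in) and expires each block after a TTL (RebelYell's periodic flush, done per entry rather than wholesale). The chain name, the state-file path, the default allowlist and the sample addresses (RFC 5737) are assumptions; add your gateway, DNS resolvers and monitoring hosts to ALLOW before using it. One point worth keeping in mind when choosing a trigger: an offender taken from Apache's access_log has completed a TCP handshake, so its source address is real; portsentry reacts to bare packets, which is exactly what makes it spoofable.

```sh
#!/bin/sh
# Added example, not from the thread, portsentry or dynfw.  An auto-blocker
# that drops offenders with iptables but guards against the self-inflicted
# outage nemo_ describes: it refuses to block anything on an allowlist and
# expires each block after TTL seconds.  Chain name, state-file path and the
# default allowlist are assumptions.

CHAIN="${CHAIN:-BLACKHOLE}"
STATE="${STATE:-/var/lib/blackhole/blocked}"   # one "<ip> <epoch-seconds>" per line
ALLOW="${ALLOW:-127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"
TTL="${TTL:-86400}"

# ip_to_int: dotted quad -> unsigned 32-bit integer (subshell keeps IFS local).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NET/PREFIX: succeed when IP lies inside the prefix.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32   # bare address, no prefix
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# allowed IP: succeed when IP must never be blocked.
allowed() {
    for net in $ALLOW; do
        in_cidr "$1" "$net" && return 0
    done
    return 1
}

# run: execute an iptables command, or print it when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# setup: create the chain once and send all INPUT traffic through it first.
setup() {
    run iptables -N "$CHAIN"
    run iptables -I INPUT 1 -j "$CHAIN"
}

# block IP: append a DROP rule unless IP is allowlisted or already blocked.
block() {
    if allowed "$1"; then
        echo "refusing to block allowlisted $1" >&2
        return 1
    fi
    touch "$STATE"
    awk -v ip="$1" '$1 == ip { found = 1 } END { exit !found }' "$STATE" && return 0
    echo "$1 $(date +%s)" >> "$STATE"
    run iptables -A "$CHAIN" -s "$1" -j DROP
}

# expire: remove rules older than TTL so a burst of forged sources cannot
# lock anyone out permanently.
expire() {
    [ -f "$STATE" ] || return 0
    now=$(date +%s); tmp=$(mktemp)
    while read -r ip stamp; do
        if [ $(( now - stamp )) -ge "$TTL" ]; then
            run iptables -D "$CHAIN" -s "$ip" -j DROP
        else
            echo "$ip $stamp" >> "$tmp"
        fi
    done < "$STATE"
    mv "$tmp" "$STATE"
}

# Dry run: prints the iptables commands instead of executing them.
DRYRUN=1; STATE=$(mktemp)
setup
block 203.0.113.7            # an offender taken from a completed HTTP request
block 192.168.1.5 || true    # allowlisted, refused with a message on stderr
expire
rm -f "$STATE"
```

Run setup once at boot, call block from whatever produces offender addresses (the access_log scan, for instance) and expire from cron. Because every rule lives in its own chain, a single `iptables -F BLACKHOLE` clears the lot without touching the rest of the firewall.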
panserg
Apprentice
Joined: 16 Apr 2003
Posts: 188
PostPosted: Wed May 28, 2003 3:13 pm

It's been a while since this subject was up. What's changed since that time? Are there any tools in Portage to help against such "worm seekers"?

I run several Apache, Tomcat and Zope servers and I was surprised to see that even non-80 ports are flooded. As for standard 80, there are more bad records in log files than good ones. On big servers it's not an issue, but on small servers with a slow connection it becomes a performance and volume issue.

For fast servers I am looking for a script that would:

    1. scan the log files on a regular (let's say weekly) basis;
    2. summarize the flood records by provider;
    3. send a message to each abuse@ISP.net;
    4. clean the records up in order to back them up (to a tape archive or something) without any garbage.

Is there anything in Portage that can help?

Also, for small server, is there anything I can do in iptables to check the URL and to drop it if it's bad and to do it faster (or with less CPU utilization) than Apache would do it by itself?
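Added example for the two questions in this post; it is not a Portage package and not code from the thread. summarize_worm_hits groups the worm probes in an access log by /24 so the noisiest networks stand out, evidence_for pulls out the lines to paste into an abuse report, and string_match_rules prints the iptables rules that drop the probes before Apache parses them. The whois lookup that maps a network to its abuse contact is left to the operator (it needs the network), and the sample log lines, the root.exe pattern and the /24 grouping are assumptions.

```sh
#!/bin/sh
# Added example, not from Portage or the thread.  Log triage for worm probes
# plus the kernel-side pre-filter asked about above.  Sample data and the
# root.exe pattern are assumptions.

WORM_RE='default[.]ida|cmd[.]exe|root[.]exe'

# summarize_worm_hits: stdin = access log (client IP in field 1).
# Output: "<hits> <network>/24 <first client seen>", busiest network first.
summarize_worm_hits() {
    awk -v re="$WORM_RE" '
        $0 ~ re && split($1, o, ".") == 4 {
            net = o[1] "." o[2] "." o[3] ".0/24"
            hits[net]++
            if (!(net in first)) first[net] = $1
        }
        END { for (n in hits) print hits[n], n, first[n] }
    ' | sort -rn
}

# evidence_for PREFIX: stdin = access log; print the worm lines from one /24
# (PREFIX written like 203.0.113) to attach to the abuse mail.
evidence_for() {
    awk -v p="$1." -v re="$WORM_RE" 'index($1, p) == 1 && $0 ~ re'
}

# string_match_rules: iptables rules using the kernel's string match
# (xt_string: a patch-o-matic add-on in 2003, in mainline since Linux 2.6.14).
# It scans each packet's payload on its own, so a request split across two
# segments slips through, and any payload, POST bodies included, can match.
# Treat it as a cheap pre-filter in front of Apache, not as a replacement.
string_match_rules() {
    for s in default.ida cmd.exe root.exe; do
        echo "iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string \"$s\" -j DROP"
    done
}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG='203.0.113.7 - - [28/May/2003:14:01:22 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 281
203.0.113.7 - - [28/May/2003:14:01:23 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
203.0.113.50 - - [28/May/2003:14:02:40 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291
198.51.100.9 - - [28/May/2003:14:02:01 -0400] "GET /index.html HTTP/1.0" 200 1432
198.51.100.23 - - [28/May/2003:14:03:10 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291'

printf '%s\n' "$SAMPLE_LOG" | summarize_worm_hits
printf '%s\n' "$SAMPLE_LOG" | evidence_for 203.0.113
string_match_rules
```

Once the worm lines are identified this way, `grep -vE "$WORM_RE"` over the rotated log gives the cleaned copy for the tape archive, and the evidence excerpt goes into the abuse mail together with the log's timezone (the -0400 in the sample), which abuse desks need to match a dynamic address to a customer.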