
Peter Beckman wrote:
> My initial attempt was using sshguard to block web scans:
>
>   tail -n0 -F httpd.log | sed -n -E 's/^([^ ]+) .* 404 .*$/\1 404 access denied/p' | sshguard -a 100 -s 60 -p 1200
>
> (The capture group is `[^ ]+` so that only the leading client address is kept; a greedy `.+` would swallow everything up to the last field before the 404.)
>
> But there are too many pipes involved. socat is my next attempt.
I made a butchery for my own servers. Needs a little tweaking as * systems differ. Be advised, thresholds are different so if you're in a provider (mini Vonage) environment, if you don't modify this, you will find your customer support department answering calls on valid connections which were blocked.

http://www.infiltrated.net/asterisk-ips.html

I thought about re-writing it using a db, but because of DHCP, clients' mobility, would be a tough call. An optimal way to do something like this would be:

  W=Account_Name
  X=Amount_of_Connection_Attempts
  Y=Time
  Z=Block

  if [ $X >= 100 ] && [ $W >= 30 ] && [ $Y = 60 ]
  then
      iptables something
  fi

Where, if someone attempts to connect say 100 times from 30 different accounts in under 60 seconds, block em.

I thought about this and how I can streamline it, but if you're in the managed PBX environment, a hosted customer can have multiple registrations especially if say their connection flaked. Imagine a hosted customer going down, coming back up and getting caught in the error logs. The script if done incorrectly would auto-block them. If they're in a different timezone where no one can flush out the rules, they'd have to wait to get reconnected.

I shot off a message to Mark Spencer at Digium (he's the Mark referenced in the document) about this and other stuff and we spoke briefly, but 1) Mark is always busy, I was doing this on my own accord for my own systems, so the incentive to make it an all out project was beyond my scope.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
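As an added example (not the script from the thread or from infiltrated.net), the "100 attempts from 30 accounts in 60 seconds" rule as a sliding-window check over constructed log lines; the log format, account names and addresses are assumptions. The scanner cycling through accounts is flagged, while the hosted customer re-registering three phones after a flap is not, because the distinct-account threshold keeps a single noisy site below the bar.

```python
import re
from collections import defaultdict, deque

# Assumed one-line-per-failure format (constructed, not Asterisk's real log):
#   "<unix_ts> <src_ip> <account> REGISTER_FAIL"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) REGISTER_FAIL$")


def make_sample_log():
    """Constructed sample: one address walks 40 account names in 40 s;
    a hosted PBX site re-registers its 3 phones just as often (a flap)."""
    lines = []
    for i in range(120):
        lines.append(f"{1000 + i // 3} 203.0.113.5 sip{100 + i % 40} REGISTER_FAIL")
    for i in range(120):
        lines.append(f"{1000 + i // 3} 198.51.100.7 phone{i % 3} REGISTER_FAIL")
    return lines


def find_offenders(lines, max_attempts=100, max_accounts=30, window=60):
    """Return {src_ip: (attempts, distinct_accounts)} for every source that
    crosses BOTH thresholds inside some sliding window of `window` seconds.
    Requiring many distinct accounts is what spares a legitimate site that
    retries a few registrations very often."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])  # tail -F order is not guaranteed

    recent = defaultdict(deque)       # src_ip -> deque of (ts, account)
    offenders = {}
    for ts, ip, account in events:
        q = recent[ip]
        q.append((ts, account))
        while q and ts - q[0][0] > window:   # drop events outside the window
            q.popleft()
        attempts = len(q)
        accounts = len({a for _, a in q})
        if attempts >= max_attempts and accounts >= max_accounts:
            offenders[ip] = (attempts, accounts)
    return offenders


if __name__ == "__main__":
    for ip, (n, k) in find_offenders(make_sample_log()).items():
        print(f"{ip}: {n} attempts across {k} accounts -> candidate for blocking")
```

Whatever block action is chosen, keeping the window short and expiring the entry again limits how long a wrongly matched customer stays locked out.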