
Re: [cobalt-users] Anon FTP pesks [SCANNED]

> On 3/23/04 1:25 PM, "PageKeeper Service" wrote:
>
> > Still working on it. I have little time to finish it these days. But it
> > seems to help so far while testing.
> > Usually the same ip tries other ways to cause havoc so we drop the packet.
> > http://www.pagekeeperservice.com/sysinfo/blocked.pl?cobalt-users
>
> David
>
> Let me as well as the group know if you get something going. Looks
> interesting :) So you have something in place that sees the abuser trying
> multiple IP's? :)

Not really, just using the hosts files. If it's 1 or 1 million it's the same
effect... cr@p connection.
This makes the kiddie change ip's before trying again. You'd hope sooner or
later they run out of ip's...

> --
> Thanks!!
> David Thurman
> List Only at Web Presence Group Net

Logcheck is needed since I use the logtail/files [stuff] it uses.
Here are examples of a pr*ck with ears at work putting a sh*t stain in the
various logs:

Mar 22 19:23:55 www in.proftpd[23393]: refused connect from 211.157.101.25
Mar 22 19:23:55 www in.proftpd[23394]: refused connect from 211.157.101.25
Mar 22 19:23:55 www in.proftpd[23395]: refused connect from 211.157.101.25
Mar 22 19:23:55 www in.proftpd[23397]: refused connect from 211.157.101.25
Mar 22 19:23:55 www in.proftpd[23405]: refused connect from 211.157.101.25
Mar 22 19:23:55 www in.proftpd[23403]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23401]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23399]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23396]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23402]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23400]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23398]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23404]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23406]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23407]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23408]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23412]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23410]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23411]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23409]: refused connect from 211.157.101.25

Mar 22 19:18:53 www sendmail[23183]: i2N1Ir723183: ruleset=check_mail, arg1=<conniecoffeyxs@xxxxxxxxxxxxxxxxx>, relay=[207.72.130.138], reject=550 5.0.0 <conniecoffeyxs@xxxxxxxxxxxxxxxxx>... Mail rejected due to possible SPAM
Mar 22 19:19:04 www sendmail[23184]: i2N1J3723184: ruleset=check_relay, arg1=c-24-6-178-182.client.comcast.net, arg2=24.6.178.182, relay=c-24-6-178-182.client.comcast.net [24.6.178.182], reject=550 5.0.0 Mail rejected due to possible SPAM

Mar 23 13:03:38 www sendmail[21506]: i2NJ3b521506: POSSIBLE ATTACK from 12-223-158-134.client.insightbb.com: newline in string "ewlgpzhncm^M "

The blue-vein-in-the-forehead sendmail results when the packet gets
dropped... d-oh!
Mar 23 16:48:25 www sendmail[2450]: i2NMmJQ02450: SYSERR: putoutmsg (pa167.dobrodzien.sdi.tpnet.pl): error on output channel sending "550 5.0.0 Mail rejected due to possible SPAM": Broken pipe

If the hosts.allow/hosts.deny/logcheck trifecta is set up right it refuses the
connection and produces a skid mark like the above in your logs/logcheck stuff.
ssh and sendmail, control ^M's too...
The program then will see "refused connect from" or "Mail rejected due to
possible SPAM", "no such user" or whatever turns you on, is flagged from some
other programs or tools... some ip address or host it then quietly drops 'em in
ipchains forever or till a reboot, or a pre-configured time, then removes it or
reloads 'em if rebooted.
Currently testing using a 7 day cycle of ip addresses. It then can list 'em via
web or send them to root after resolving the offending host if it can. It also
provides a command line interface to add or remove them quickly when needed.
Command line Examples:
perl /root/lcp/lcp.pl add-ip 24.5.180.148
perl /root/lcp/lcp.pl del-ip 3.149.233.110

[root lcp]# ./lcp.pl
 Command line argument values for program [./lcp.pl argv0 argv1]:

 query-   Looks for perl, logcheck, logtail, ipchains, route and reports
where.

 routes   Show Kernel IP routing table.
 chains   Show ipchains.
 ls-bak   List backup directory files.
 ls-ign   List Ignore File.

 add-ip ip.nu.mb.er   Add a input IP address to Block.
 del-ip ip.nu.mb.er   Delete a input IP address that this Blocked.

 add-ig ip.nu.mb.er   Add a input IP address to the Ignore list.
 del-ig ip.nu.mb.er   Delete a input IP address from the Ignore list.

 re-bak m-d-y-h-m     Input a existing blocked backup file date to load.
                      USE ONLY if routes or ipchains have been unloaded.

 sv-tmp   Save current data. Restore from this temp later.
 unload   Unload all.
          Watch auto_prune configuration setting if unloaded
          for a long time. Also use the on_off_s_w if needed.
 rl-tmp   Restore the saved temp.

 -load-   Load the current list.
          USE ONLY if routes or ipchains have been unloaded.
 run-cc   Runs Program via Cron or Command Line.

 LogCheckPlus 1.03.01.04
 PageKeeper Service
 © Copyright 1999-2004. All Rights Reserved.
 http://www.pagekeeperserivce.com

Dropping in an isp in the raq4 e mail gui will flag any e mail addy's or whole
isp's, even countries, then the program drops 'em into ipchains or route.
The problem is, it takes a while to lookup an address in h-e-l-l. But that
could be switched off in configs.
Out o' time..

  David Hahn
  PageKeeper Service
  http://www.pagekeeperservice.com
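An added example (Python, not the author's Perl lcp.pl) of the logcheck-to-ipchains loop the post describes: match the "refused connect from" and "Mail rejected due to possible SPAM" lines, skip an ignore list, prune entries after the 7-day cycle, and print the ipchains DENY rules rather than run them. The log lines are the ones from the post (wrapped sendmail entries joined); the ignore-list entry and the stale block date are constructed.

```python
"""Added example (not David Hahn's lcp.pl): mimic the logcheck-to-ipchains loop the
post describes. Log lines are from the post; the ignore entry and stale block date
are constructed. Rules are printed for review, never executed."""
import re
from datetime import datetime, timedelta

# Log lines from the post (the mailer-wrapped sendmail entries joined onto one line).
SAMPLE_LOG = """\
Mar 22 19:23:55 www in.proftpd[23393]: refused connect from 211.157.101.25
Mar 22 19:23:56 www in.proftpd[23409]: refused connect from 211.157.101.25
Mar 22 19:18:53 www sendmail[23183]: i2N1Ir723183: ruleset=check_mail, arg1=<conniecoffeyxs@xxxxxxxxxxxxxxxxx>, relay=[207.72.130.138], reject=550 5.0.0 <conniecoffeyxs@xxxxxxxxxxxxxxxxx>... Mail rejected due to possible SPAM
Mar 22 19:19:04 www sendmail[23184]: i2N1J3723184: ruleset=check_relay, arg1=c-24-6-178-182.client.comcast.net, arg2=24.6.178.182, relay=c-24-6-178-182.client.comcast.net [24.6.178.182], reject=550 5.0.0 Mail rejected due to possible SPAM
Mar 23 13:03:38 www sendmail[21506]: i2NJ3b521506: POSSIBLE ATTACK from 12-223-158-134.client.insightbb.com: newline in string "ewlgpzhncm^M "
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [
    re.compile(r"refused connect from " + IPV4),  # tcp_wrappers refusal via hosts.deny
    re.compile(r"relay=(?:\S+ )?\[" + IPV4 + r"\].*Mail rejected due to possible SPAM"),
]
IGNORE = {"24.6.178.182"}  # constructed ignore-list entry (what add-ig would hold)
TTL = timedelta(days=7)     # the post's 7-day cycle (auto_prune)

def offenders(log_text):
    """IPs matching a block pattern and not on the ignore list. 'POSSIBLE ATTACK
    from <hostname>' lines carry no IP; host resolution is left out here."""
    hits = set()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m and m.group(1) not in IGNORE:
                hits.add(m.group(1))
    return hits

def prune(blocked, now):
    """Drop block entries older than TTL; blocked maps ip -> time first blocked."""
    return {ip: t for ip, t in blocked.items() if now - t < TTL}

def ipchains_cmds(ips):
    """DENY rules on the ipchains input chain, one per IP, for review."""
    return [f"ipchains -A input -s {ip} -j DENY" for ip in sorted(ips)]

if __name__ == "__main__":
    now = datetime(2004, 3, 23, 17, 0)
    # constructed: one stale entry (the post's del-ip example IP) that prune() drops
    blocked = prune({"3.149.233.110": now - timedelta(days=8)}, now)
    for ip in offenders(SAMPLE_LOG):
        blocked.setdefault(ip, now)
    print("\n".join(ipchains_cmds(blocked)))
```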