Re: [cobalt-users] Code Red
- Subject: Re: [cobalt-users] Code Red
- From: Greg Hewitt-Long <greg@xxxxxxxxxxxxxxxxxxx>
- Date: Thu Aug 9 09:45:04 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
>Off the top of my head, something like this should work:
[SHUDDER]
>
>tail -f /home/log/httpd/access | grep "\.ida" | ipchains -A input --source
>`sed...` -j DENY -l
I don't know about the ipchains syntax - it all looks a little dubious with the sed command - you would be better off extracting the IP using a cut -d\  -f2 first (note the two spaces).
I suggest replacing the grep "\.ida" with:
grep 'default.ida'
as any slip with the escaping on the period, and you have anyone with "?ida" in the logfile entry being blocked - e.g.:
http://www.blahdomain.com/myideas.html would match the .ide pattern matching within double quotes.
Use single quotes and explicit patterns wherever possible - double quotes and patterns are often a little TOO loose when it comes to performing removes, or blocks.
So - my stab at the script to get the IPs and IPchain them would be something like:
#!/bin/sh
grep 'default.ida' /home/log/httpd/access | cut -d\  -f2 | sort -u | while read IP_ADDRESS
do
echo "IPChain adding $IP_ADDRESS"
IP_CHAIN COMMAND HERE USING $IP_ADDRESS AS THE IP
done
If you're going to run it as root - you might also go through all the old logfile in your customers sites:
grep 'default.ida' /home/sites/site*/logs/web.log | cut -d\  -f1 | sort -u | while read IP_ADDRESS
do
echo "IPChain adding $IP_ADDRESS"
IP_CHAIN COMMAND HERE USING $IP_ADDRESS AS THE IP
done
### NOTE ###
1. the cut command: cut -d\  -fblah - has TWO SPACES after the backslash - i.e., it's an escaped space - and I do this explicitly to remove doubt on the setting for IFS (Internal Field Separator).
2. The logs in the logs folders have the IP address first on our RAQ3's - yours may differ - so this command was altered to take the first field (cut -f1).
3. for efficiency - don't remove the sort -u - it will prevent any duplication of the IPchains command
4. if you can use the IP address as the last argument - you can replace the while ... do... done loop with xargs
5. IPChains commands - I don't have it installed, so I can't provide syntax for adding the IP address to a remove - if someone can tell me where the download is - I can install it and complete my scripts
regards
Greg
>Replace ... with the Sed expression to extract the IP address.
>
>At 07:34 PM 8/9/01 +0100, Jason Vaughan wrote:
>>There have been frequent threads about Code Red and even a few
>>scripts to check how many times it has attacked.
>>
>>Here is a challenge for any top scripters out there...
>>
>>Write a script which monitors the access log and if it sees tell tale
>>signs (e.g requests for .ida) it then blocks that IP address, using
>>IPCHAINS or similar.
>
>
>--------------------------------------------------------------------------
>Ted Behling, Web Application Developer - Monarch Information Systems, Inc.
--
http://www.webyourbusiness.com/
Providers of E-Commerce Software &
Web Design Consultancy and Services.
PH: (970)266-0195 FAX: (970)266-0158
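Here is a worked version of the log-to-blocklist idea from Greg's script above, added as an example and not code from the thread or from any Cobalt product. It uses a fixed-string grep (so the period in default.ida cannot act as a wildcard), takes the first field with awk instead of relying on the two-space cut delimiter, and only prints the ipchains rules unless told to apply them; the sample log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): extract the source IPs of
# Code Red probes (requests for default.ida) from common-log-format access
# logs, de-duplicate them, and emit one ipchains DENY rule per address.

# Constructed sample log lines; the client IP is the first field.
SAMPLE_LOG='10.0.0.5 - - [09/Aug/2001:10:01:02 +0100] "GET /default.ida?XXXX HTTP/1.0" 400 328
192.168.1.20 - - [09/Aug/2001:10:01:07 +0100] "GET /myideas.html HTTP/1.0" 200 1542
10.0.0.5 - - [09/Aug/2001:10:02:15 +0100] "GET /default.ida?NNNN HTTP/1.0" 400 328
172.16.3.9 - - [09/Aug/2001:10:03:44 +0100] "GET /default.ida?XXXX HTTP/1.0" 400 328
192.168.1.21 - - [09/Aug/2001:10:04:00 +0100] "GET /defaultXida HTTP/1.0" 404 210'

# Read log lines on stdin, print the unique offending IPs one per line.
# grep -F matches the literal string, so "defaultXida" is NOT matched the way
# an unescaped "." in a regex would match it; awk takes the first
# whitespace-separated field regardless of how many spaces separate fields.
codered_ips() {
    grep -F 'default.ida' | awk '{ print $1 }' | sort -u
}

# Read IPs on stdin and turn each into an ipchains input DENY rule with
# logging (-l). Default is a dry run that only prints the commands; pass
# "apply" to execute them (needs root and the ipchains tool installed).
block_rules() {
    mode=${1:-dry-run}
    while read -r ip; do
        if [ "$mode" = "apply" ]; then
            ipchains -A input -s "$ip" -j DENY -l
        else
            echo "ipchains -A input -s $ip -j DENY -l"
        fi
    done
}

# Example run over the constructed sample (dry run).
printf '%s\n' "$SAMPLE_LOG" | codered_ips | block_rules
```

To process a real log instead of the sample, replace the printf with `cat /path/to/access.log` and, once the printed rules look right, append `apply` to block_rules.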