February 28, 2003
dynamic ghetto ids

use openbsd's pf to dynamically block those damn 2-year-old Code Red-infected boxen. found on deadly.org: "Daniel is at it again. Answering the question of how to dynamically create rulesets based on arbitrary criteria, Daniel discusses how he tracks web clients and kills them with dynamic rulesets. This would be easy to extend to a variety of detection criteria and add various levels of security via a PF host. Don't forget that reactionary firewalls are a great way to lock yourself off the Internet, so don't be too overzealous in your ruleset building."

here's my code:

#!/bin/bash
## cool idea by Daniel Hartmeier ##
# 1. start from the current block list, dropping loopback and RFC 1918 sources
#    (a local address in the table would cut off our own network; note that
#    172.16.0.0/12 is not covered here, add it if you use that range)
egrep -v "^(127\.|192\.168\.|10\.)" /etc/apache/quickblock.block \
> /etc/apache/.quickblock.tmp
# 2. append the client IP (first field of the access_log line) of every
#    request that matches a pattern in quickblock.grep
egrep -f /etc/apache/quickblock.grep /var/log/apache/access_log \
| cut -d " " -f 1 >> /etc/apache/.quickblock.tmp
# 3. dedupe, filter the local ranges once more, write the new list
sort -u < /etc/apache/.quickblock.tmp | egrep -v "^127\.0\.0\.1$" \
| egrep -v "^(192\.168\.|10\.)" > /etc/apache/quickblock.block
# 4. swap the whole table contents in pf in one operation
pfctl -t quickblock -T replace -f /etc/apache/quickblock.block
rm /etc/apache/.quickblock.tmp
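the same log-to-table pipeline as the script above (pattern match, take the client IP, drop local sources, dedupe, merge with the current list), written as an added example that is not part of the original post or of Daniel's scripts. it assumes Common Log Format input and a constructed sample log; pfctl itself is only named in a comment so the script runs anywhere.

```python
import ipaddress
import re

# Request patterns from quickblock.grep, with the dots escaped so "cmd.exe"
# is not a wildcard match (egrep -f treats each line as a regex).
QUICKBLOCK_PATTERNS = [r"/crawlertrap/", r"/_vti_bin/", r'"GET /www/scripts/',
                       r"cmd\.exe", r"root\.exe"]

# Sources that must never end up in the block table. The shell regex covers
# 127., 192.168. and 10. only; 172.16/12 and link-local are added here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "169.254.0.0/16")]

# Constructed Common Log Format sample, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Feb/2003:14:01:02 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
192.168.1.5 - - [16/Feb/2003:14:01:09 -0500] "GET /crawlertrap/index.html HTTP/1.0" 200 512
172.16.4.9 - - [16/Feb/2003:14:03:11 -0500] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 286
203.0.113.7 - - [16/Feb/2003:14:03:30 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 286
garbage - - [16/Feb/2003:14:04:00 -0500] "GET /_vti_bin/ HTTP/1.0" 404 286
"""

def is_local(src):
    """True for loopback, RFC 1918 and link-local addresses."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in LOCAL_NETS)

def offending_sources(log_text, patterns=QUICKBLOCK_PATTERNS):
    """Non-local client IPs (as strings) whose request matched a pattern."""
    matcher = re.compile("|".join(patterns))
    hits = set()
    for line in log_text.splitlines():
        if not matcher.search(line):
            continue
        src = line.split(" ", 1)[0]          # first CLF field is the client IP
        try:
            if not is_local(src):
                hits.add(src)
        except ValueError:
            pass                              # malformed field: never feed it to pfctl
    return hits

def merge_block_list(existing, new):
    """Union of the current table file and new hits, sorted, one per line."""
    addrs = {ipaddress.ip_address(a) for a in list(existing) + list(new)}
    return [str(a) for a in sorted(addrs)]

if __name__ == "__main__":
    merged = merge_block_list(["198.51.100.200"], offending_sources(SAMPLE_LOG))
    print("\n".join(merged))   # write to a file, then: pfctl -t quickblock -T replace -f <file>
```

the 172.16.4.9 line shows the case the shell regex misses: it matches a pattern but is still kept out of the table.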


here's the original message:

List: openbsd-pf
Subject: Re: [OpenBSD-pf] dynamic filtering based on httpd error_log
From: Daniel Hartmeier
Date: 2003-02-16 14:22:38

On Sun, Feb 16, 2003 at 02:49:06AM -0500, Nathan Fisher wrote:

> I'm primarily interested in dynamic addition and removal of rule
> sets using pf.

With -current, this is pretty simple with tables.

For instance, I add IP addresses to a block rule when they request
certain pages from my web server. It's worth noting that a client must
complete the TCP handshake to fetch a page and get logged in the web
server log, so spoofing source addresses is no threat to this setup.

$ cat quickblock.grep
/crawlertrap/
/_vti_bin/
"GET /www/scripts/
cmd.exe
root.exe

$ cat quickblock (this is run from a cronjob)
cat ~/quickblock >~/quickblock.tmp
egrep -f ~/quickblock.grep /var/log/thttpd | cut -d " " -f 1 >>~/quickblock.tmp
sort -u <~/quickblock.tmp | grep -v "^127\.0\.0\.1$" >~/quickblock
pfctl -t quickblock -T replace -f ~/quickblock

$ pfctl -sr | grep quickblock
block drop in quick on kue0 inet from <quickblock> to any

So if a client requests /crawlertrap/index.html, because it's an
impolite web crawler dishonouring my robots.txt, it gets added to the
quickblock table within a couple of minutes (when the cronjob runs the
next time), which blocks further connections from that source.

With pfctl -t quickblock -T , you can manually add or remove
addresses from that table, view statistics, etc., see the new pfctl man
page.

Evaluation of the ruleset doesn't get more expensive when the table size
grows, that's the nice thing about tables:

$ pfctl -t quickblock -T show | wc -l
414

It doesn't really matter if there are 400 or 40000 addresses in that
table, the rule will evaluate equally fast.

Daniel


Posted by skp at February 28, 2003 10:53 AM