Re: [SLE] Firewall is getting hammered...help

Tom Nielsen wrote:
On Mon, 2003-09-29 at 11:11, Stephen wrote:
I even wrote a little script to find out the worst offenders, and tried to contact them, but to no avail.
Can I get a copy of that script?
Tom
Tom, I had grep'ped for 'DPT=135' through all the accumulated messages log files and dumped them to a file, then ran this script against it. It isn't a great script as it isn't what I do, but I had a bash, or a perl, at it in this case, and it worked, learned something new. No doubt someone will improve it, probably to a one liner, but it worked for me. It will print out a list of IP addresses with the number of probes from that address. I did a reverse dns and a port scan against the worst one, found that some were running web sites which had a contact address on it. Wrote to them, but have had nothing back, except more probes.

Change the filename to suit
--------------------------------------------------------------------------
#!/usr/bin/perl
use strict;
use warnings;

# the file holds the DPT=135 lines grep'ped out of the messages logs
open(my $ipfile, '<', '/home/stephen/log/messages.log') or die "cannot open log: $!";
my %ip;
while (my $line = <$ipfile>) {
    # count the SRC= address only (the firewall logs SRC= and DST= on each line),
    # and skip lines without one so a stale $1 is never counted
    next unless $line =~ /SRC=(\d+\.\d+\.\d+\.\d+)/;
    $ip{$1}++;
}
close($ipfile);
# worst offenders first
foreach my $key (sort { $ip{$b} <=> $ip{$a} } keys %ip) {
    my $rdns = `host $key`;
    print "$key($ip{$key}) => $rdns\n";
}
---------------------------------------------------------------------------
Steve

Stephen wrote: <snip>
foreach $key (sort keys %ip) { $rdns = `host $key`; print "$key($ip{$key}) => $rdns\n"; }
Forgot to mention this will do a rdns on all the ip addresses found, so can take a while if you have been badly hit. Probably better just to print out the ip address and count, then do a check on the larger ones.
Steve
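The same idea as Stephen's script, with the follow-up's suggestion built in: count every DPT=135 drop by its SRC= address, list the busiest first, and only reverse-resolve the addresses above a threshold. This is an added example in Python, not Stephen's script and not from the original thread; the log lines are constructed in the iptables/SuSEfirewall2 syslog shape, and the function names, the threshold argument and the fake resolver used for testing are my own.

```python
import re
import socket
import sys
from collections import Counter

# Constructed sample lines in the SuSEfirewall2/iptables syslog format.
# They are made up for this example and are not from the original thread.
SAMPLE_LOG = """\
Sep 29 10:01:02 gw kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=2981 DPT=135 SYN
Sep 29 10:01:05 gw kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1044 DPT=135 SYN
Sep 29 10:01:09 gw kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=2982 DPT=135 SYN
Sep 29 10:01:12 gw kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=2983 DPT=445 SYN
Sep 29 10:01:15 gw sshd[4242]: Accepted publickey for stephen from 198.51.100.9 port 51022
Sep 29 10:01:20 gw kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=3300 DPT=1350 SYN
Sep 29 10:01:22 gw kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=1045 DPT=135 SYN
Sep 29 10:01:30 gw kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= SRC=198.51.100.77 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=3301 DPT=135 SYN
Sep 29 10:01:33 gw kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 PROTO=TCP SPT=2984 DPT=135 SYN
"""

# Pick out the SRC= address and the DPT= port; a bare "\d+\.\d+..." match would
# also hit DST=, and a substring test for "DPT=135" would also hit DPT=1350.
LOG_RE = re.compile(r"\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b.*?\bDPT=(?P<dpt>\d+)\b")


def count_sources(lines, dport=135):
    """Count firewall log lines per SRC address for one destination port."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m is None or m.group("dpt") != str(dport):
            continue  # not a firewall line, or a different port
        counts[m.group("src")] += 1
    return counts


def worst_offenders(counts, minimum=1):
    """(ip, count) pairs, busiest first, keeping only counts >= minimum."""
    return [(ip, n) for ip, n in counts.most_common() if n >= minimum]


def reverse_dns(ip, timeout=2.0):
    """Best-effort PTR lookup that never raises, so one dead resolver cannot stall the report."""
    old = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return "(no PTR)"
    finally:
        socket.setdefaulttimeout(old)


def report(counts, minimum=1, resolver=reverse_dns):
    """Lines in the thread's 'ip(count) => name' shape.

    Only addresses at or above `minimum` get resolved, which is the follow-up's
    advice: count everything, look up only the larger ones.
    """
    return [f"{ip}({n}) => {resolver(ip)}" for ip, n in worst_offenders(counts, minimum)]


def main(argv):
    # usage: script.py [messages.log] [minimum-count]; with no file, runs on the sample
    minimum = int(argv[2]) if len(argv) > 2 else 1
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for row in report(count_sources(lines), minimum):
        print(row)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the grep'ped file with a threshold, e.g. `python3 offenders.py /home/stephen/log/messages.log 50`, and only the addresses with fifty or more probes get the `host`-style lookup; everything below that is just counted. The `resolver` argument exists so the counting can be checked offline with a stand-in lookup.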

On Mon, 2003-09-29 at 14:32, Stephen wrote:
It isn't a great script as it isn't what I do, but I had a bash, or a perl, at it in this case, and it worked, learned something new. No doubt someone will improve it, probably to a one liner, but it worked for me.
What I've done in the past was to do an "smbclient -L <IP address>" lookup against these sorts of addresses. Usually, these probes are coming from compromised machines on your broadband subnet, and you are very likely to find several that have open Windows shares on them. Who knows what you'll find? It's sort of a treasure hunt. ;-)

Eventually, though, you'll have better things to do, and you'll learn to use an aggregating reporter, like fwlogwatch, and you'll forget about these types of things. I had been using psad, but it doesn't come with SuSE. Though I had been working with the author to get it to work on 8.2, I sort of lost track of that project. It's probably all smoothed out by now anyway.

Regards,
dk