Comments on: FAQ http://danger.rulez.sk Yet another FreeBSD committer's homepage Thu, 04 Mar 2010 06:41:34 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: danger http://danger.rulez.sk/index.php/bruteforceblocker/faq/comment-page-1/#comment-758 danger Tue, 17 Nov 2009 20:02:23 +0000 http://danger.rulez.sk/?page_id=6#comment-758 People are used to just send me an email and I will handle it manually. Please do so as well, stating which IP you would like to have to be removed. People are used to just send me an email and I will handle it manually.
Please do so as well, stating which IP you would like to have to be removed.

]]> By: Macio http://danger.rulez.sk/index.php/bruteforceblocker/faq/comment-page-1/#comment-757 Macio Tue, 17 Nov 2009 14:31:04 +0000 http://danger.rulez.sk/?page_id=6#comment-757 Hi I was wondering is there was any way to be deleted from this Blist. Or is there some timeout after your IP is deleted if you dont have a compromised computer anymore. Hi

I was wondering is there was any way to be deleted from this Blist.
Or is there some timeout after your IP is deleted if you dont have a compromised computer anymore.

]]> By: danger http://danger.rulez.sk/index.php/bruteforceblocker/faq/comment-page-1/#comment-751 danger Tue, 29 Sep 2009 08:24:51 +0000 http://danger.rulez.sk/?page_id=6#comment-751 I believe you have already resolved it after our talk on IRC... ;) I believe you have already resolved it after our talk on IRC… ;)

]]> By: Andre http://danger.rulez.sk/index.php/bruteforceblocker/faq/comment-page-1/#comment-749 Andre Thu, 17 Sep 2009 00:57:50 +0000 http://danger.rulez.sk/?page_id=6#comment-749 I recently installed this script and it works great but I came across a problem that I haven't been able to resolve.The IPs that are blocked aren’t removed in the time specified in the timeout variable. How often does the script check when a blocked IP has expired? I looked at the code it seems that it only gets checked if there is an attack in the process but if there isn’t an attack for a long time, the IP will remain blocked. Anyone have ideas on this? I recently installed this script and it works great but I came across a problem that I haven’t been able to resolve.The IPs that are blocked aren’t removed in the time specified in the timeout variable. How often does the script check when a blocked IP has expired? I looked at the code it seems that it only gets checked if there is an attack in the process but if there isn’t an attack for a long time, the IP will remain blocked. Anyone have ideas on this?

]]> By: Cassidy http://danger.rulez.sk/index.php/bruteforceblocker/faq/comment-page-1/#comment-724 Cassidy Tue, 07 Apr 2009 05:23:55 +0000 http://danger.rulez.sk/?page_id=6#comment-724 I went ahead and crafted a simple hack for CIDR based whitelist networks. You need the following from CPAN: Net::IP::Match::XS Change lines from: if (!grep { /$IP/ } @{$cfg->{whitelist}}) { TO: if (!match_ip( $IP, @{$cfg->{whitelist}})) { It works well for me so far. Thanks for a great solution! I went ahead and crafted a simple hack for CIDR based whitelist networks.

You need the following from CPAN:
Net::IP::Match::XS

Change lines from:
if (!grep { /$IP/ } @{$cfg->{whitelist}}) {

TO:
if (!match_ip( $IP, @{$cfg->{whitelist}})) {

It works well for me so far.

Thanks for a great solution!

]]> By: Norbert http://danger.rulez.sk/index.php/bruteforceblocker/faq/comment-page-1/#comment-723 Norbert Thu, 26 Feb 2009 02:48:40 +0000 http://danger.rulez.sk/?page_id=6#comment-723 Dear danger, After long time I just entered your site again and I can see your reply - thanks ;-) BTW, I successfully (8 months) use your script after I succeed adapting it to my needs. You are probably right with suggestion of blocking attackers like in the example above, but I don't have too much experience with PF and simply afraid some experiments on heavily loaded production server. What I implemented is 100% transparent and is doing its task well. Now I can notice only a few BAD attempts daily which is acceptable. Below I'd like to present my scripts, one might find them useful: # cat /etc/periodic/hourly/bruteforce_blocker #!/usr/local/bin/bash echo>/var/db/www-bruteforce /etc/rc.d/pf reload /etc/rc.d/syslogd reload # cat /usr/local/sbin/apache_syslog #!/usr/local/bin/perl # script: apache-access-logger use Sys::Syslog; $SERVER_NAME = shift || 'www'; $PRIORITY = 'info'; $FACILITY = 'local1'; Sys::Syslog::setlogsock('unix'); openlog ($SERVER_NAME,'ndelay', $FACILITY); while () { chomp; syslog($PRIORITY,$_); } closelog; # cat /etc/syslog.conf | grep local1 local1.* /var/log/apache_syslog.log local1.* |/usr/local/sbin/bruteforceblocker in apache virtual host In my apache virtual host conf I have: SetEnvIf Request_URI “/scripts/scripts” brute_force CustomLog “|/usr/local/sbin/apache_syslog” combined env=brute_force CustomLog “/var/log/domain/domain-bruteforce_log” combined env=brute_force SetEnvIf Request_URI “/includes/includes” brute_force CustomLog “|/usr/local/sbin/apache_syslog” combined env=brute_force CustomLog “/var/log/domain/domain-bruteforce_log” combined env=brute_force my custom bruteforceblocker rules look like this: /.*www: ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}).*/i || /.*ftpd:.*@($work->{ipv4}).*uthentication fail.*/i the second rule is for pureftpd Best regards Norbert Dear danger,
After long time I just entered your site again and I can see your reply – thanks ;-)

BTW, I successfully (8 months) use your script after I succeed adapting it to my needs. You are probably right with suggestion of blocking attackers like in the example above, but I don’t have too much experience with PF and simply afraid some experiments on heavily loaded production server.

What I implemented is 100% transparent and is doing its task well.
Now I can notice only a few BAD attempts daily which is acceptable.

Below I’d like to present my scripts, one might find them useful:

# cat /etc/periodic/hourly/bruteforce_blocker
#!/usr/local/bin/bash
echo>/var/db/www-bruteforce
/etc/rc.d/pf reload
/etc/rc.d/syslogd reload

# cat /usr/local/sbin/apache_syslog
#!/usr/local/bin/perl
# script: apache-access-logger

use Sys::Syslog;
$SERVER_NAME = shift || ‘www’;

$PRIORITY = ‘info’;
$FACILITY = ‘local1′;

Sys::Syslog::setlogsock(‘unix’);
openlog ($SERVER_NAME,’ndelay’, $FACILITY);
while () {
chomp;
syslog($PRIORITY,$_);
}
closelog;

# cat /etc/syslog.conf | grep local1
local1.* /var/log/apache_syslog.log
local1.* |/usr/local/sbin/bruteforceblocker

in apache virtual host
In my apache virtual host conf I have:

SetEnvIf Request_URI “/scripts/scripts” brute_force
CustomLog “|/usr/local/sbin/apache_syslog” combined env=brute_force
CustomLog “/var/log/domain/domain-bruteforce_log” combined env=brute_force

SetEnvIf Request_URI “/includes/includes” brute_force
CustomLog “|/usr/local/sbin/apache_syslog” combined env=brute_force
CustomLog “/var/log/domain/domain-bruteforce_log” combined env=brute_force

my custom bruteforceblocker rules look like this:
/.*www: ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}).*/i ||
/.*ftpd:.*@($work->{ipv4}).*uthentication fail.*/i

the second rule is for pureftpd

Best regards
Norbert

]]> By: danger http://danger.rulez.sk/index.php/bruteforceblocker/faq/comment-page-1/#comment-694 danger Thu, 19 Jun 2008 05:55:51 +0000 http://danger.rulez.sk/?page_id=6#comment-694 Dear Norbert, thank you for using my script; however I don't think it's a wise idea to use my script for the task you are trying to accomplish. Much more convenient ways would be something like this: table <httpsuckers> persist block quick from <httpsuckers> pass inet proto tcp from any to $localnet port {http, https} \ flags S/SA keep state \ (max-src-conn 100, max-src-conn-rate 15/5, \ overload <httpsuckers> flush global) together with security/expiretable port to remove old IPs from the table. I hope this helps to you. Dear Norbert,

thank you for using my script; however I don’t think it’s a wise idea to use my script for the task you are trying to accomplish. Much more convenient ways would be something like this:

table persist
block quick from

pass inet proto tcp from any to $localnet port {http, https} \
flags S/SA keep state \
(max-src-conn 100, max-src-conn-rate 15/5, \
overload flush global)

together with security/expiretable port to remove old IPs from the table. I hope this helps to you.

]]> By: Norbert http://danger.rulez.sk/index.php/bruteforceblocker/faq/comment-page-1/#comment-693 Norbert Thu, 19 Jun 2008 00:30:31 +0000 http://danger.rulez.sk/?page_id=6#comment-693 Thank you for your great script !!! I have adapted it to block some http requests. I was qurious why my server is so havily loaded and then I realized that I have a lot of requests similar to http://domain.name.com/index.php/includes/includes/scripts/scripts. I decided to use your scripts to disconnect "crackers" from my server. Although disconnecting is working fine, the time limit doesn't work and I don;t know why. Will you find some time helping me. Below you can find my files, I am running FreeBSD 6.2 In my apache virtual host I have: SetEnvIf Request_URI "/scripts/scripts" brute_force CustomLog "|/usr/local/sbin/apache_syslog" combined env=brute_force CustomLog "/var/log/domain/domain-bruteforce_log" combined env=brute_force SetEnvIf Request_URI "/includes/includes" brute_force CustomLog "|/usr/local/sbin/apache_syslog" combined env=brute_force CustomLog "/var/log/domain/domain-bruteforce_log" combined env=brute_force in syslog.conf local1.* |/usr/local/sbin/bruteforceblock er local1.* /var/log/apache_syslog.log in apache_syslog: #!/usr/local/bin/perl # script: apache-access-logger use Sys::Syslog; $SERVER_NAME = shift || 'www'; $PRIORITY = 'info'; $FACILITY = 'local1'; Sys::Syslog::setlogsock('unix'); openlog ($SERVER_NAME,'ndelay', $FACILITY); while () { chomp; syslog($PRIORITY,$_); } closelog; and extra rule in your script # the core process while () { if (/.*Failed password.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}) por t.*/i || /.*Invalid user.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn})$/i || /.*Did not receive identification string from ($work->{ipv4}|$work->{ipv 6}|$work->{fqdn})$/i || /.*Bad protocol version identification .* from ($work->{ipv4}|$work->{ip v6}|$work->{fqdn})$/i || /.*User.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}) not allowed be cause.*/i || /.*www: ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}).*/i ) { Thank you for your great script !!!
I have adapted it to block some http requests. I was qurious why my server is so havily loaded and then I realized that I have a lot of requests similar to http://domain.name.com/index.php/includes/includes/scripts/scripts.

I decided to use your scripts to disconnect “crackers” from my server. Although disconnecting is working fine, the time limit doesn’t work and I don;t know why.

Will you find some time helping me.
Below you can find my files, I am running FreeBSD 6.2

In my apache virtual host I have:

SetEnvIf Request_URI “/scripts/scripts” brute_force
CustomLog “|/usr/local/sbin/apache_syslog” combined env=brute_force
CustomLog “/var/log/domain/domain-bruteforce_log” combined env=brute_force

SetEnvIf Request_URI “/includes/includes” brute_force
CustomLog “|/usr/local/sbin/apache_syslog” combined env=brute_force
CustomLog “/var/log/domain/domain-bruteforce_log” combined env=brute_force

in syslog.conf

local1.* |/usr/local/sbin/bruteforceblock
er
local1.* /var/log/apache_syslog.log

in apache_syslog:
#!/usr/local/bin/perl
# script: apache-access-logger

use Sys::Syslog;
$SERVER_NAME = shift || ‘www’;

$PRIORITY = ‘info’;
$FACILITY = ‘local1′;

Sys::Syslog::setlogsock(‘unix’);
openlog ($SERVER_NAME,’ndelay’, $FACILITY);
while () {
chomp;
syslog($PRIORITY,$_);
}
closelog;

and extra rule in your script
# the core process

while () {
if (/.*Failed password.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}) por
t.*/i ||
/.*Invalid user.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn})$/i ||
/.*Did not receive identification string from ($work->{ipv4}|$work->{ipv
6}|$work->{fqdn})$/i ||
/.*Bad protocol version identification .* from ($work->{ipv4}|$work->{ip
v6}|$work->{fqdn})$/i ||
/.*User.*from ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}) not allowed be
cause.*/i ||
/.*www: ($work->{ipv4}|$work->{ipv6}|$work->{fqdn}).*/i ) {

]]> By: danger http://danger.rulez.sk/index.php/bruteforceblocker/faq/comment-page-1/#comment-691 danger Thu, 17 Apr 2008 00:26:35 +0000 http://danger.rulez.sk/?page_id=6#comment-691 Sorry, this is not yet possible (patches welcome :-)), however I suppose you can work this around by simple "quick" rule in pf.conf before bruteforceblocker's rule, i.e.: <blockquote>table <bruteforce> persist file "/var/db/ssh-bruteforce" pass in log quick proto tcp from 192.60.128.0/22 to any port ssh block in log quick proto tcp from <bruteforce> to any port ssh</blockquote> Pretty straightforward. If you want to whitelist more CIDRs, you can also use another table for whitelist. I hope it helps you. I think I can add this to my TODO list, but I am nowadays a bit too much busy so it might take some time to implement by me. By the way, I suppose the implementation shouldn't be hard using e.g. Net::CIDR perl extension.... Sorry, this is not yet possible (patches welcome :-) ), however I suppose you can work this around by simple “quick” rule in pf.conf before bruteforceblocker’s rule, i.e.:

table persist file “/var/db/ssh-bruteforce”

pass in log quick proto tcp from 192.60.128.0/22 to any port ssh
block in log quick proto tcp from to any port ssh

Pretty straightforward. If you want to whitelist more CIDRs, you can also use another table for whitelist. I hope it helps you.
I think I can add this to my TODO list, but I am nowadays a bit too much busy so it might take some time to implement by me. By the way, I suppose the implementation shouldn’t be hard using e.g. Net::CIDR perl extension….

]]> By: Michael Pearl http://danger.rulez.sk/index.php/bruteforceblocker/faq/comment-page-1/#comment-690 Michael Pearl Wed, 16 Apr 2008 20:07:25 +0000 http://danger.rulez.sk/?page_id=6#comment-690 Does the 'whitelist' in the bruteforceblocker.conf support CIDR or possibly wildcards? I'd like to whitelist an entire /22. Does the ‘whitelist’ in the bruteforceblocker.conf support CIDR or possibly wildcards? I’d like to whitelist an entire /22.

]]>