My Geek-Blog!!
Friday, August 05, 2005
The details
The details of how my log-watch system works:
1. mkfifo /tmp/log_fifo
2. edit /etc/syslog.conf and add:
*.info;authpriv.none |/tmp/log_fifo
3. edit /etc/sysconfig/iptables and add a new table called "BADGUYS":
a. in the "filter" section (at the top):
:BADGUYS - [0:0]
b. in the INPUT table:
-A INPUT --in-interface eth+ --jump BADGUYS
c. in the BADGUYS table (add this at the bottom):
-A BADGUYS --in-interface eth+ --source 169.254.0.0/16 --jump DROP
(or some other "bad" IP address range)
4. service syslog restart
5. run my logmonitor script, which watches the /tmp/log_fifo "file" (more on this later)
By default, the logmonitor wakes up whenever a new entry appears in the log_fifo -- i.e. every time a login fails, but also every time any other crap goes into the log file. Every 5 minutes, it also wakes up and checks if any of the banned IP addresses has expired -- right now a ban is for 12 hours. I think the overhead on the system is minimal, and it catches script kiddies after 3 failed attempts, not 50.
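Added example (my own Python sketch, not the author's logmonitor script, which the post does not show): it reads the FIFO unbuffered so each syslog line wakes it, counts sshd "Failed password" lines per source address, inserts a DROP rule into the BADGUYS chain after 3 failures, and lifts bans after 12 hours on a 5-minute sweep. The sshd message format and the iptables invocation through subprocess are assumptions; the `run` callback exists so the ban logic can be exercised without root.

```python
import re
import select
import subprocess
import time
from collections import defaultdict
# sshd failure line as syslog forwards it into the FIFO (assumed format)
FAIL_RE = re.compile(r"Failed password for .*? from (\d{1,3}(?:\.\d{1,3}){3}) port")
THRESHOLD = 3            # failed attempts before a ban (from the post)
BAN_SECONDS = 12 * 3600  # ban length from the post: 12 hours
CHECK_EVERY = 300        # expiry sweep interval from the post: 5 minutes

class BanList:
    def __init__(self, run):
        self.run = run                    # callable taking an iptables argv
        self.failures = defaultdict(int)  # ip -> failed attempts so far
        self.banned = {}                  # ip -> time the ban started
    def feed(self, line, now):
        """Process one log line; returns the IP if it was banned just now."""
        m = FAIL_RE.search(line)
        if not m or m.group(1) in self.banned:
            return None
        ip = m.group(1)
        self.failures[ip] += 1
        if self.failures[ip] < THRESHOLD:
            return None
        del self.failures[ip]
        self.banned[ip] = now
        self.run(["iptables", "-I", "BADGUYS", "--source", ip, "--jump", "DROP"])
        return ip
    def expire(self, now):
        """Lift bans older than BAN_SECONDS; returns the IPs unbanned."""
        done = [ip for ip, t in self.banned.items() if now - t >= BAN_SECONDS]
        for ip in done:
            del self.banned[ip]
            self.run(["iptables", "-D", "BADGUYS", "--source", ip, "--jump", "DROP"])
        return done

def watch(fifo="/tmp/log_fifo"):
    """Wake on each FIFO line or every CHECK_EVERY seconds, as the post describes."""
    bans = BanList(lambda argv: subprocess.run(argv, check=False))
    while True:  # reopen after syslog closes its end (e.g. on restart)
        with open(fifo, "rb", buffering=0) as f:  # unbuffered so select() sees every line
            while True:
                ready, _, _ = select.select([f], [], [], CHECK_EVERY)
                if ready:
                    line = f.readline()
                    if not line:
                        break  # writer went away: reopen the FIFO
                    bans.feed(line.decode(errors="replace"), time.time())
                bans.expire(time.time())
```

Run `watch()` as root on the host where syslog writes into /tmp/log_fifo; a line that never matches FAIL_RE is ignored, and an address already banned is not counted again until its ban expires.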