IP Deny logging to a database or post block/post remove hooks

nickp666
Junior Member
Posts: 36
Joined: 15 Dec 2006, 08:30
Location: UK

Post by nickp666 »

One thing that could possibly be added (although not a big thing - I'm sure you have better things to do)

Would it be possible for you to add a command line trigger to lfd to generate a block report, as presently I can only test it by triggering an IP block by brute forcing/login fails (I understand this is because it is lfd and not csf that forks the process)
nickp666
Junior Member
Posts: 36
Joined: 15 Dec 2006, 08:30
Location: UK

Post by nickp666 »

Have just discovered one problem with the way this works (which you may or may not want to fix - it isn't a large issue - only PHP related)

I have been experimenting with the centralised database idea discussed previously in this thread, using a PHP shell script to accept the data.

It all works fine and as expected, except for triggering suhosin's default variable name length limit (the actual block data) as below:
Oct 22 15:51:06 SERVERNAME suhosin[6314]: ALERT - configured request variable name length limit exceeded - dropped variable '6_(smtpauth)_login_failures_from_114_44_132_135_in_the_last_300_secs' (attacker 'REMOTE_ADDR not set', file 'unknown')
Is there a way I can hack it to add switches with parameters rather than long strings, e.g.:


user@box# /path/to/script -b '6_(smtpauth)_login_failures_from_114_44_132_135_in_the_last_300_secs' 
opposed to the current method:


user@box# /path/to/script '6_(smtpauth)_login_failures_from_114_44_132_135_in_the_last_300_secs' 
Suhosin will then not trigger as the limit is on the variable name length, rather than the string value.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Post by chirpy »

Well, the routine is script agnostic and I don't want to make it specific to PHP (ugh). I suppose you could try changing BLOCK_REPORT from:

"/path/to/script"

to:

"/path/to/script -b"
nickp666
Junior Member
Posts: 36
Joined: 15 Dec 2006, 08:30
Location: UK

Post by nickp666 »

Doh, didn't think of that!

I am only using PHP to test for simplicity ;)
randy
Junior Member
Posts: 23
Joined: 19 Nov 2007, 23:16

Post by randy »

nickp666 wrote: Doh, didn't think of that!

I am only using PHP to test for simplicity ;)
Nick,

Did you say you were putting this into a database? I would be interested to see how you are doing this, it would be a great thing to have for our users.

Randy
nickp666
Junior Member
Posts: 36
Joined: 15 Dec 2006, 08:30
Location: UK

Post by nickp666 »

randy wrote: Nick,

Did you say you were putting this into a database? I would be interested to see how you are doing this, it would be a great thing to have for our users.

Randy
I am indeed. My intention is to develop a centralised block list and an associated app for end users to query; however, as I am doing this in my spare time, it is only very rough at the moment.
Kent Brockman
Junior Member
Posts: 78
Joined: 26 May 2008, 16:57

Post by Kent Brockman »

Your idea sounds cool. It's cool to determine the origin IPs of recurrent port scanning and connection attempts. You may generate statistics on the frequency and provenance of them.

Also, you can use shell_exec via PHP to see what's happening in real time.
You can generate a list of currently blocked IPs:
iptables -L LOCALINPUT -n | grep DROP | awk '{print $4}' | uniq
or just count how many IPs are being blocked at this moment:
iptables -L LOCALINPUT -n | grep DROP | awk '{print $4}' | uniq | wc -l

I do use those commands from a hidden PHP file in one of the domains to check from my cell phone if something strange is happening and requires urgent action (and if that is on fire, I call an emergency script from my cell phone with another hidden shell_exec request that will turn off affected services, free memory, and restart them once the situation is under control).
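The same "who is blocked right now" question the pipelines above answer, as an added example that is not part of the thread: a small parser for the `iptables -L LOCALINPUT -n` listing format, written to run locally (cron, SSH) rather than from a web-reachable script, so the iptables call never sits behind a URL. The sample listing is constructed (the thread's 114.44.132.135 plus documentation addresses); `live_listing()` runs the real command and needs root, and the chain name is taken from the post above.

```python
"""Parse `iptables -L LOCALINPUT -n` output into the list of dropped sources.

Added example, not csf/lfd code. SAMPLE_LISTING is constructed for the demo.
"""
import subprocess

SAMPLE_LISTING = """\
Chain LOCALINPUT (1 references)
target     prot opt source               destination
DROP       all  --  114.44.132.135       0.0.0.0/0
DROP       tcp  --  203.0.113.7          0.0.0.0/0            tcp dpt:25
ACCEPT     all  --  198.51.100.9         0.0.0.0/0
DROP       all  --  114.44.132.135       0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""


def blocked_sources(listing):
    """Return the unique DROP sources in first-seen order.

    Column 4 of `iptables -L -n` is the source address. De-duplication here
    covers the whole listing, whereas a bare `uniq` in a pipeline only folds
    repeats that happen to be adjacent.
    """
    seen = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "DROP":
            continue  # header lines and non-DROP targets are ignored
        if fields[3] not in seen:
            seen.append(fields[3])
    return seen


def blocked_count(listing):
    """Number of distinct sources currently being dropped."""
    return len(blocked_sources(listing))


def live_listing(chain="LOCALINPUT"):
    """Run iptables as an argument list (no shell involved); requires root."""
    result = subprocess.run(["iptables", "-L", chain, "-n"],
                            check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    ips = blocked_sources(SAMPLE_LISTING)
    print(f"{len(ips)} blocked: {', '.join(ips)}")
```

Swap `SAMPLE_LISTING` for `live_listing()` on a csf host to get the real chain; the parsing is the same.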
NightRider
Junior Member
Posts: 2
Joined: 05 Dec 2008, 10:08

Post by NightRider »

Guys, need help.

I have BLOCK_REPORT = /usr/bin/php /home/someuser/public_html/banned.php

But this doesn't work...
Is there something wrong?
nickp666
Junior Member
Posts: 36
Joined: 15 Dec 2006, 08:30
Location: UK

Post by nickp666 »

How are you processing the command line arguments?

You will need to use Console_GetOpt or similar in PHP to parse the raw arguments.

Also if you have suhosin installed, it will drop all script executions due to the length of the variable names supplied from lfd.
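A complete BLOCK_REPORT receiver, as an added example that is not from the thread or from csf/lfd: it parses the `-b` switch discussed earlier in the thread (with `BLOCK_REPORT = "/path/to/block_report.py -b"`), recovers the IP from the underscored lfd message shown above, and logs the block to a database with a parameterised insert. The receiver is in Python, so the suhosin request-variable limit (a PHP-only issue, as the thread notes) does not apply. Assumptions: the table layout and `DB_PATH` are this example's own; any arguments lfd appends after the message are kept verbatim as `extra` rather than given a meaning they may not have.

```python
#!/usr/bin/env python3
"""Receiver for lfd's BLOCK_REPORT, logging each block to SQLite.

Added example, not csf/lfd code. Assumes BLOCK_REPORT is set to
"/path/to/block_report.py -b" so the block message arrives as the value
of -b; anything else lfd appends is stored untouched as 'extra'.
"""
import argparse
import ipaddress
import re
import sqlite3
import sys
from datetime import datetime, timezone

DB_PATH = "/var/local/lfd_blocks.sqlite"  # assumed location; choose your own

SCHEMA = """
CREATE TABLE IF NOT EXISTS blocks (
    id        INTEGER PRIMARY KEY,
    logged_at TEXT NOT NULL,
    ip        TEXT,
    message   TEXT NOT NULL,
    extra     TEXT
)
"""

# lfd writes the offending address with underscores instead of dots, as in
# '6_(smtpauth)_login_failures_from_114_44_132_135_in_the_last_300_secs'
_UNDERSCORED_IP = re.compile(r"from_(\d{1,3}(?:_\d{1,3}){3})_")


def ip_from_message(message):
    """Recover the IPv4 address from an underscored lfd message, or None.

    The candidate is validated with the ipaddress module so a mangled or
    crafted message never lands in the ip column looking like an address.
    """
    match = _UNDERSCORED_IP.search(message)
    if match is None:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1).replace("_", ".")))
    except ValueError:
        return None


def parse_args(argv):
    """Parse 'block_report.py -b <message> [extra ...]'."""
    parser = argparse.ArgumentParser(description="lfd BLOCK_REPORT receiver")
    parser.add_argument("-b", "--block", required=True,
                        help="block message passed by lfd")
    parser.add_argument("extra", nargs="*",
                        help="any further arguments, stored verbatim")
    return parser.parse_args(argv)


def open_db(path=DB_PATH):
    """Open the SQLite file (creating it if needed) and ensure the table exists."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def record_block(conn, message, extra=()):
    """Insert one block report and return its row id.

    Bound parameters keep the untrusted strings from lfd from ever being
    interpreted as SQL, whatever characters the message contains.
    """
    cur = conn.execute(
        "INSERT INTO blocks (logged_at, ip, message, extra) VALUES (?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), ip_from_message(message),
         message, " ".join(extra) or None),
    )
    conn.commit()
    return cur.lastrowid


def fetch_blocks(conn):
    """Return (ip, message) pairs in insertion order, for a query front end."""
    return conn.execute("SELECT ip, message FROM blocks ORDER BY id").fetchall()


def main(argv=None):
    args = parse_args(sys.argv[1:] if argv is None else argv)
    conn = open_db()
    row_id = record_block(conn, args.block, args.extra)
    conn.close()
    return row_id


if __name__ == "__main__":
    main()
```

Because the message is an option value rather than a variable name, the same script works unchanged whether lfd passes one long string or several; a front end for end users would read from `fetch_blocks()` rather than from the raw messages.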