Page 2 of 2
Posted: 17 Oct 2008, 15:54
by nickp666
One thing that could possibly be added (although not a big thing - im sure you have better things to do)
Would it be possible for you to add a command line trigger to lfd to generate a block report, as presently I can only test it by triggering an IP block by brute forcing/login fails (I understand this is because it is lfd and not csf that forks the process)
Posted: 22 Oct 2008, 16:12
by nickp666
Have just discovered one problem with the way this works (which you may or may not want to fix - it isnt a large issue - only PHP related)
I have been experimenting with the centralised database idea discussed previously in this thread, I have been using a PHP shell script to accept the data.
It all works fine and as expected, except for triggering suhosin's default variable name length limit (The actual block data) as below:
Oct 22 15:51:06 SERVERNAME suhosin[6314]: ALERT - configured request variable name length limit exceeded - dropped variable '6_(smtpauth)_login_failures_from_114_44_132_135_in_the_last_300_secs' (attacker 'REMOTE_ADDR not set', file 'unknown')
Is there a way i can hack it to add switches with parameters rather than long strings, e.g:
Code: Select all
user@box# /path/to/script -b '6_(smtpauth)_login_failures_from_114_44_132_135_in_the_last_300_secs'
opposed to the current method:
Code: Select all
user@box# /path/to/script '6_(smtpauth)_login_failures_from_114_44_132_135_in_the_last_300_secs'
Suhosin will then not trigger as the limit is on the variable name length, rather than the string value.
Posted: 22 Oct 2008, 17:18
by chirpy
Well, the routine is script agnostic and I don't want to make it specific to PHP (ugh). I suppose you could try changing BLOCK_REPORT from:
"/path/to/script"
to:
"/path/to/script -b"
Posted: 23 Oct 2008, 15:55
by nickp666
doh, didnt think of that!
am only using php to test for simplicity
Posted: 23 Oct 2008, 20:03
by randy
nickp666 wrote:doh, didnt think of that!
am only using php to test for simplicity
NIck,
Did you say you were putting this into a database? I would be interested to see how you are doing this, it would be a great thing to have for our users.
Randy
Posted: 24 Oct 2008, 12:32
by nickp666
randy wrote:NIck,
Did you say you were putting this into a database? I would be interested to see how you are doing this, it would be a great thing to have for our users.
Randy
I am indeed, my intention is to develop a centralised block list and associated app for end users to query, however as I am doing this in my spare time it is only very rough atm
Posted: 28 Oct 2008, 01:30
by Kent Brockman
Your idea sounds cool. It's cool to determine the origin IP's of recurrent port scanning and connection attempts. You may generate statistics on the frequency and procedence of them.
Also, you can use shellexce via php to see what's happening in real time.
You can generate a list of currently blocked IP's
iptables -L LOCALINPUT -n | grep DROP | awk '{print $4}' | uniq
or just count how many IP's are being blocked in this moment:
iptables -L LOCALINPUT -n | grep DROP | awk '{print $4}' | uniq | wc -l
I do use those commands from a hidden php file in one of the domains to check from my cell phone if something strange is happening and require urgent action (and if that is on fire, I call an emergency script from my cell phone with another hidden shellexec request that will turn off affected services, free memory, and restart them once the situation is under control).
Posted: 05 Dec 2008, 10:50
by NightRider
Guys, need help.
I have BLOCK_REPORT = /usr/bin/php /home/someuser/public_html/banned.php
But this doesn't work...
Is there something wrong?
Posted: 05 Dec 2008, 11:45
by nickp666
How are you processing the command line arguements?
You will need to use Console_GetOpt or similar in php to parse the raw arguements.
Also if you have suhosin installed, it will drop all script executions due to the length of the variable names supplied from lfd.