Invaders at the gate
by Andrew Macpherson on Dec.03, 2010, under Operations
Being on the internet is risky. It used to be that a new PC connected to the net would be taken over in under 20 minutes unless protective measures were taken. Fortunately this is no longer the case, but it does not stop the attempts. When one is running servers, switching services off is rarely an option.
In particular one needs remote access programs such as ssh, and one’s customers need ftp to manage their websites. There are, however, patterns in the logs which reveal when someone is attempting to gain unauthorised access.
It’s particularly annoying when you have someone trying to steal telephone service by logging their IP phone onto your Asterisk PBX, as they are trying passwords at around 40-50 per second, and chewing your bandwidth fairly well. And of course if they succeed you’re up for a lot of telephony cost. (The rest of this article is for unix system admins)
So I’ve been writing a few scripts to jump on these wannabe thieves and block their further depredations, e.g. for asterisk:

#!/bin/sh
PATH=/sbin:/usr/sbin:$PATH
export PATH
trap "rm -f /var/tmp/*.$$" 0 1 2 3 15

# If the ruleset looks empty (e.g. after a reboot), reload the saved rules
# so that the SIP-ATTACK chain exists before anything is added to it
current=`iptables-save | wc -l`
if [ $current -lt 30 ]
then
    service iptables restart > /dev/null 2>&1
fi

# Flush the table
echo /sbin/iptables -F SIP-ATTACK > /var/tmp/newblock.$$

# Pick up the nuisance attempts, making sure not to block local phones
# (the two /d patterns are this site's own address ranges)
sed -n -e "s/.*Registration.*sip.*failed for '//p" /var/log/asterisk/full | \
  sed -e /82\.70\.18/d -e /192\.168\.128/d -e "s/'.*//" | \
  sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | uniq -c | \
  perl -n -e 's/^\s+//; ($a, $b) = split(/\s+/, $_); print $b . "\n" if ($a > 30);' | \
  sed -e 's/.*/\/sbin\/iptables -A SIP-ATTACK -s & -j DROP/' >> /var/tmp/newblock.$$

# Not on the list, so OK
echo /sbin/iptables -A SIP-ATTACK -j RETURN >> /var/tmp/newblock.$$

# Do it
. /var/tmp/newblock.$$
exit 0
The scripts for other attacks (ftp, ssh, smtp-crashers) are very similar, though the log file to check will vary, as will the custom iptables chain you set up. You don’t want to completely delete and re-create this chain, because the jump into it from the main chain would have to be removed and restored as well; truncating and rebuilding the block-list inside the chain is relatively stable.
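As an added example, not the post's own script: the same log-to-rule-list idea written as shell functions that print the rules instead of sourcing them, so the generated block list can be inspected before it is applied, and that refuse anything from the log which is not a plain IPv4 address. It assumes the Asterisk "failed for '<ip>'" log format shown above, a made-up local phone subnet in LOCAL_PREFIXES, and a constructed sample log in place of /var/log/asterisk/full.

```shell
#!/bin/sh
# Added example, not the post's script: the same log-to-rule-list idea as
# functions that print the rules instead of sourcing them, and that refuse
# anything from the log that is not a plain IPv4 address.
# Assumptions: the Asterisk "failed for '<ip>'" log format quoted on the
# page; LOCAL_PREFIXES is the phones' own subnet (made up here).
LOCAL_PREFIXES='^192\.168\.128\.'
CHAIN=SIP-ATTACK
# One source address per failed registration; newer Asterisk versions
# append ':port' to the address, which is stripped here.
extract_failed_ips() {
    sed -n -e "s/.*Registration.*sip.*failed for '//p" "$1" |
        sed -e "s/'.*//" -e 's/:[0-9]*$//'
}

# Addresses with at least $2 failures in log $1: local phones are skipped,
# and only dotted quads survive, so a strange log entry can never become
# an iptables argument.
offenders() {
    extract_failed_ips "$1" | sort | uniq -c |
        awk -v min="$2" '$1 >= min { print $2 }' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
        grep -Ev "$LOCAL_PREFIXES" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# The full chain rebuild: flush, one DROP per offender, then RETURN.
# Review the output, then pipe it to sh as root to apply it.
build_rules() {
    echo "iptables -F $CHAIN"
    offenders "$1" "$2" | sed -e "s/.*/iptables -A $CHAIN -s & -j DROP/"
    echo "iptables -A $CHAIN -j RETURN"
}

# Constructed sample log written to $1, standing in for
# /var/log/asterisk/full: 35 failures each from an outside address, a
# local phone and a malformed entry, plus one below-threshold entry.
write_sample_log() {
    i=0
    while [ $i -lt 35 ]; do
        cat <<'EOF'
[Dec  3 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@10.0.0.1>' failed for '203.0.113.5' - Wrong password
[Dec  3 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@10.0.0.1>' failed for '192.168.128.20' - Wrong password
[Dec  3 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@10.0.0.1>' failed for 'bogus entry' - Wrong password
EOF
        i=$((i + 1))
    done > "$1"
    echo "[Dec  3 10:00:02] NOTICE[1234] chan_sip.c: Registration from '<sip:103@10.0.0.1>' failed for '198.51.100.7:5060' - No matching peer found" >> "$1"
}
```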
Finally you will need to run the script every few minutes from cron.
There is a side-effect — when you rotate your logfiles the block-lists reset to empty, so blocks don’t hang around forever.