Musings from a small IPP

Invaders at the gate

by on Dec.03, 2010, under Operations

Being on the internet is risky.  It used to be that a new PC connected to the net would be taken over in under 20 minutes unless protective measures were taken.  Fortunately this is no longer the case, but it does not stop the attempts.  When one is running servers there is little option of switching off services.

In particular one needs remote access programs such as ssh, and one’s customers need ftp to manage their websites.  There are however patterns which lead one to realise when an attempt is being made to obtain illegal access.

It’s particularly annoying when you have someone trying to steal telephone service by logging their IP phone onto your Asterisk PBX, as they are trying passwords at around 40-50 per second, and chewing your bandwidth fairly well.  And of course if they succeed you’re up for a lot of telephony cost. (The rest of this article is for unix system admins)

So I’ve been writing a few scripts to jump on these wannabe thieves and block their further depredations, e.g. for Asterisk:

#!/bin/sh
# Block SIP registration brute-forcers: rebuild the DROP list in the custom
# SIP-ATTACK chain from Asterisk's failed-registration log entries.

PATH=/sbin:/usr/sbin:$PATH; export PATH

# Remove the temporary rule file on exit or interrupt
trap "rm -f /var/tmp/*.$$" 0 1 2 3 15

# If the live ruleset looks empty (fewer than 30 lines) the saved rules,
# including the SIP-ATTACK chain, have not been loaded: restore them first
current=`iptables-save | wc -l`

if [ $current -lt 30 ]
then
	service iptables restart > /dev/null 2>&1
fi

# Flush the table
echo /sbin/iptables -F SIP-ATTACK > /var/tmp/newblock.$$

# Pick up the nuisance attempts, making sure not to block local phones:
# extract the source address of each failed registration, drop our own
# ranges, count attempts per address and block any with more than 30
sed -n -e "s/.*Registration.*sip.*failed for '//p"  /var/log/asterisk/full | \
	sed -e /82.70.18/d -e /192.168.128/d -e "s/'.*//" | \
	sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | uniq -c | \
	perl -n -e 's/^\s+//; ($a, $b) = split(/\s+/, $_); print $b . "\n" if ($a > 30);' | \
	sed -e 's/.*/\/sbin\/iptables -A SIP-ATTACK -s & -j DROP/' >> /var/tmp/newblock.$$
# Not on the list, so OK
echo /sbin/iptables -A SIP-ATTACK -j RETURN >> /var/tmp/newblock.$$

# Do it
. /var/tmp/newblock.$$
exit 0


The scripts for other attacks (ftp, ssh, smtp-crashers) are very similar, though the log file to check will vary, as will the custom iptables chain you set up.  You don’t want to completely delete and re-create this chain because that would break the processing link, whereas truncating and rebuilding the block-list is relatively stable.

Finally you will need to run the script every few minutes from cron.

There is a side-effect — when you rotate your logfiles the block-lists reset to empty, so blocks don’t hang around forever.
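The same flush-count-rebuild pattern, written as one reusable function so that the Asterisk, ssh and ftp variants differ only in the log file and the expression that pulls out the source address. This is an added example, not the post's own script: the log line formats, the `build_blocklist` function, the chain names and the sample log entries (documentation address ranges) are all assumed here. It prints the iptables commands instead of running them, so a run can be inspected, diffed against the previous one, or piped to `sh` from cron.

```shell
#!/bin/sh
# Added example, not the post's own script. One function builds the DROP
# list for a custom chain from any log file; per-service differences are
# confined to the sed -n script that extracts the source address.
#
# build_blocklist CHAIN THRESHOLD LOGFILE EXTRACT [WHITELIST]
#   CHAIN      custom chain that is flushed and rebuilt (never deleted, so
#              the jump into it from INPUT stays intact)
#   THRESHOLD  block a source once it has more than THRESHOLD failures
#   EXTRACT    sed -n script printing the offending source address per line
#   WHITELIST  extended regex of sources never to block (local phones etc.)
build_blocklist() {
    chain=$1
    threshold=$2
    logfile=$3
    extract=$4
    whitelist=${5:-'^$'}    # default removes only empty lines

    echo "/sbin/iptables -F $chain"
    # extract addresses, drop whitelisted ones, count per address, keep the
    # noisy ones, and emit the rules in a stable numeric address order
    sed -n -e "$extract" "$logfile" |
        grep -Ev "$whitelist" |
        sort | uniq -c |
        awk -v thr="$threshold" '$1 > thr { print $2 }' |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n |
        sed -e "s|.*|/sbin/iptables -A $chain -s & -j DROP|"
    # Anything not listed falls through to the rest of the INPUT chain
    echo "/sbin/iptables -A $chain -j RETURN"
}

# Assumed line formats, modelled on Asterisk chan_sip and OpenSSH messages.
# The Asterisk pattern accepts both '1.2.3.4' and the later '1.2.3.4:5060'.
ASTERISK_EXTRACT="s/.*Registration from .* failed for '\([0-9.]*\)[':].*/\1/p"
SSHD_EXTRACT="s/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p"

# Constructed sample log lines (not real traffic); TEST-NET addresses
sip_fail() {   # $1 minute, $2 extension, $3 source as Asterisk logs it
    printf "[Dec  3 10:%02d:00] NOTICE[1234] chan_sip.c: Registration from '\"%s\" <sip:%s@203.0.113.5>' failed for '%s' - Wrong password\n" "$1" "$2" "$2" "$3"
}
ssh_fail() {   # $1 minute, $2 user, $3 source address
    printf "Dec  3 10:%02d:05 pbx sshd[2345]: Failed password for invalid user %s from %s port 51234 ssh2\n" "$1" "$2" "$3"
}

write_samples() {   # $1: directory that receives asterisk.full and secure
    : > "$1/asterisk.full"
    : > "$1/secure"
    i=0
    while [ "$i" -lt 5 ]; do
        sip_fail "$i" 100 198.51.100.7   >> "$1/asterisk.full"   # attacker
        sip_fail "$i" 200 192.168.128.21 >> "$1/asterisk.full"   # local phone, mistyped password
        ssh_fail "$i" admin  198.51.100.9 >> "$1/secure"
        ssh_fail "$i" oracle 203.0.113.77 >> "$1/secure"
        i=$((i + 1))
    done
    sip_fail 9 300 198.51.100.8:5060 >> "$1/asterisk.full"       # single failure, newer format
    ssh_fail 9 root 198.51.100.10 >> "$1/secure"                  # single failure
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    echo "# SIP-ATTACK rules (threshold 3, local phones whitelisted):"
    build_blocklist SIP-ATTACK 3 "$tmp/asterisk.full" "$ASTERISK_EXTRACT" '^192\.168\.128\.'
    echo "# SSH-ATTACK rules (threshold 3):"
    build_blocklist SSH-ATTACK 3 "$tmp/secure" "$SSHD_EXTRACT"
    rm -rf "$tmp"
}

demo
```

In production the chain has to exist and be hooked from INPUT before the first run (assumed setup, for instance `iptables -N SIP-ATTACK` followed by `iptables -I INPUT -p udp --dport 5060 -j SIP-ATTACK`); after that a cron entry every few minutes runs `build_blocklist ... | sh`. Because the counts are taken from the current log file only, rotating the log empties the list, which is the self-expiring behaviour the post describes.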
