[BlueOnyx:08922] Re: IP blocks for httpd and hosts.deny
Chuck Tetlow
chuck at tetlow.net
Fri Oct 28 15:58:53 -05 2011
Jim,
If I have a persistent pest trying to hack in, I simply block him with the firewall. It's not a permanent block and will disappear once the box is booted, or if you make any changes with the management GUI. But even a 24-48 hour block is usually sufficient for them to go looking for easy prey elsewhere.
At the command-line as root, use the command:
iptables -I acctin 1 -s sourceIP/32 -j DROP
Use that exact syntax on your BX box - including that upper/lower cases. Replace sourceIP with the IP of the pest. The /32 right on the end of that IP tells the system to block just that one IP.
If you want to see how many times that IP is blocked - the system will log each block in /var/log/messages (or sometimes it will put in something like "last message repeated 3 more times"). Or you can use "iptables -L -n -v". Look at the line at the top of the acctin chain with the IP you're blocking - it will show a count of packets blocked. Each packet is an attempt.
Chuck
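The two checks described above (the packet counter on the DROP rule in the acctin chain, and the /var/log/messages entries with their "last message repeated N more times" lines), worked as an added shell example that is not from the original post. The iptables output and log lines are constructed samples in the format those commands print; the kernel log line layout is an assumption, so adjust the SRC= match to whatever your box actually logs.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the pkts counter of the
# DROP rule for one source IP out of "iptables -L acctin -n -v" output, and
# sums the matching block lines in /var/log/messages, folding in the
# "last message repeated N more times" lines that syslog collapses.

# Constructed sample of: iptables -L acctin -n -v
SAMPLE_IPTABLES='Chain acctin (1 references)
 pkts bytes target     prot opt in     out     source               destination
  412 24720 DROP       all  --  *      *       203.0.113.45         0.0.0.0/0
 1024 61440 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample of /var/log/messages (kernel log line format assumed)
SAMPLE_MESSAGES='Oct 28 14:01:02 bx kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=80
Oct 28 14:01:03 bx last message repeated 3 more times
Oct 28 14:02:10 bx kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
Oct 28 14:03:15 bx kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=80'

# blocked_pkts IP < iptables-output : print the pkts column of the DROP rule
# whose source is exactly IP (a /32 rule is listed as the bare address); 0 if none
blocked_pkts() {
    awk -v ip="$1" '$3 == "DROP" && $8 == ip { print $1; found = 1; exit }
                    END { if (!found) print 0 }'
}

# log_hits IP < messages : count kernel lines with SRC=IP, plus the repeats
# announced by a "last message repeated N more times" line right after one
log_hits() {
    awk -v ip="$1" '
        /kernel:/ { last = ($0 ~ ("SRC=" ip "( |$)")); if (last) n++; next }
        /last message repeated [0-9]+ more times/ {
            if (last) { for (i = 1; i <= NF; i++) if ($i == "repeated") n += $(i+1) }
            next }
        { last = 0 }
        END { print n + 0 }'
}

# Usage: sh blockcount.sh 203.0.113.45   (runs against the samples above;
# on a live box pipe the real command and log output into the functions)
if [ -n "$1" ]; then
    printf 'iptables counter: %s\n' "$(printf '%s\n' "$SAMPLE_IPTABLES" | blocked_pkts "$1")"
    printf 'log hits:         %s\n' "$(printf '%s\n' "$SAMPLE_MESSAGES" | log_hits "$1")"
fi
```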
---------- Original Message -----------
From: Jim Matysek <matysekj at usms.org>
To: "'BlueOnyx General Mailing List'" <blueonyx at mail.blueonyx.it>
Sent: Fri, 28 Oct 2011 12:58:48 -0400
Subject: [BlueOnyx:08921] IP blocks for httpd and hosts.deny
> I have two somewhat related questions/issues with setting up and/or
> finding IP blocks for the httpd service.
>
> First, we had a very persistent attempt at SQL injection from an Asian
> IP address yesterday (over 227,000 hits). Once I saw it, I added that IP
> address to /etc/hosts.deny. The hits persisted in
> /var/log/httpd/access_log with 200 status. I then added a deny line in
> the .htaccess file for that IP and while the hits persisted, they were
> now all getting 403 status. One issue is that this still fills up both
> my access_log and error_log to the point that it's hard to find other
> things there. Is there a way to block httpd access to an IP address that
> will keep all attempts out of the httpd logs? Also, I had always thought
> that any IP addresses listed with ALL: xxx.xxx.xxx.xxx in the
> /etc/hosts.deny file would accomplish this. Apparently not, or if it
> will, is there a specific service I need to restart for it to take
> effect? I did restart httpd yesterday and it didn't change anything.
>
> Second, I've got one valid user who suddenly over the past week can not
> access any pages on our main site. She just gets a blank page or a
> timeout message. She's tried with 3 different browsers and has tried
> clearing her cache, all with the same results. I checked and her IP
> address doesn't appear in /etc/hosts.deny or in the "Blocked hosts" tab
> in the BO GUI under Security / Failed Logins. I also checked
> /etc/apf/deny_hosts.rules and her IP isn't there either. Is there
> somewhere else to look? The odd thing is that I see her requests in
> /var/log/httpd/access_log with a 200 status, but the amount of data
> returned is shown as about half that for any other request from others
> on the same URL. That sounds more like a browser cache issue to me, but
> she's tried this with 3 different browsers with the same results. I'm at
> a loss for where to look next. I have asked her to try to access other
> sites on the same virtual server and on another VS, but have not heard
> back the results from her on those attempts.
>
> --
> Jim Matysek
>
------- End of Original Message -------