<HTML>
<HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="OPENWEBMAIL" name=GENERATOR>
</HEAD>
<BODY bgColor=#ffffff>
Jim,
<br />
<br />If I have a persistent pest trying to hack in, I simply block him with the firewall. It's not a permanent block and will disappear once the box is booted, or if you make any changes with the management GUI. But even a 24-48 hour block is usually sufficient for them to go looking for easy prey elsewhere.
<br />
<br />At the command-line as root, use the command:
<br />iptables -I acctin 1 -s <span style="font-style: italic;">sourceIP</span>/32 -j DROP
<br />
<br />Use that exact syntax on your BX box - including the upper/lower case. Replace <span style="font-style: italic;">sourceIP</span> with the IP of the pest. The /32 right on the end of that IP tells the system to block just that one IP.
<br />
<br />If you want to see how many times that IP is blocked - the system will log each block in /var/log/messages (or sometimes it will put in something like "last message repeated 3 more times"). Or you can use "iptables -L -n -v". Look at the line at the top of the acctin chain with the IP you're blocking - it will show a count of packets blocked. Each packet is an attempt.
<br />
<br />
<br />Chuck
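<br />
<br />An added example, not from Chuck's mail and not BlueOnyx's own code: a small POSIX sh script wrapping the recipe above. It assumes the chain is named acctin as in the mail, and it assumes (this part is mine, not the mail's) that dropped packets reach /var/log/messages in the standard netfilter LOG format with a SRC= field. The "iptables -L acctin -n -v" output and the syslog lines embedded in it are constructed samples so that the counting functions can be tried offline; block_ip is the only function that touches the live firewall.

```shell
#!/bin/sh
# Added example (not from the mail or from BlueOnyx): helpers around
#   iptables -I acctin 1 -s sourceIP/32 -j DROP
# Assumed: the chain is named acctin as in the mail; dropped packets show
# up in /var/log/messages in the standard netfilter LOG format (SRC=...).
# All sample output below is constructed for illustration.

CHAIN=acctin

# valid_ipv4 IP  -> exit 0 if IP is a dotted quad with octets 0-255
valid_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# build_block_cmd IP -> prints the exact command from the mail (/32 = this host only)
build_block_cmd() {
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    echo "iptables -I $CHAIN 1 -s $1/32 -j DROP"
}

# block_ip IP -> inserts the rule (run as root on the BX box). Skips the
# insert if a DROP for that host is already in the chain, so repeated runs
# do not stack duplicate rules. Not persistent: gone after a reboot or a
# GUI change, exactly as the mail says.
block_ip() {
    cmd=$(build_block_cmd "$1") || return 1
    if iptables -L "$CHAIN" -n | awk -v ip="$1" \
        '$1 == "DROP" && $4 == ip { found = 1 } END { exit !found }'; then
        echo "$1 is already blocked in $CHAIN" >&2
        return 0
    fi
    $cmd
}

# count_dropped IP  (stdin: output of `iptables -L acctin -n -v`)
# -> pkts counter of the DROP rule(s) for IP; 0 if there is none.
# Columns: pkts bytes target prot opt in out source destination
count_dropped() {
    awk -v ip="$1" '$3 == "DROP" && $8 == ip { n += $1 } END { print n + 0 }'
}

# count_logged IP  (stdin: /var/log/messages lines)
# -> number of logged packets from IP, folding in syslog's
# "last message repeated N more times" lines that follow a hit from IP.
count_logged() {
    awk -v ip="$1" '
        / SRC=/ { hit = index($0, " SRC=" ip " ") > 0; if (hit) n++; next }
        /last message repeated [0-9]+ more times/ {
            if (hit) for (i = 1; i <= NF; i++) if ($i == "repeated") n += $(i + 1)
            next }
        { hit = 0 }
        END { print n + 0 }'
}

# --- constructed samples (not real output from the box) -------------------
SAMPLE_RULES='Chain acctin (1 references)
 pkts bytes target     prot opt in     out     source               destination
  227 18160 DROP       all  --  *      *       203.0.113.45         0.0.0.0/0
 5120  412K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

SAMPLE_LOG='Oct 28 13:02:11 bx kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51022 DPT=80 SYN URGP=0
Oct 28 13:02:14 bx last message repeated 3 more times
Oct 28 13:02:20 bx kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Oct 28 13:02:21 bx last message repeated 2 more times
Oct 28 13:03:00 bx kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51023 DPT=80 SYN URGP=0'

# Offline demonstration on the samples (on the box: block_ip 203.0.113.45)
build_block_cmd 203.0.113.45                         # iptables -I acctin 1 -s 203.0.113.45/32 -j DROP
echo "$SAMPLE_RULES" | count_dropped 203.0.113.45    # 227
echo "$SAMPLE_LOG"   | count_logged  203.0.113.45    # 5
```

On a live box, pipe the real output in: "iptables -L acctin -n -v | count_dropped 203.0.113.45" and "count_logged 203.0.113.45 &lt; /var/log/messages". Adding -x to the iptables command prints exact byte counts instead of the abbreviated "412K" form; the packet column is exact either way. The counter counts packets, not connections, so a single retried TCP connect shows up as several packets.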
<br />
<br />
<br />
<br />
<br />
<br /><font size="2"><b>---------- Original Message
-----------</b>
<br />
From: Jim Matysek &lt;matysekj@usms.org&gt;
<br />
To: "'BlueOnyx General Mailing List'" &lt;blueonyx@mail.blueonyx.it&gt;
<br />
Sent: Fri, 28 Oct 2011 12:58:48 -0400
<br />
Subject: [BlueOnyx:08921] IP blocks for httpd and hosts.deny
<br />
<br />> I have two somewhat related questions/issues with setting up and/or finding IP blocks for the httpd service.
<br />>
<br />> First, we had a very persistent attempt at SQL injection from an Asian IP address yesterday (over 227,000 hits). Once I saw it, I added that IP address to /etc/hosts.deny. The hits persisted in /var/log/httpd/access_log with 200 status. I then added a deny line in the .htaccess file for that IP, and while the hits persisted, they were now all getting 403 status. One issue is that this still fills up both my access_log and error_log to the point that it's hard to find other things there. Is there a way to block httpd access to an IP address that will keep all attempts out of the httpd logs? Also, I had always thought that any IP addresses listed with ALL: xxx.xxx.xxx.xxx in the /etc/hosts.deny file would accomplish this. Apparently not, or if it will, is there a specific service I need to restart for it to take effect? I did restart httpd yesterday and it didn't change anything.
<br />>
<br />> Second, I've got one valid user who suddenly over the past week cannot access any pages on our main site. She just gets a blank page or a timeout message. She's tried with 3 different browsers and has tried clearing her cache, all with the same results. I checked and her IP address doesn't appear in /etc/hosts.deny or in the "Blocked hosts" tab in the BO GUI under Security / Failed Logins. I also checked /etc/apf/deny_hosts.rules and her IP isn't there either. Is there somewhere else to look? The odd thing is that I see her requests in /var/log/httpd/access_log with a 200 status, but the amount of data returned is shown as about half that for any other request from others on the same URL. That sounds more like a browser cache issue to me, but she's tried this with 3 different browsers with the same results. I'm at a loss for where to look next. I have asked her to try to access other sites on the same virtual server and on another VS, but have not heard back the results from her on those attempts.
<br />>
<br />> --
<br />> Jim Matysek
<br />>
<br />> _______________________________________________
<br />> Blueonyx mailing list
<br />> Blueonyx@mail.blueonyx.it
<br />> <a target="_blank" href="http://mail.blueonyx.it/mailman/listinfo/blueonyx">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a>
<br /><b>------- End of Original Message
-------</b>
<br />
</font>
</BODY>
</HTML>