Full Version: Need script
The Planet Forums > Security > General Security
(o_0)
We need a script which will scan /usr/local/apache/logs/access_log

and block any IP with a 408 error via APF ("apf -d xx.xxx.xxx.xxx")

xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:30 +0400] "-" 408 -
xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:30 +0400] "-" 408 -
xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:55 +0400] "-" 408 -
xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:55 +0400] "-" 408 -
xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:59 +0400] "-" 408 -
xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:59 +0400] "-" 408 -

It helps with our DDoS attack on the httpd service.
(o_0)
Anybody? eth00?
NightStorm
I know this is a bit of a looparound, but have you tried Snort? You can set it, when installed with snortsam, to insert an IP into the firewall if the string matches a rule... so you could essentially block all traffic that returns a 408 error automatically the moment it happens.
Another, more 'tedious' way would be:

grep "408 -" /usr/local/apache/logs/access_log >>block_ips

Then open block_ips with Notepad, and run a "replace all" for a space to a 'tab'... then paste the results into Excel... it will place each word of the log into its own column... so essentially, you could isolate the IPs from the rest of the log data... Excel offers the ability to sort and remove duplicates, so with a few minutes, you could have a list of the IPs launching the attack, and paste them straight into /etc/apf/deny_hosts.rules

But honestly, Snort/snortsam is probably your best way to go.
(o_0)
We wrote this script. Set it in cron to run every 2 min when you have a DDoS.
If you have Mod Security and APF installed, this script will help with a DDoS on the httpd service. It works great.

CODE
#!/bin/bash
# Block every client that produced a 408 in the last N lines of
# access_log. N is 100 by default, or the first argument if given.
if [ -z "$1" ]
    then
       for i in `tail -n 100 /usr/local/apache/logs/access_log | awk '/408/ {print $1}' | sort | uniq`
           do
           apf -d "$i"
           done
    else
       for i in `tail -n "$1" /usr/local/apache/logs/access_log | awk '/408/ {print $1}' | sort | uniq`
           do
           apf -d "$i"
           done
fi
Catalyst
You're certainly on the right track, but I see an issue ...

User-Agent "Gecko/20040804 Netscape/7.2" will match, as will a request for say "somepage.php?id=408" or a form post containing "408 Cherry Street" or a ZIP code "47408." I won't even mention those poor people from San Jose, CA.

You might wanna change your awk to something like "awk '/408 ([-0-9]+)$/ {print $1}'" to get around that. ;-) That way it's searching the end of the line for the error code and id (or -).
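To make the difference concrete, here is an added shell example (not the script posted in this thread) that runs the naive /408/ match, Catalyst's anchored pattern, and a third variant that parses the status field itself, all against a constructed sample log. The sample IPs, the combined-format line, the function names and the dry-run wrapper around "apf -d" are all assumptions for this example; the status-field parse is a generalisation beyond Catalyst's regex, since it also handles a combined-format line where the referer and User-Agent follow the size.

```shell
#!/bin/bash
# Added example (not the thread's own script): extract the client IPs of
# requests that ended in HTTP 408 from an Apache access_log, comparing the
# naive /408/ match, Catalyst's anchored pattern, and a parse of the status
# field itself. Runs against a constructed sample log; pass a real path to
# block_408_ips to use it on a server. Assumes APF's "apf -d" as in the thread.

# Constructed sample log. Lines 1-4: genuine 408s in the common format the
# thread shows (one IP twice). Line 5: a 408 in combined format (referer and
# User-Agent after the size). Lines 6-8: decoys with "408" in the URL, the
# User-Agent and the byte count, the false positives Catalyst lists.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.1 - - [20/Sep/2005:08:12:30 +0400] "-" 408 -
10.0.0.1 - - [20/Sep/2005:08:12:30 +0400] "-" 408 -
10.0.0.2 - - [20/Sep/2005:08:12:55 +0400] "-" 408 -
10.0.0.3 - - [20/Sep/2005:08:12:59 +0400] "-" 408 -
10.0.0.4 - - [20/Sep/2005:08:13:10 +0400] "-" 408 - "-" "Mozilla/5.0"
192.0.2.10 - - [20/Sep/2005:08:13:01 +0400] "GET /somepage.php?id=408 HTTP/1.1" 200 5120
192.0.2.11 - - [20/Sep/2005:08:13:02 +0400] "GET / HTTP/1.1" 200 340 "-" "Mozilla/5.0 Gecko/20040804 Netscape/7.2"
192.0.2.12 - - [20/Sep/2005:08:13:03 +0400] "POST /form HTTP/1.1" 302 47408
EOF
}

# The thread's first version: any "408" anywhere on the line. Over-blocks.
ips_408_naive() {
    awk '/408/ {print $1}' "$1" | sort -u
}

# Catalyst's anchored pattern: status followed by size (or "-") at end of
# line. Correct for the common log format in the thread, but misses a
# combined-format line, whose referer and User-Agent come after the size.
ips_408_anchored() {
    awk '/408 ([-0-9]+)$/ {print $1}' "$1" | sort -u
}

# Generalisation (an addition here, not from the thread): split the line on
# double quotes so the status is always the first token after the request
# field, whatever the request looks like and whatever follows the size.
ips_408_status() {
    awk -F'"' '{
        split($1, pre, " ")     # "ip ident user [time]" -> pre[1] is the IP
        split($3, post, " ")    # " status size ..."     -> post[1] is the status
        if (post[1] == "408") print pre[1]
    }' "$1" | sort -u
}

# Print (dry run, the default) or execute the apf deny commands for the 408 set.
block_408_ips() {
    log_file="$1"
    mode="${2:-dry-run}"
    ips_408_status "$log_file" | while read -r ip; do
        if [ "$mode" = "apply" ]; then
            apf -d "$ip"
        else
            echo "apf -d $ip"
        fi
    done
}

# When run as a script: ./block408.sh /usr/local/apache/logs/access_log [apply]
if [ "$#" -gt 0 ]; then
    block_408_ips "$1" "${2:-dry-run}"
fi
```

On the sample, the naive match returns all seven client IPs, the anchored pattern returns the three common-format 408 clients and silently skips the combined-format one, and the status-field parse returns exactly the four clients that really timed out. The dry-run default means a cron job can be tested against a copy of the log before "apply" is ever passed.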
Manuel
Well, you have found the script, but may I know why you want to block only the IPs with 408 errors?
(o_0)
Thanks Catalyst, I didn't think about this.


QUOTE (Manuel)
Well, you have found the script, but may I know why you want to block only the IPs with 408 errors?


When you have a DDoS on httpd, in your /usr/local/apache/logs/access_log you will see something like this:

xx.xxx.xxx.xxx - - [29/Sep/2005:20:33:53 +0400] "dfjikpdskdOMQM"
xx.xxx.xxx.xxx - - [29/Sep/2005:20:33:55 +0400] "PpwmcsfsfsIPQ"
xx.xxx.xxx.xxx - - [29/Sep/2005:20:34:05 +0400] "KOPKJWfdsfdsNOPWN"
xx.xxx.xxx.xxx - - [29/Sep/2005:20:34:26 +0400] "OQP{mpfsajfasobIObas"

You can't block this DDoS because here it's always different, "OQP{mpfsajfasobIObas" or "PpwmcsfsfsIPQ", but if you have Mod Security it will look like:

xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:30 +0400] "-" 408 -
xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:30 +0400] "-" 408 -
xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:55 +0400] "-" 408 -
xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:55 +0400] "-" 408 -
xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:59 +0400] "-" 408 -
xx.xxx.xxx.xxx - - [20/Sep/2005:08:12:59 +0400] "-" 408 -

Now we can block the DDoS. I had it again today, more than 700 IPs, and I blocked them in 15 min.
Manuel
Wow great...!!
eth00
Be VERY careful about doing this: if you run a script like that it is possible you will crash your own server. Once iptables gets 10,000-20,000 entries it can completely crash the server. A large DDoS will very easily do this, causing massive load from the firewall and finally a complete crash. If you do something like the above I would suggest flushing the blocklist every few days so it does not get too big.
Manuel
hmmmmmmm.....

I am using APF/BFD firewall, how do I flush the block entry every few days?
eth00
Delete /etc/apf/deny.hosts_rules and then touch /etc/apf/deny.hosts_rules to create another file.

I would still suggest not doing that because it may crash your server if you get a very large attack. Regardless it will probably end up slowing the server down over time as more rules get added.
Manuel
If you are using apf then you can use the command below, but as eth00 has suggested, it is not recommended!!!

grep "408 -" /usr/local/apache/logs/access_log | awk '{print $1}' | sort | uniq | sort -nr >> /etc/apf/deny_hosts.rules
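Appending to /etc/apf/deny_hosts.rules like this grows the rule set on every run, which is the iptables-size problem eth00 warns about. As an added example (not code from anyone in this thread), here is a shell function that does eth00's "flush every few days" from cron with a size limit: when the deny file holds more than a given number of rules it archives a dated copy and empties the live file. The default limit, the archive directory, the APF_RELOAD switch and the function names are assumptions for this example, not APF's own settings.

```shell
#!/bin/bash
# Added example (not from the thread): keep the APF deny list bounded, following
# eth00's advice to flush it every few days instead of letting iptables grow
# to tens of thousands of rules. When the file holds more than max_rules
# entries, a dated copy is archived (so the attacking IPs stay on record)
# and the live file is emptied. Path, limit and archive directory are
# parameters; the defaults are assumptions for this example, not APF's.

count_rules() {
    # Count rule lines, ignoring blanks and "#" comments.
    awk '!/^[[:space:]]*(#|$)/ {n++} END {print n+0}' "$1"
}

rotate_deny_list() {
    deny_file="${1:-/etc/apf/deny_hosts.rules}"
    max_rules="${2:-5000}"
    archive_dir="${3:-/var/log/apf-deny-archive}"   # assumed location

    [ -f "$deny_file" ] || { echo "missing $deny_file"; return 1; }
    rules=$(count_rules "$deny_file")

    if [ "$rules" -le "$max_rules" ]; then
        echo "kept $rules"
        return 0
    fi

    mkdir -p "$archive_dir"
    cp "$deny_file" "$archive_dir/deny_hosts.rules.$(date +%Y%m%d%H%M%S)"
    : > "$deny_file"          # same effect as eth00's delete-and-touch
    # APF only re-reads its rule files on restart; opt in with APF_RELOAD=yes
    # so a dry run against a test file never touches the firewall.
    if [ "${APF_RELOAD:-no}" = "yes" ]; then
        apf -r
    fi
    echo "rotated $rules"
}

# Cron-style entry point: ./rotate-deny.sh [deny_file] [max_rules] [archive_dir]
if [ "$#" -gt 0 ]; then
    rotate_deny_list "$@"
fi
```

Run it from cron with APF_RELOAD=yes and a limit well below the 10,000-20,000 rules eth00 cites; the archived copies keep the attacking addresses available for later review without keeping them in the kernel's rule chain.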