
Re: [tlug] Script Kiddy Defence Script



On Thu, Jun 09, 2005 at 06:02:47PM +0900, Joe Larabell wrote:
> 
> > Yes, I'm planning to do that. Not sure yet which other attacks are
> > worth considering...  maybe port scans, exploit tests via http...
> > well, if someone has ideas, let me know.
> 
> I wrote a short perl script to scan a weblog in real-time looking for the
> typical IIS exploits. In my case, I was less forgiving, in that I blocked
> the IP until the following midnight (just because I didn't want to have to
> deal with counting down timeouts and the like -- just run a cronjob to
> clear out the SHITLIST chain at midnight every day). It cut down on a lot
> of crud in the web logs. I'll send you the script if you're interested.

I did a similar thing to Joe on FreeBSD.

On FreeBSD, you get a nightly security report mailed to you, which reports
failed login attempts. My cronned perl script scans those emails and adds the
relevant IPs to the firewall, and also to a MySQL database with the date.
Every time the script is run, the first thing it does is check the database
table and clears out any entries that are more than 2 weeks old (also
removing them from the firewall), then it proceeds to scan the security
email, moving the mail to a separate folder after the scan is done. What this
effectively does is maintain a database-backed firewall of IPs which are banned
for 2 weeks.

Like Joe, I can post my script if anyone is interested.

Best wishes,

Shawn
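The expire-then-scan-then-ban cycle Shawn describes, written out as an added Python example (not Shawn's or Joe's Perl script). It assumes a pf table named `bans` for the firewall side and a constructed, assumed layout for the "login failures" section of the FreeBSD daily security report; the firewall commands are only built and printed, so the cycle can be dry-run from a mailbox copy before wiring it to cron.

```python
import re
import sqlite3
from datetime import datetime, timedelta

BAN_DAYS = 14  # the two-week ban window from the post

# Constructed sample in the style of the "login failures" section of a
# FreeBSD daily security report; the exact layout is assumed, not copied.
SAMPLE_REPORT = """\
Checking for login failures:
Jun  9 03:12:44 host sshd[1234]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jun  9 03:12:47 host sshd[1234]: Failed password for invalid user admin from 203.0.113.45 port 51235 ssh2
Jun  9 04:01:02 host sshd[1300]: Failed password for shawn from 198.51.100.7 port 40000 ssh2
Jun  9 04:05:10 host sshd[1310]: Accepted publickey for shawn from 192.0.2.10 port 40010 ssh2
"""

# Only a strict dotted quad is captured, so nothing else from the log line
# can reach the firewall command built below.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port"
)


def extract_failed_ips(report):
    """Return the set of source IPs that appear on 'Failed password' lines."""
    return {m.group(1) for m in FAILED_RE.finditer(report)}


def open_db(path=":memory:"):
    """Open (or create) the ban table: one row per IP with its ban timestamp."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS bans (ip TEXT PRIMARY KEY, banned_at TEXT NOT NULL)"
    )
    return conn


def expire_old_bans(conn, now_iso, days=BAN_DAYS):
    """Drop entries older than `days`; return the IPs that were released."""
    cutoff = (datetime.fromisoformat(now_iso) - timedelta(days=days)).isoformat()
    expired = [r[0] for r in conn.execute(
        "SELECT ip FROM bans WHERE banned_at < ? ORDER BY ip", (cutoff,))]
    conn.execute("DELETE FROM bans WHERE banned_at < ?", (cutoff,))
    conn.commit()
    return expired


def add_bans(conn, ips, now_iso):
    """Record new bans; an IP already in the table keeps its original date."""
    added = []
    for ip in sorted(ips):
        cur = conn.execute(
            "INSERT OR IGNORE INTO bans (ip, banned_at) VALUES (?, ?)", (ip, now_iso))
        if cur.rowcount == 1:
            added.append(ip)
    conn.commit()
    return added


def firewall_commands(added, expired, table="bans"):
    """Build pf table commands (assumed firewall; ipfw users would substitute)."""
    cmds = [f"pfctl -t {table} -T delete {ip}" for ip in expired]
    cmds += [f"pfctl -t {table} -T add {ip}" for ip in added]
    return cmds


def run_cycle(conn, report, now_iso):
    """One cron run: expire first, then scan the report and ban, as in the post."""
    expired = expire_old_bans(conn, now_iso)
    added = add_bans(conn, extract_failed_ips(report), now_iso)
    return added, expired, firewall_commands(added, expired)


if __name__ == "__main__":
    db = open_db()
    added, expired, cmds = run_cycle(db, SAMPLE_REPORT, datetime.now().isoformat())
    # Dry run: print what a real deployment would hand to subprocess.run(cmd.split()).
    for c in cmds:
        print(c)
```

Expiring before scanning matters: an IP that is still hammering the box after its two weeks are up gets released and then re-banned in the same run, so the ban date rolls forward instead of the entry silently living forever. Storing ISO-8601 timestamps keeps the SQL date comparison a plain string comparison, and the dotted-quad regex is the only thing standing between the log text and a command line, which is why it is kept strict.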

