how to detect and block repetitive attacks


  1. #1

    how to detect and block repetitive attacks

    Hello,

    Is it possible to detect and block IP addresses that hit my server with
    repetitive (automated) attacks?

    port sniffing
    ftp directory harvest attacks
    smtp directory harvest attacks
    http/html DOS
    ping attacks
    etc...

    I'm looking for a single solution that will cover all sorts of these kinds
    of attacks.

    Thanks


    Chris Fortune Guest

  3. #2

    Re: how to detect and block repetitive attacks

    Very funny. Do you know of a log audit program that detects these kinds of
    attacks, and then alters system-wide IP blocking rules, for example?




    <Michael Vilain <vilain@spamcop.net>> wrote in message
    news:vilain-BC3454.12283503082004@comcast.dca.giganews.com...
    > In article <tARPc.21241$T_6.5539@edtnps89>,
    > "Chris Fortune" <hey.spammer...just.get@job.org> wrote:
    >
    > > Hello,
    > >
    > > Is it possible to detect and block IP addresses that hit my server with
    > > repetitive (automated) attacks?
    > >
    > > port sniffing
    > > ftp directory harvest attacks
    > > smtp directory harvest attacks
    > > http/html DOS
    > > ping attacks
    > > etc...
    > >
    > > I'm looking for a single solution that will cover all sorts of these
    > > kinds of attacks.
    >
    > Hire a competent sysadmin with security experience.
    >
    > --
    > DeeDee, don't press that button! DeeDee! NO! Dee...
    >
    >
    >

    Chris Fortune Guest

  4. #3

    Re: how to detect and block repetitive attacks

    On Tue, 03 Aug 2004 19:34:04 GMT, Chris Fortune <> wrote:
    > Very funny.
    Please don't top-post, and I don't think he was joking.
    > Do you know of a log audit program that detects these kinds of
    > attacks, and then alters system-wide IP blocking rules, for example?
    Yes. Would you like to tell us anything at all about your environment
    so we can formulate relevant answers, or is this just a general question,
    or what's the situation? Have you googled? What did you find there
    that does or doesn't help?



    Dave Hinz Guest

  5. #4

    Re: how to detect and block repetitive attacks

    Thanks. Linux RH8, Apache, it's a web server dedicated to
    anti-spam/anti-virus pop-forward & filter services. It's getting attacked
    by the usual script kiddies, who occasionally bang it with thousands of
    login attempts per hour.

    I found Snort http://www.snort.org/, and have been struggling to write rules
    and control IP suppression automatically based on a behaviour of
    "repetition". Looking at the system logs, I see that only a handful of IP
    addresses need to access my server repetitively, and so I would like to
    allow them, but temporarily block any others after a certain number of
    repetitions. The algorithm that most appeals to me is "greylisting", where
    repetitive requests are fulfilled, but at a slower and slower bit transfer
    rate, so there is a dynamic "damping" effect, eventually blocking the IP
    totally after a certain threshold, but that's ideal, a simple blocking
    algorithm will suffice.

    I apologize for my newness to Unix security. It seems logical to me that
    there must be a well-known, open-source security tool that provides this
    sort of defence. If not, then I may be forced to take Michael's good
    advice.



    "Dave Hinz" <DaveHinz@spamcop.net> wrote in message
    news:2na8faFuias4U1@uni-berlin.de...
    > On Tue, 03 Aug 2004 19:34:04 GMT, Chris Fortune <> wrote:
    > > Very funny.
    >
    > Please don't top-post, and I don't think he was joking.
    >
    > > Do you know of a log audit program that detects these kinds of
    > > attacks, and then alters system-wide IP blocking rules, for example?
    >
    > Yes. Would you like to tell us anything at all about your environment
    > so we can formulate relevant answers, or is this just a general question,
    > or what's the situation? Have you googled? What did you find there
    > that does or doesn't help?
    >
    >
    >

    Chris Fortune Guest

  6. #5

    Re: how to detect and block repetitive attacks


    In comp.unix.admin Chris Fortune <hey.spammer...just.get@job.org> suggested:

    ( Please stop top-posting as Dave already pointed out. )
    > Thanks. Linux RH8, Apache, it's a web server dedicated to
    > anti-spam/anti-virus pop-forward & filter services. It's getting attacked
    RH8 is already outdated and one shouldn't run it with ports
    opened to the internet, if at all. You need to plan on upgrading
    to a recent distro with patches available.
    > by the usual script kiddies, who occasionally bang it with thousands of
    > login attempts per hour.
    > I found Snort http://www.snort.org/, and have been struggling to write rules
    > and control IP suppression automatically based on a behaviour of
    > "repetition". Looking at the system logs, I see that only a handful of IP
    > addresses need to access my server repetitively, and so I would like to
    Why not simply allow these few IPs, or the network, if those are
    dynamic, and simply block anything else with iptables. Should be
    much easier than anything else that sounds as if it would
    require some experience.

    --
    Michael Heiming - RHCE (GPG-Key ID: 0xEDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    Michael Heiming Guest
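As an added example (not code from the thread or from any of the posters), here is a small Python sketch of the log-driven blocker Chris describes in #4 combined with Michael's allow-list suggestion in #5: it counts failed logins per source IP over constructed sample vsftpd log lines, never blocks the handful of allow-listed hosts, blocks an IP once it passes a repetition threshold inside a time window, and doubles the block length on each further strike to approximate the "damping" effect. The log format, the year (syslog omits it) and the iptables rule shape are assumptions, not details from the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style vsftpd "FAIL LOGIN" lines (sample data, not from the thread).
SAMPLE_LOG = """\
Aug  3 19:34:01 host vsftpd[2101]: FAIL LOGIN: Client "203.0.113.5"
Aug  3 19:34:02 host vsftpd[2101]: FAIL LOGIN: Client "203.0.113.5"
Aug  3 19:34:03 host vsftpd[2101]: FAIL LOGIN: Client "203.0.113.5"
Aug  3 19:34:04 host vsftpd[2101]: FAIL LOGIN: Client "203.0.113.5"
Aug  3 19:35:00 host vsftpd[2101]: FAIL LOGIN: Client "198.51.100.7"
Aug  3 19:35:01 host vsftpd[2101]: FAIL LOGIN: Client "198.51.100.7"
Aug  3 19:35:02 host vsftpd[2101]: FAIL LOGIN: Client "198.51.100.7"
Aug  3 19:36:00 host vsftpd[2101]: FAIL LOGIN: Client "192.0.2.10"
Aug  3 19:36:01 host vsftpd[2101]: FAIL LOGIN: Client "192.0.2.10"
Aug  3 19:36:02 host vsftpd[2101]: FAIL LOGIN: Client "192.0.2.10"
Aug  3 19:45:00 host vsftpd[2101]: FAIL LOGIN: Client "198.51.100.7"
Aug  3 19:45:01 host vsftpd[2101]: FAIL LOGIN: Client "198.51.100.7"
Aug  3 19:45:02 host vsftpd[2101]: FAIL LOGIN: Client "198.51.100.7"
""".splitlines()
ALLOW = {"192.0.2.10"}   # the handful of hosts that legitimately hit the box repeatedly
LOG_RE = re.compile(r'^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) .*FAIL LOGIN: Client "([\d.]+)"')

def parse(line, year=2004):
    """Return (timestamp, ip) for a failed-login line, else None; the year is assumed."""
    m = LOG_RE.match(line)
    if m:
        mon, day, clock, ip = m.groups()
        return datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S"), ip

def plan_blocks(lines, allow, threshold=3, window=60, base=300):
    """Map ip -> [(iso_time, block_seconds)]: block after `threshold` failures inside
    `window` seconds; each later strike doubles the block length (the damping effect)."""
    recent, strikes, until, blocks = defaultdict(deque), defaultdict(int), {}, defaultdict(list)
    for ts, ip in sorted(r for r in map(parse, lines) if r):
        if ip in allow or ts < until.get(ip, ts):
            continue            # allow-listed, or still dropped by the firewall
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()         # forget attempts that fell out of the window
        if len(q) >= threshold:
            seconds = base * 2 ** strikes[ip]
            strikes[ip] += 1
            until[ip] = ts + timedelta(seconds=seconds)
            blocks[ip].append((ts.isoformat(), seconds))
            q.clear()
    return dict(blocks)

def iptables_commands(blocks):
    # DROP rules an operator or cron job would apply (rule shape is an assumption)
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in blocks]
```

Run against the sample, 203.0.113.5 is blocked once (its fourth attempt lands inside the block and is ignored), 198.51.100.7 earns a 300 s block and then a 600 s one, and the allow-listed 192.0.2.10 is never touched.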

  7. #6

    Re: how to detect and block repetitive attacks

    On Tue, 03 Aug 2004 20:10:41 GMT, Chris Fortune <> wrote:
    > Thanks. Linux RH8, Apache, it's a web server dedicated to
    FFS, DON'T FREAKING TOP-POST.

    Dave Hinz Guest
