Re: code red attacks and real-time blackhole'ng

From: red0x (red0xat_private)
Date: Fri Sep 07 2001 - 22:30:18 PDT


    Try coderedKiller: it's PHP and a shell script for close to real-time Code Red 
    blocking:
    
    
    Description: A nice PHP script and bash script that will, every five minutes, 
    add all the IPs of code red infected servers that have attempted access to 
    your server to a blackhole and iptables DROP chain. Very nice!
    
    Read more: http://genbukan.no-ip.com/download.php?op=viewdownloadeditorial&lid=42&ttitle=coderedKiller
    Download: http://genbukan.no-ip.com/download.php?op=getit&lid=42
    
    --red0x
    
    
    On Friday 07 September 2001 16:46, you wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    > Hi,
    >
    > some time ago I asked if somebody had any idea how to real-time blackhole
    > IP addresses to port 80 with ipchains that try to set off the code red virus
    > variants.
    >
    > my idea was as follows:
    >
    > #!/bin/bash
    > tail -f /var/log/messages | grep -i "codered" | grep -iv proxy | awk
    > '{print $11}' | awk -F : '{print $1}'| ipchains -A input -s i `awk '{print
    > $1}'`/255.255.255.255 -d 0/0 80 -i eth1 -j DENY --protocol tcp
    >
    > Several problems now occur (for some of you probably trivialities):
    >
    > 1) the above port 80 blocking makes sense if tcp and udp are blocked or is
    > tcp sufficient?
    >
    > 2) when I do a tail -n 1000 instead of the tail -f, ipchains bitches
    > because it gets 1000 (not that many of course) IP addresses at once but only
    > wants _1_ argument, not a list.
    >
    > 3) when I do a tail -f nothing happens at all, without the ipchains command
    > no output is generated at all even if new entries in /var/log/messages
    > appear, but if I tail -n 1000 /var/log/messages and use the above pipes, I
    > get a neat list of IP addresses...
    >
    > My questions: how can I get 2) to work? and then, how 3)?
    >
    > Any help would be greatly appreciated.
    >
    >
    >
    >
    >
    >
    > Florian Piekert                floppy@floppy.{de,org,net}
    >
    > <simply private... need a key? MY PGPP key? eMail me....>
    >
    > Voice & Fax +1001000010100101011000110110001010110101100
    >
    > PGP Public Key Fingerprint: 72E9 D42A 51E8 29CA  EE42 6029 5EF6 E9AB
    >
    >
    > ---------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    -- 
    --red0x
    
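Added example, not red0x's coderedKiller and not Florian's script: a reworking of the quoted pipeline that prints each Code Red source IP once and emits one ipchains DENY rule per address, reading from stdin so the same functions work on a `tail -f` feed instead of a command substitution. The log lines are constructed; the only assumptions about the format are the "codered" tag and an "a.b.c.d:port" field, as in the original pipeline.

```shell
#!/bin/sh
# Added example (not from the original thread). Extracts the source IPs of
# Code Red probes from syslog-style lines and emits one DENY rule per IP.
# The log format below is constructed for this example; only the "codered"
# tag and the "ip:port" field are assumed, as in the quoted pipeline.

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG='Sep  7 22:01:03 host httpd[123]: CodeRed probe from 192.0.2.10:4321 GET /default.ida
Sep  7 22:01:09 host httpd[123]: CodeRed probe from 198.51.100.7:1099 GET /default.ida
Sep  7 22:02:15 host squid[77]: proxy relayed codered signature from 203.0.113.5:80
Sep  7 22:02:40 host httpd[123]: CodeRed probe from 192.0.2.10:4400 GET /default.ida
Sep  7 22:03:01 host sshd[9]: Accepted password for alice from 192.0.2.99 port 2222'

# Print each infected source IP once: keep lines tagged codered, drop proxy
# lines, pull the dotted quad that is followed by ":port", then dedupe so a
# host that probes repeatedly does not get a duplicate rule.
codered_ips() {
    grep -i codered | grep -iv proxy \
    | sed -n 's/.*[^0-9.]\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\):[0-9]\{1,\}.*/\1/p' \
    | sort -u
}

# Turn each IP into one ipchains rule for TCP port 80 on eth1. A while/read
# loop issues one rule per address (problem 2 in the thread: ipchains wants a
# single -s argument, not a list) and consumes stdin line by line, so it also
# drains a live "tail -f" feed instead of stalling on a backtick substitution
# (problem 3). This dry run prints the commands; pipe into sh to apply them.
deny_rules() {
    while read -r ip; do
        printf 'ipchains -A input -p tcp -s %s/32 -d 0/0 80 -i eth1 -j DENY\n' "$ip"
    done
}

# Dry run over the sample log: two unique IPs, two rules.
printf '%s\n' "$SAMPLE_LOG" | codered_ips | deny_rules
```

On a live box the same functions run as `tail -f /var/log/messages | codered_ips | deny_rules | sh`, though `sort -u` must then be replaced by a per-line dedupe (for example `awk '!seen[$0]++'`) since sort waits for end of input.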
    