1) TCP and UDP ports have nothing to do with each other, and HTTP is not
implemented over UDP, so blocking TCP only is proper.

2) You're piping multi-line data into awk, which prints out one column of
that data. At the command line, though you rarely notice, multi-line data
is treated just like data with spaces between the items, so you end up
with 10 IP address arguments on the command line for 10 lines of CodeRed
log data. Take a look at the 'xargs' command, which accepts stdin data and
executes a command for each line of data it receives.

3) Due to #2, your `awk` command cannot complete until all of the data
from stdin is received. Since the tail -f never exits, awk sits there
waiting for more. The command line is never completed, so ipchains is
never executed.

You probably want something more like (untested, edit to taste and
specific configuration):

  tail -f /var/log/messages | grep -i codered | grep -v proxy | \
    awk '{ print $11 }' | cut -d: -f1 | \
    xargs -i ipchains -A input -p tcp -s {}/32 -d 0/0 80 -i eth1 -j DENY

But other posters have suggested already-written and already-proven
techniques to accomplish the same goal.

David

-----Original Message-----
From: Florian Piekert [mailto:floppyat_private]
Sent: Friday, September 07, 2001 18:47
To: incidentsat_private
Subject: code red attacks and real-time blackhole'ng

my idea was as follows:

  #!/bin/bash
  tail -f /var/log/messages | grep -i "codered" | grep -iv proxy | \
    awk '{print $11}' | awk -F : '{print $1}' | \
    ipchains -A input -s i `awk '{print $1}'`/255.255.255.255 -d 0/0 80 -i eth1 -j DENY --protocol tcp

Several problems now occur (for some of you probably trivialities):

1) the above port 80 blocking makes sense if tcp and udp are blocked, or
is tcp sufficient?

2) when I do a tail -n 1000 instead of the tail -f, ipchains bitches
because he gets 1000 (not that many of course) ip addresses at once but
only wants _1_ argument, not a list.

3) when I do a tail -f nothing happens at all; without the ipchains
command no output is generated at all even if new entries in
/var/log/messages appear, but if I tail -n 1000 /var/log/messages and use
the above pipes, I get a neat list of IP addresses...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
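The per-line fix David describes (one firewall invocation per log line instead of one invocation handed every address at once), as an added example that is not code from either poster. It goes a little beyond the thread: instead of hard-coding field 11 it takes the first IP:port token on each matching line, drops addresses with an octet above 255, and de-duplicates, so one noisy host does not produce a pile of identical rules. The log lines are constructed, BLOCK_CMD is a hypothetical hook that defaults to echo (a dry run), and the --line-buffered / fflush() calls are there because, under a real tail -f, grep and awk block-buffer their output when writing into a pipe and nothing would reach the firewall command until the buffer filled.

```shell
#!/bin/sh
# Added example, not code from the thread. It turns each matching syslog
# line into exactly one blocking command, the fix David describes.
# BLOCK_CMD is a hypothetical hook; it defaults to 'echo' so the script only
# prints what it would run unless you point it at a real firewall command.

BLOCK_CMD="${BLOCK_CMD:-echo}"

# Constructed sample log lines (not real data). The source IP:port token
# sits at a different field position on each line on purpose.
SAMPLE_LOG='Sep  7 18:40:01 gw httpd: CodeRed probe from 10.0.0.5:3456 to eth1
Sep  7 18:40:02 gw squid: proxy relayed CodeRed request from 10.0.0.6:1044
Sep  7 18:40:03 gw httpd: codered probe 192.0.2.77:1030 repeat
Sep  7 18:40:04 gw httpd: CodeRed probe from 300.1.2.3:1031 to eth1
Sep  7 18:40:05 gw httpd: CodeRed probe from 10.0.0.5:3457 to eth1'

# extract_ips: stdin -> one valid, de-duplicated source IP per line.
# --line-buffered and fflush() only matter under 'tail -f': without them
# grep and awk hold output in a block buffer when writing to a pipe.
extract_ips() {
    grep --line-buffered -i 'codered' | grep --line-buffered -iv 'proxy' |
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) {
                ip = $i; sub(/:.*/, "", ip)          # strip the port
                n = split(ip, o, ".")
                ok = (n == 4)
                for (j = 1; j <= 4 && ok; j++) if (o[j] + 0 > 255) ok = 0
                if (ok && !(ip in seen)) { seen[ip] = 1; print ip; fflush() }
                break
            }
        }
    }'
}

# block_ip: issue one firewall command for a single address (one rule per
# line is what xargs gives you; here the loop below plays that role).
block_ip() {
    $BLOCK_CMD ipchains -A input -p tcp -s "$1/32" -d 0/0 80 -i eth1 -j DENY
}

# run_sample: the full pipeline over the constructed lines; prints the
# commands that would be executed, one per line.
run_sample() {
    printf '%s\n' "$SAMPLE_LOG" | extract_ips | while read -r ip; do
        block_ip "$ip"
    done
}

run_sample
```

Of the five constructed lines, the proxy line, the line with the impossible octet and the repeat of 10.0.0.5 are dropped, so the dry run prints two ipchains commands. To run it for real, set BLOCK_CMD to an empty-safe wrapper such as `BLOCK_CMD=sudo` and replace the printf with `tail -f /var/log/messages`.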
This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 08:53:58 PDT