From: "Aldo S. Lagana" <alagana@discmail.com>
To: 'Bill Davidsen' <davidsen@tmr.com>,
	'George Chacon' <please.help.me@comcast.net>
Cc: netfilter@newkirk.us,
	'Netfilter Mailing List' <netfilter@lists.netfilter.org>
Subject: RE: How to keep record of repeat attackers?
Date: Thu, 13 Mar 2003 15:29:59 -0500
Message-ID: <001001c2e99f$51792180$3864a8c0@discmail.com>
In-Reply-To: <Pine.LNX.3.96.1030313142253.32436A-100000@gatekeeper.tmr.com>

how about portsentry with snort?

portsentry is a simplistic (script kiddie) blocker that can add rules to
iptables dynamically - works well!  then you can peruse the DENY rules
to see how many times they attempted connections
and when they get too sophisticated for portsentry...
snort is also good since it keeps the list of attackers and there may be
good analyzers of the log files for snort.


> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org 
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of 
> Bill Davidsen
> Sent: Thursday, March 13, 2003 2:34 PM
> To: George Chacon
> Cc: netfilter@newkirk.us; Netfilter Mailing List
> Subject: RE: How to keep record of repeat attackers?
> 
> 
> On Wed, 12 Mar 2003, George Chacon wrote:
> 
> > >>Your first problem is defining "offenders", then "repeat offenders"
> > >>and "attackers".  Do you mean simply to track everyone who attempts
> > >>to connect to you?  I presume you don't expect much if any
> > >>legitimate incoming NEW traffic if this is the intent?
> > 
> > Thanks for the response Joel.  What I'd like to track are the IP
> > addresses that get denied or rejected, and the deny/reject rules that
> > get accessed frequently.  In other words, I'd like to track repeated,
> > obvious, malicious connections.  I'd like to know if the same person
> > is relentlessly chipping away at my firewall, looking for weaknesses.
> >
> > I'll take a look at http://ntop.org.  That looks pretty good.
> 
> It may do, but I would still keep LOG in mind. You can catch 
> just what you want, put a useful prefix on the message to 
> simplify analysis, and bang on it with a perl program.
> 
> One hint for quick and dirty values is to write as little 
> custom code as you can. I use perl to identify the offending 
> IPs and dump them to stdout, then something like:
>   perl getIP.pl mylog | sort | uniq -c | sort -n | tail -20
> 
> Emits the IP, sorts for uniq, outputs a count of how many 
> times the IP showed up, sorts on the count, and displays the 
> top 20 "worst offenders." Since this isn't something I often 
> do the same way twice, it works for me.
> 
> -- 
> bill davidsen <davidsen@tmr.com>
>   CTO, TMR Associates, Inc
> Doing interesting things with little computers since 1979.
> 
> 
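The LOG-plus-pipeline approach Bill describes above, as an added example that is not part of the original thread: a Python stand-in for his getIP.pl that also folds in the `sort | uniq -c | sort -n | tail` step, run over constructed syslog lines from an iptables LOG rule with `--log-prefix "FW-DROP: "` (the prefix, hostnames, addresses and log lines are assumed sample data, not a real capture).

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines: the first four come from an iptables
# LOG rule with --log-prefix "FW-DROP: ", the last two are unrelated noise
# that a parser must skip (one sshd line, one line with a different prefix).
SAMPLE_LOG = """\
Mar 13 14:01:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4021 DPT=22 SYN URGP=0
Mar 13 14:01:05 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4022 DPT=23 SYN URGP=0
Mar 13 14:02:17 gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53 LEN=40
Mar 13 14:03:40 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4023 DPT=22 SYN URGP=0
Mar 13 14:04:00 gw sshd[812]: Accepted publickey for alice from 192.0.2.50 port 51234 ssh2
Mar 13 14:05:11 gw kernel: FW-ACCEPT: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=51240 DPT=443
"""

# iptables LOG output is a run of KEY=VALUE tokens (flags like SYN have no '=').
LOG_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line, prefix):
    """Return the KEY=VALUE fields of an iptables LOG line that carries
    `prefix`, or None for any other syslog line."""
    marker = line.find(prefix)
    if marker == -1:
        return None
    fields = dict(LOG_FIELD.findall(line[marker + len(prefix):]))
    return fields if "SRC" in fields else None


def repeat_offenders(lines, prefix, top=20):
    """Count hits per source IP (the getIP.pl | sort | uniq -c | sort -n
    step), worst first, and record which PROTO/DPT each source probed."""
    hits = Counter()
    probed = defaultdict(set)
    for line in lines:
        fields = parse_log_line(line, prefix)
        if fields is None:
            continue
        src = fields["SRC"]
        hits[src] += 1
        if "DPT" in fields:
            probed[src].add(f"{fields.get('PROTO', '?')}/{fields['DPT']}")
    return [(src, n, sorted(probed[src])) for src, n in hits.most_common(top)]


if __name__ == "__main__":
    for src, n, ports in repeat_offenders(SAMPLE_LOG.splitlines(), "FW-DROP:"):
        print(f"{n:5d}  {src:<16} {' '.join(ports)}")
```

Point it at a real syslog file with `repeat_offenders(open(path), "FW-DROP:")`; the prefix filter is what keeps ACCEPT logging and other kernel messages out of the count.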