Does anyone know of a script that can act as a "helper" for Shorewall's dynamic blacklist capabilities?

Briefly said, I'd like to know if someone already wrote a script/program that, e.g., parses log files (/var/log/messages, etc.) and picks up for example all IP addresses that failed SSH login more than X times and then executes a command such as shorewall drop <iplist> ; shorewall save (a logdigest-type variant aimed at shorewall's dynamic functionalities).

By the way, how does one "reset" the dynamic blacklist to "reallow" everyone without specifying IPs? (shorewall allow?)

Thanks
Vieri Di Paola wrote:
> Does anyone know of a script that can act as a
> "helper" for Shorewall's dynamic blacklist
> capabilities?

Here is an (ugly sorry) archive of someone's attempt:
http://lists.shorewall.net/pipermail/shorewall-users/2003-July/007328.html

I think port sentry is what you are looking for, with a bit of scripting on top.

Alex Martin
http://www.rettc.com
On Tue, 2004-12-14 at 07:55 -0800, Vieri Di Paola wrote:
>
> By the way, how does one "reset" the dynamic blacklist
> to "reallow" everyone without specifying IPs?
> (shorewall allow?)
>

There's no single command to do that but the following works:

    # Walk the rules in the 'dynamic' chain; the two header lines that
    # iptables -nL prints fall through the '*)' case and are ignored.
    iptables -nL dynamic | \
    while read target ign1 ign2 address rest; do
        case $target in
            DROP|reject)
                iptables -D dynamic -s $address -j $target
                ;;
            *)
                ;;
        esac
    done

If you use the 'save' command, you'll want to 'shorewall save' after the
above or the blacklist will reappear after the next 'shorewall -f start'
or 'shorewall restore'.

-Tom
--
Tom Eastep              \ Nothing is foolproof to a sufficiently talented fool
Shoreline,              \ http://shorewall.net
Washington USA          \ teastep@shorewall.net
PGP Public Key          \ https://lists.shorewall.net/teastep.pgp.key
The obvious flaw with something like this would be a malicious attacker who is able to convince your script to blacklist your upstream router or some other equally critical piece of infrastructure (bastion loghost anyone?). If you automate your blacklisting, make sure to give it some sanity checks.

On Tue, 14 Dec 2004 08:20:13 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> On Tue, 2004-12-14 at 07:55 -0800, Vieri Di Paola wrote:
> >
> > By the way, how does one "reset" the dynamic blacklist
> > to "reallow" everyone without specifying IPs?
> > (shorewall allow?)
> >
>
> There's no single command to do that but the following works:
>
>     iptables -nL dynamic | \
>     while read target ign1 ign2 address rest; do
>         case $target in
>             DROP|reject)
>                 iptables -D dynamic -s $address -j $target
>                 ;;
>             *)
>                 ;;
>         esac
>     done
>
> If you use the 'save' command, you'll want to 'shorewall save' after the
> above or the blacklist will reappear after the next 'shorewall -f start'
> or 'shorewall restore'.
>
> -Tom
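A minimal helper of the kind asked for at the top of the thread, with the sanity check the message above calls for, as an added example that is neither from the list archive nor part of Shorewall: it counts sshd "Failed password" lines per source address in a constructed log sample, skips addresses on a never-block list (assumed to hold the upstream router and loghost), and prints the shorewall drop commands instead of running them.

```shell
#!/bin/sh
# Constructed sample of sshd syslog lines used for the demonstration.
SAMPLE_LOG='Dec 14 07:50:01 fw sshd[2311]: Failed password for root from 203.0.113.7 port 4021 ssh2
Dec 14 07:50:03 fw sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Dec 14 07:50:05 fw sshd[2313]: Failed password for root from 203.0.113.7 port 4023 ssh2
Dec 14 07:51:10 fw sshd[2320]: Failed password for bob from 192.0.2.10 port 5100 ssh2
Dec 14 07:52:00 fw sshd[2330]: Accepted password for bob from 192.0.2.10 port 5101 ssh2
Dec 14 07:53:00 fw sshd[2340]: Failed password for root from 198.51.100.1 port 6000 ssh2
Dec 14 07:53:01 fw sshd[2341]: Failed password for root from 198.51.100.1 port 6001 ssh2
Dec 14 07:53:02 fw sshd[2342]: Failed password for root from 198.51.100.1 port 6002 ssh2'

# Assumed never-block list (the sanity check raised in the thread): the
# upstream router, the loghost, and localhost. 198.51.100.1 is a constructed
# stand-in for the router; it fails three times below but must not be dropped.
NEVER_BLOCK="198.51.100.1 127.0.0.1"

# offenders LOGFILE THRESHOLD -> prints, one per line, each source address
# with at least THRESHOLD failed SSH logins that is not on NEVER_BLOCK.
offenders() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c |
    awk -v min="$2" -v never="$NEVER_BLOCK" '
        BEGIN { n = split(never, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 >= min && !($2 in skip) { print $2 }'
}

# block_commands LOGFILE THRESHOLD -> prints the shorewall commands that would
# be run; pipe the output into sh to apply them, then "shorewall save".
block_commands() {
    offenders "$1" "$2" | while read -r ip; do
        echo "shorewall drop $ip"
    done
}

# Stand-alone demo: write the constructed log to a temp file and show the plan.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
block_commands "$tmp" 3
rm -f "$tmp"
```

Only 203.0.113.7 is reported: 192.0.2.10 is under the threshold and 198.51.100.1 is protected by the never-block list.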
On Tue, 2004-12-14 at 08:20 -0800, Tom Eastep wrote:
> On Tue, 2004-12-14 at 07:55 -0800, Vieri Di Paola wrote:
> >
> > By the way, how does one "reset" the dynamic blacklist
> > to "reallow" everyone without specifying IPs?
> > (shorewall allow?)
> >
>
> There's no single command to do that but the following works:

Duh -- I made that too complicated:

    iptables -F dynamic

also works :-)

-Tom