> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Friday, January 18, 2002 6:21 PM
> To: jimh@xlproject.com; shorewall-devel@shorewall.net
> Subject: Re: [Shorewall-devel] Wish list
>
>
> On Friday 18 January 2002 04:07 pm, Jim Hubbard wrote:
> > While the subject is new features, here's something I'd
> > like to see. I'd like to have a way for shorewall to be
> > able to monitor a log file and take an action when a
> > condition is met. For instance, if Shorewall could
> > monitor /var/log/httpd/access_log for entries which I
> > have defined (and know to be an attack), and then take
> > an action such as blacklisting a host or domain (only for
> > a certain length of time if possible), then that would be
> > VERY useful. This functionality could also be useful for
> > mail servers, ftp servers, and just about anything else
> > where you know what the attack looks like in the logs.
> > For instance, I run a web server (not the one below, yet)
> > that is getting slammed by people infected with Nimda.
> > Logs show multiple requests by the same client for
> > "cmd.exe" and "root.exe". Sometimes there's only one or
> > two sessions of these requests, and sometimes they keep
> > coming back again and again. Problem is, I don't have
> > the time to scour the logs and blacklist clients manually,
> > and even If I did, the bandwidth has already been wasted
> > and the threat may never return anyway. An auto-blacklisting
> > solution like I described would be much more effective.
> > Anyway, that's what I'd like to see.
>
> I think that Steve Cowles is working on something along these
> lines -- is that correct Steve?
As a matter of fact, I have been working on a slightly different approach to
solving the same problem. Right now, I have the entire Verizon network
4.0.0.0/8 (255**3) blacklisted on port 80 because I was getting thousands
upon thousands of Nimda probes a day.
My solution is based on a cron job approach which executes a shell script
that scans the current apache log file and compares each Nimda/Code Red
signature against my current blacklist file. If the ip address of a
Nimda/Code Red probe has not already been blacklisted, then I add (append)
this ip address to the current blacklist file. Then execute shorewall
refresh against the new blacklist. Although this is not real-time
monitoring, it should help in keeping my apache logfiles in a manageable
state.
So far, I have the shell script scanning and updating the blacklist file
working just fine, but I am now debating (with myself) on how best to
implement transferring my apache logfiles to my firewall system prior to
scanning by the shell script (my web server is located in a DMZ). i.e.
Should I use nfs, smb, sftp or even modify syslog.conf to duplicate apache
log entries on my firewall system's logfiles. I'm leaning towards the
latter, if possible. Unfortunately, I do not know if apache uses syslog to
make its log entries.
If anyone is interested, I will be glad to post my solution to this annoying
Nimda problem on my website once I have a chance to test everything in a
real world environment. My goal is to have this entire solution working by
the end of this weekend.
Steve Cowles
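The cron-job approach Steve describes above, written out as an added example of my own (his script is not on the page): it scans an Apache access log for the "cmd.exe" and "root.exe" request signatures from the thread (plus "default.ida", the Code Red probe), appends every client IP not already present in a Shorewall blacklist file, and reports how many addresses were added so the caller can decide whether to run shorewall refresh. The file paths and the log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not Steve Cowles' script: cron-style scan of an Apache
# access log for Nimda/Code Red probes, appending new client IPs to a
# Shorewall blacklist file. Paths and sample data are constructed.

# Request-path signatures: cmd.exe and root.exe (Nimda, as in the thread)
# and default.ida (Code Red). Extended regex, dots escaped.
SIGNATURES='cmd\.exe|root\.exe|default\.ida'

# Print the sorted, de-duplicated client IPs (first field of the common/
# combined log format) of every request matching SIGNATURES.
probe_ips() {
    # $1 = access log path
    grep -E "$SIGNATURES" "$1" | awk '{ print $1 }' | sort -u
}

# Append probing IPs that are not yet in the blacklist. Prints the count
# of newly added addresses so the caller knows whether a refresh is needed.
update_blacklist() {
    # $1 = access log path, $2 = blacklist file (one address per line)
    touch "$2"
    added=0
    for ip in $(probe_ips "$1"); do
        # -x -F: match the whole line literally, so 10.0.0.5 is not
        # mistaken for a prefix of 10.0.0.50
        if ! grep -qxF "$ip" "$2"; then
            echo "$ip" >> "$2"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# Constructed sample log in Apache common log format: one client probing
# repeatedly (10.0.0.5), one normal visitor, one Code Red probe.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [18/Jan/2002:10:00:01 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Jan/2002:10:00:02 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.9 - - [18/Jan/2002:10:00:03 -0600] "GET /index.html HTTP/1.0" 200 1234
198.51.100.7 - - [18/Jan/2002:10:00:04 -0600] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 -
10.0.0.5 - - [18/Jan/2002:10:00:05 -0600] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
EOF
}

# Demonstration: 10.0.0.5 is already blacklisted, 198.51.100.7 is new.
demo() {
    dir=$(mktemp -d)
    write_sample_log "$dir/access_log"
    echo 10.0.0.5 > "$dir/blacklist"
    n=$(update_blacklist "$dir/access_log" "$dir/blacklist")
    echo "added $n address(es); blacklist now:"
    cat "$dir/blacklist"
    # In the real cron job this is where the firewall picks up the new
    # entries, as described in the message:
    # [ "$n" -gt 0 ] && shorewall refresh
    rm -rf "$dir"
}

demo
```

Running it as a cron job means pointing the two paths at the real access log and blacklist file; because the blacklist check is a whole-line literal match, repeated runs over the same log add nothing the second time, so the refresh only fires when there is a genuinely new address.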