Hello list members,

Over the past 12 hours my firewall box has had over 300 hits to port 1434 from numerous IPs. I ran tcpdump on a couple of them and it looks like the ms-sql exploit attempt. I don't use ms-sql. I've always gotten a few hits per day, but now it's gotten out of control.

I use logcheck to email the system logs to me and at this rate by the time I get back in the office on Monday I'll probably have over a thousand emails.

Rather than just having logcheck ignore port 1434 in the logs I was thinking perhaps if I just blacklisted the offending IPs I'd deter them for good. I started doing this but after typing 'shorewall drop <ip>' and 'shorewall save' about 10 times I thought there must be a better way.

Could anyone offer any advice such as automagic scripts that can grep the logs and issue the command to blacklist the IPs?

Any and all comments or advice would be greatly appreciated. If any further information is needed I'd be happy to provide it.

Thanks.
--On Saturday, January 25, 2003 12:48 PM -0500 itdamager@cox.net wrote:

> Could anyone offer any advice such as automagic scripts that can grep the
> logs and issue the command to blacklist the IPs?
>
> Any and all comments or advice would be greatly appreciated. If any
> further information is needed I'd be happy to provide it.

You can do what I did -- in /etc/shorewall/blacklist:

0.0.0.0/0 tcp 1433
0.0.0.0/0 udp 1434

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
--On Saturday, January 25, 2003 9:50 AM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> --On Saturday, January 25, 2003 12:48 PM -0500 itdamager@cox.net wrote:
>
>> Could anyone offer any advice such as automagic scripts that can grep the
>> logs and issue the command to blacklist the IPs?
>>
>> Any and all comments or advice would be greatly appreciated. If any
>> further information is needed I'd be happy to provide it.
>
> You can do what I did -- in /etc/shorewall/blacklist:
>
> 0.0.0.0/0 tcp 1433
> 0.0.0.0/0 udp 1434

You of course also need 'blacklist' specified on your external interface and I recommend these in /etc/shorewall/shorewall.conf:

BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> You can do what I did -- in /etc/shorewall/blacklist:
>
> 0.0.0.0/0 tcp 1433
> 0.0.0.0/0 udp 1434

# rpm -qa shorewall
shorewall-1.3.2-1

That feature is worth an immediate upgrade... Thanks Tom!
--On Saturday, January 25, 2003 1:13 PM -0500 itdamager@cox.net wrote:

>> You can do what I did -- in /etc/shorewall/blacklist:
>>
>> 0.0.0.0/0 tcp 1433
>> 0.0.0.0/0 udp 1434
>
> # rpm -qa shorewall
> shorewall-1.3.2-1
>
> That feature is worth an immediate upgrade...

The ability to blacklist by protocol and port was added in Shorewall 1.3.8.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
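As an added example of the log-grepping the original question asked about (this is not code from any poster in the thread, and the thread's own recommendation is the single port-based blacklist entry above, which blocks the traffic without chasing individual sources): a small POSIX shell script that reads netfilter LOG lines of the kind Shorewall writes, tallies the source addresses hitting a given protocol and destination port, and prints candidate lines in the /etc/shorewall/blacklist format shown above (ADDRESS PROTOCOL PORT). The log lines, hostnames and addresses are constructed; SRC=, PROTO= and DPT= are the standard netfilter LOG field names. The script only prints; it never runs shorewall itself, so an operator can review the list before applying it.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise netfilter/Shorewall DROP
# log lines per source address for one protocol/port and print candidate
# /etc/shorewall/blacklist entries (ADDRESS PROTOCOL PORT) for the noisiest.

# Constructed sample log lines in the standard netfilter LOG format.
# The hostname "fw" and the addresses (documentation ranges) are made up.
SAMPLE_LOG='Jan 25 12:01:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=404 PROTO=UDP SPT=1051 DPT=1434 LEN=384
Jan 25 12:01:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=404 PROTO=UDP SPT=1052 DPT=1434 LEN=384
Jan 25 12:01:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=404 PROTO=UDP SPT=2000 DPT=1434 LEN=384
Jan 25 12:01:11 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=3456 DPT=22 WINDOW=5840
Jan 25 12:01:14 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=404 PROTO=UDP SPT=1053 DPT=1434 LEN=384'

# sources_for_port PROTO PORT
# Reads log lines on stdin; prints "<hits> <source-ip>" per source that sent
# PROTO traffic to destination port PORT and was dropped, busiest first.
sources_for_port() {
    awk -v proto="$1" -v port="$2" '
        /DROP/ {
            src = ""; p = ""; d = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src = substr($i, 5)
                if ($i ~ /^PROTO=/) p   = substr($i, 7)
                if ($i ~ /^DPT=/)   d   = substr($i, 5)
            }
            if (src != "" && p == proto && d == port) count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# blacklist_lines PROTO PORT MIN_HITS
# Reads log lines on stdin; prints one /etc/shorewall/blacklist line
# (ADDRESS PROTOCOL PORT) for every source with at least MIN_HITS hits.
# A threshold keeps a single stray packet from earning a permanent entry.
blacklist_lines() {
    lcproto=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sources_for_port "$1" "$2" |
        awk -v min="$3" -v proto="$lcproto" -v port="$2" \
            '$1 >= min { printf "%s %s %s\n", $2, proto, port }'
}

# Stand-alone demonstration on the constructed sample; on a real box you
# would feed the kernel log (e.g. /var/log/messages) on stdin instead.
printf '%s\n' "$SAMPLE_LOG" | sources_for_port UDP 1434
printf '%s\n' "$SAMPLE_LOG" | blacklist_lines UDP 1434 2
```

Run it with the firewall log on stdin and redirect the output of blacklist_lines to a file for review; only after checking the addresses would you append them to /etc/shorewall/blacklist and restart Shorewall. Because the 1434/udp scans come from a very large number of sources, the port-wide entry Tom posted remains the cheaper and more complete block; the per-source list is mainly useful for seeing who is loudest.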
This is an Internet-wide attack.

MS SQL Server Worm Wreaking Havoc
http://slashdot.org/articles/03/01/25/1245206.shtml?tid=109

On Sat, 2003-01-25 at 09:48, itdamager@cox.net wrote:
> Over the past 12 hours my firewall box has had over 300 hits to port
> 1434 from numerous IPs. I ran tcpdump on a couple of them and it
> looks like the ms-sql exploit attempt. I don't use ms-sql. I've always
> gotten a few hits per day, but now it's gotten out of control.
>
> I use logcheck to email the system logs to me and at this rate by the
> time I get back in the office on Monday I'll probably have over a
> thousand emails.
>
> Rather than just having logcheck ignore port 1434 in the logs I was
> thinking perhaps if I just blacklisted the offending IPs I'd deter
> them for good. I started doing this but after typing 'shorewall drop
> <ip>' and 'shorewall save' about 10 times I thought there must be a
> better way.
>
> Could anyone offer any advice such as automagic scripts that can grep
> the logs and issue the command to blacklist the IPs?
>
> Any and all comments or advice would be greatly appreciated. If any
> further information is needed I'd be happy to provide it.

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
> > You can do what I did -- in /etc/shorewall/blacklist:
> >
> > 0.0.0.0/0 tcp 1433
> > 0.0.0.0/0 udp 1434

And "you need Shorewall 1.3.8 or later for that to work..." ;)

> --
> VETSEL Patrice
>
> French-language DEBIAN help forum at: http://kagou.tuxfamily.org/
On Saturday 25 January 2003 10:50 am, Tom Eastep wrote:
> --On Saturday, January 25, 2003 12:48 PM -0500 itdamager@cox.net wrote:
> > Could anyone offer any advice such as automagic scripts that can grep the
> > logs and issue the command to blacklist the IPs?
> >
> > Any and all comments or advice would be greatly appreciated. If any
> > further information is needed I'd be happy to provide it.
>
> You can do what I did -- in /etc/shorewall/blacklist:
>
> 0.0.0.0/0 tcp 1433
> 0.0.0.0/0 udp 1434
>
> -Tom

FYI: The following is a list of SQL server ports:

ms-sql-s  1433/tcp  #Microsoft-SQL-Server
ms-sql-s  1433/udp  #Microsoft-SQL-Server
ms-sql-m  1434/tcp  #Microsoft-SQL-Monitor
ms-sql-m  1434/udp  #Microsoft-SQL-Monitor

--
Sed quis custodiet ipsos custodes?
=========================================================================
Robin Lynn Frank - Director of Operations - Paradigm-Omega, LLC
Copyright and PGP/GPG info in mail or message headers.
Email acceptance policy at http://paradigm-omega.com/email_policy.html
=========================================================================