Hello all,
I have been reviewing my "secure" log and see lots of activity. Most of the activity is from China or other countries. What I am looking to do is have an aggressive blocking policy on my intrusion prevention. To date what I have been doing is going through the logs and manually adding all the IP addresses that have tried to attack my network. Some of the IP addresses were caught by the IPS and put on the block timer and some were not.
What I would like to do is permanently block any IP that shows up in my secure log. First, has anyone done this? If so is there an easy way? I assume I can write a script that would run as a cron to scan the log file for IP addresses, have it eliminate mine and add the rest to the firewall. However, I am not sure if doing it this way will update ClearOS or cause trouble.
Since 90% of what is in that log is from bad traffic I would rather unblock the good traffic when it causes problems rather than let the bad traffic continue to attempt access.
Any information or guidance would be greatly appreciated.
Ryan
Responses (5)
Accepted Answer
Have a read over this
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,7/func,view/id,10382/
Also covered here too
http://forums.overclockers.com.au/showthread.php?t=987733
Accepted Answer
I apologise, but I guess I should have also included how I use ClearOS and describe my network.
I pretty much use just about everything ClearOS has to offer. The ClearOS machine is pretty much my network gateway & router. It provides DHCP & NAT for the client machines as well as port forwards for my servers.
The servers include a
Web server with HTTP, HTTPS, POP3, POP3S, IMAP, IMAPS, FTP and SMTP ports forwarded to it
VOIP Server with Standard Client Ports & Port 90 (alternate HTTP) Forwarded
Standalone FTP/NAS box with High Range Ports forwarded (40000 & Higher)
Media/Torrent Server - Streaming internally only, but has constant traffic through Torrent Server
Also here are some snippets from the logs. A new occurrence which is concerning me is that it appears that some of the "attacks" are originating from my IP, including the Brute Force and 403 entries. I have intentionally X'd through my IP.
WEB-MISC robots.txt access [Classification: access to a potentially vulnerable web application] [Priority: 2]: {TCP} 66.249.68.78:59520 -> XX.XX.XX.XX:80
(http_inspect) BARE BYTE UNICODE ENCODING[Priority: 3]: {TCP} XX.XX.XX.XX:51032 -> 199.7.54.72:80
(portscan) TCP Portsweep[Priority: 3]: {PROTO:255} XX.XX.XX.XX -> 64.50.233.100
ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2]: {TCP} XX.XX.XX.XX:80 -> 88.134.65.175:31979
ET SCAN Potential FTP Brute-Force attempt [Classification: Unsuccessful User Privilege Gain] [Priority: 1]: {TCP} XX.XX.XX.XX:21 -> 86.120.159.116:15700
There are about 200 of this entry and no block
ET SCAN Rapid POP3 Connections - Possible Brute Force Attack [Classification: Misc activity] [Priority: 3]: {TCP} 8.25.218.47:47710 -> XX.XX.XX.XX.XX:110
I kept these two together, because they seem related. If anyone can help me figure out what is going on I would appreciate that. It looks like I received a Brute Force attack coming in, then my machine sent information back to the machine that attacked me. The second line was repeated about 30-40 times.
Mar 14 05:42:56 system snort[31355]: [1:3000002:5] FTP Potential Brute Force Attack [Classification: An attempted login using a suspicious username was detected] [Priority: 2]: {TCP} 174.142.192.219:35053 -> XX.XX.XX.XX.XX:21
Mar 14 05:42:57 system snort[31355]: [1:2002383:11] ET SCAN Potential FTP Brute-Force attempt [Classification: Unsuccessful User Privilege Gain] [Priority: 1]: {TCP} XX.XX.XX.XX.XX:21 -> 174.142.192.219:35053
Accepted Answer
First off remember that everything is implicitly blocked by default unless specifically allowed. What you are looking for is a "country block". Do an advanced search for older threads on this forum for the terms "country block" and you'll find some referenced. There is also plenty of stuff available on the internet with those terms.
I would avoid anything which adds rules to the forward, prerouting or postrouting chains and just stick to the input chain. If you are adding blocks yourself, rather than block an IP address do a whois on it and block the whole subnet. FWIW I block completely 58.0.0.0/7, 210.0.0.0/7, 218.0.0.0/7 and 220.0.0.0/6 which is a bit aggressive as there are a few small included subnets which are not Chinese. Unfortunately there are a lot more subnets you would need to block just to block China but there are a few nice scripts on the internet which will download lists and set up the iptables rules for you.
[edit]
Ugh. I left this thread open to reply to later. In the meanwhile Tim has replied with another take on the problem (but I am not sure it does a country block)
[/edit]
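As an added example (not code from this thread or from ClearOS), here is a Python sketch of the cron job Ryan describes, folded together with the advice in the reply above: it parses constructed sshd lines in the /var/log/secure format, skips anything inside the operator's own networks (placeholder values), optionally widens the survivors to a /24 as a stand-in for the whois-derived subnet, and emits INPUT-chain-only iptables commands that check with -C before inserting, so repeated cron runs do not stack duplicate rules.

```python
import ipaddress
import re
from collections import Counter

# Constructed /var/log/secure-style lines (RFC 5737 test addresses), not taken from the thread.
SAMPLE_SECURE_LOG = """\
Mar 14 05:41:10 system sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 41022 ssh2
Mar 14 05:41:12 system sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 41023 ssh2
Mar 14 05:41:15 system sshd[2203]: Failed password for root from 198.51.100.77 port 51000 ssh2
Mar 14 05:42:01 system sshd[2210]: Failed password for ryan from 192.168.1.20 port 50120 ssh2
Mar 14 05:42:30 system sshd[2212]: Accepted password for ryan from 192.168.1.20 port 50121 ssh2
Mar 14 05:43:02 system sshd[2215]: Failed password for invalid user oracle from 203.0.113.77 port 3344 ssh2
"""

# Never block these: RFC 1918 space plus the operator's own public range (placeholder /29).
OWN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.72/29")]

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

def failed_login_sources(log_text):
    """Count 'Failed password' events per source IP in secure-log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def is_own(ip):
    """True when the address lies inside any network we must not block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_NETWORKS)

def block_candidates(log_text, min_attempts=1):
    """Offending sources that are not ours and reached the failure threshold."""
    counts = failed_login_sources(log_text)
    ips = [ip for ip, n in counts.items() if n >= min_attempts and not is_own(ip)]
    return sorted(ips, key=ipaddress.ip_address)

def covering_networks(ips, prefix=24):
    """Widen each IP to a /prefix and merge overlaps (stand-in for the whois-derived subnet)."""
    nets = [ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def iptables_commands(targets, chain="INPUT"):
    """One idempotent DROP per target on INPUT only: -C checks before -I inserts."""
    return [f"iptables -C {chain} -s {t} -j DROP 2>/dev/null || iptables -I {chain} -s {t} -j DROP"
            for t in targets]
```

The -C (check) option needs iptables 1.4.11 or newer; the generated commands only change the running ruleset and do not persist it across a firewall restart.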