Wiki source for DNSBlockList
**Autoblock**
By Jeff Taylor (Shdwdrgn)
----
This page describes how to use autoblock, a simple bash script program, to temporarily block abusive IP addresses from a server. Based on a simple set of rules, any IP address which breaks those rules will be banned for a specified period of time.
To use these scripts, we will need the following:
* A *nix server
* bash
* iptables
* syslogd / klogd
* hc-cron
* logrotate
This page will be focusing on a server which is running ""Bind9"". If you are not using autoconf for that purpose, you can ignore those sections below.
**Please Note:** The autoblock script assumes it is the only thing making use of iptable on the server, and wipes existing rules before setting up it's own!
----
To begin, create a folder for the main scripts.
%%# mkdir /etc/autoconf%%
Copy the scripts into that folder:
[[AutoBlockSH | autoblock]] v20060120
[[AutoBlockRules | autoblock.rules]]
[[AutoBlockCleanup | cleanup]] v20060120
Now we need something for the script to look at. We are going to be filtering on two different types of events. The first will be attempted SSH breakins. The second will be abusive DNS requests. Both types of events are going to be routed to the file /var/log/filter.
Syslogd gives us an easy way to monitor SSH login attempts. Edit the file /etc/syslog.conf and add the following line:
%%auth.* /var/log/filter%%
Restart syslogd, and SSH events should now be logged in /var/log/filter.
To log events in Bind, we need to edit /etc/bind/named.conf and add the following:
%%logging {
channel filter_syslog {
file "/var/log/filter";
print-time yes;
print-category yes;
print-severity yes;
};
# category client { filter_syslog; };
# category config { filter_syslog; };
# category default { filter_syslog; };
# category general { filter_syslog; };
category lame-servers { filter_syslog; };
# category network { filter_syslog; };
# category notify { filter_syslog; };
# category queries { filter_syslog; };
# category resolver { filter_syslog; };
# category security { filter_syslog; };
# category update { filter_syslog; };
# category xfer-in { filter_syslog; };
# category xfer-out { filter_syslog; };
};%%
Note there are a large number of events that can be logged here, however we are only interested in one type (but rules could be added to take advantage of the other types). If Bind is restarted, we will now see queries for non-existent domains being logged in /var/log/filter.
----
With the monitoring in place, we can start up autoblock and verify everything is working.
%%# /etc/autoblock/autoblock &%%
If you want to monitor the logged events, type this:
%%# tail -f /var/log/filter%%
Try connecting to the server via SSH, but use an invalid username or password. We will see these attempts in the filter log as "...Failed password for username...". Take a look at /etc/blocklist. We should see an entry for the IP we attempted to connect from - "# 192.168.0.101". Any entries in this file with leading hash marks means there was a hit against our rule set. The hash marks act as counters for each hit, and when that IP exceeds a specified threshold, the hash marks will be removed and an entry added to iptables to block this address.
----
Now that we have the script running, it's time to perform some automated cleanup. First, we need to expire old entries from /etc/blocklist. To do this, add an entry to /etc/crontab
%%* * * * * root /etc/autoblock/cleanup%%
Restart crond. Once a minute, this script will check the timestamp on entries in /etc/blocklist and remove anything that has expired. If there was an iptables block matching the entry, that IP will be removed as well.
We also want to rotate the filter log so it doesn't grow too large. Create a new file /etc/logrotate.d/filter
%%/var/log/filter {
missingok
postrotate
/usr/bin/killall -HUP named 2> /dev/null || true
endscript
}%%
----
Everything is place and running now, so lets take a closer look at how it works...
**autoblock.rules**
Each rule in this file has a number of configuration parameters which can appear in any order.
* info = Comments about this rule
* time = Given in sec/min/hours/days
* match = String match, use | to separate multiple matches
* source = Default is "SRC="
* hits = Number of hits to exceed before IP is blocked
* hittime = Time limit for hits to accumulate
* domain = Quickblock rule
Let's take a look at one of the rules:
%%SSH_Attack {
info = Brute force attack on SSH
time = 7days
match = sshd|: Failed password for
hits = 4
hittime = 1mins
source = from
}%%
Match defines the strings we look for on each line of /var/log/filter. In this case, we will require matching two strings (separated by the | pipe). It looks for "sshd", then it looks for ": Failed password for". If both strings are found, the rule will be processed.
Next we want to know who is attacking us. The source line tells us the IP address will be immediately after the string "from"
Hits and hittime will give us the frequency of attack before we block this IP. In this case we will block if there are 4 hits, each occurring less than 1 minute apart. (This means all of the hits will occur within a 4-minute period, NOT that all four hits will occur in 1 minute.)
And finally, once we know that we are going to block this IP, we look at time. If someone is blatantly attacking, we probably don't care for any traffic from them, so for this rule we will block the offender for 7 days.
Note that time and hittime can be specified in seconds, minutes, hours or days (sec/min/hours/days).
There is one addition parameter - domain. This is a special-case rule created for DNS abuse which looks for the same information being requested simultaneously from multiple IP's. For example, when multiple spambots are instructed to begin a spam-run, they will all be using the same list of email addresses to send to. The result of this is that our filter log will show several IP addresses requesting the same non-existent domain name at nearly the same time. The domain parameter has two parts, separated by a pipe, which encloses the domain name being requested. For example:
lame server resolving '|'
To trigger the quick-block rule, 2 of the last 5 entries in the filter log, each with unique IP addresses, must have requested a lookup of the same domain. This event is nearly impossible under normal internet usage, however it happens quite frequently with spambots are running. When this event is triggered, both IP addresses will be blocked immediately for the length of time specified in the rule.
----
CategoryDNSBlockList
By Jeff Taylor (Shdwdrgn)
----
This page describes how to use autoblock, a simple bash script program, to temporarily block abusive IP addresses from a server. Based on a simple set of rules, any IP address which breaks those rules will be banned for a specified period of time.
To use these scripts, we will need the following:
* A *nix server
* bash
* iptables
* syslogd / klogd
* hc-cron
* logrotate
This page will be focusing on a server which is running ""Bind9"". If you are not using autoconf for that purpose, you can ignore those sections below.
**Please Note:** The autoblock script assumes it is the only thing making use of iptable on the server, and wipes existing rules before setting up it's own!
----
To begin, create a folder for the main scripts.
%%# mkdir /etc/autoconf%%
Copy the scripts into that folder:
[[AutoBlockSH | autoblock]] v20060120
[[AutoBlockRules | autoblock.rules]]
[[AutoBlockCleanup | cleanup]] v20060120
Now we need something for the script to look at. We are going to be filtering on two different types of events. The first will be attempted SSH breakins. The second will be abusive DNS requests. Both types of events are going to be routed to the file /var/log/filter.
Syslogd gives us an easy way to monitor SSH login attempts. Edit the file /etc/syslog.conf and add the following line:
%%auth.* /var/log/filter%%
Restart syslogd, and SSH events should now be logged in /var/log/filter.
To log events in Bind, we need to edit /etc/bind/named.conf and add the following:
%%logging {
channel filter_syslog {
file "/var/log/filter";
print-time yes;
print-category yes;
print-severity yes;
};
# category client { filter_syslog; };
# category config { filter_syslog; };
# category default { filter_syslog; };
# category general { filter_syslog; };
category lame-servers { filter_syslog; };
# category network { filter_syslog; };
# category notify { filter_syslog; };
# category queries { filter_syslog; };
# category resolver { filter_syslog; };
# category security { filter_syslog; };
# category update { filter_syslog; };
# category xfer-in { filter_syslog; };
# category xfer-out { filter_syslog; };
};%%
Note there are a large number of events that can be logged here, however we are only interested in one type (but rules could be added to take advantage of the other types). If Bind is restarted, we will now see queries for non-existent domains being logged in /var/log/filter.
----
With the monitoring in place, we can start up autoblock and verify everything is working.
%%# /etc/autoblock/autoblock &%%
If you want to monitor the logged events, type this:
%%# tail -f /var/log/filter%%
Try connecting to the server via SSH, but use an invalid username or password. We will see these attempts in the filter log as "...Failed password for username...". Take a look at /etc/blocklist. We should see an entry for the IP we attempted to connect from - "# 192.168.0.101". Any entries in this file with leading hash marks means there was a hit against our rule set. The hash marks act as counters for each hit, and when that IP exceeds a specified threshold, the hash marks will be removed and an entry added to iptables to block this address.
----
Now that we have the script running, it's time to perform some automated cleanup. First, we need to expire old entries from /etc/blocklist. To do this, add an entry to /etc/crontab
%%* * * * * root /etc/autoblock/cleanup%%
Restart crond. Once a minute, this script will check the timestamp on entries in /etc/blocklist and remove anything that has expired. If there was an iptables block matching the entry, that IP will be removed as well.
We also want to rotate the filter log so it doesn't grow too large. Create a new file /etc/logrotate.d/filter
%%/var/log/filter {
missingok
postrotate
/usr/bin/killall -HUP named 2> /dev/null || true
endscript
}%%
----
Everything is place and running now, so lets take a closer look at how it works...
**autoblock.rules**
Each rule in this file has a number of configuration parameters which can appear in any order.
* info = Comments about this rule
* time = Given in sec/min/hours/days
* match = String match, use | to separate multiple matches
* source = Default is "SRC="
* hits = Number of hits to exceed before IP is blocked
* hittime = Time limit for hits to accumulate
* domain = Quickblock rule
Let's take a look at one of the rules:
%%SSH_Attack {
info = Brute force attack on SSH
time = 7days
match = sshd|: Failed password for
hits = 4
hittime = 1mins
source = from
}%%
Match defines the strings we look for on each line of /var/log/filter. In this case, we will require matching two strings (separated by the | pipe). It looks for "sshd", then it looks for ": Failed password for". If both strings are found, the rule will be processed.
Next we want to know who is attacking us. The source line tells us the IP address will be immediately after the string "from"
Hits and hittime will give us the frequency of attack before we block this IP. In this case we will block if there are 4 hits, each occurring less than 1 minute apart. (This means all of the hits will occur within a 4-minute period, NOT that all four hits will occur in 1 minute.)
And finally, once we know that we are going to block this IP, we look at time. If someone is blatantly attacking, we probably don't care for any traffic from them, so for this rule we will block the offender for 7 days.
Note that time and hittime can be specified in seconds, minutes, hours or days (sec/min/hours/days).
There is one addition parameter - domain. This is a special-case rule created for DNS abuse which looks for the same information being requested simultaneously from multiple IP's. For example, when multiple spambots are instructed to begin a spam-run, they will all be using the same list of email addresses to send to. The result of this is that our filter log will show several IP addresses requesting the same non-existent domain name at nearly the same time. The domain parameter has two parts, separated by a pipe, which encloses the domain name being requested. For example:
lame server resolving '|'
To trigger the quick-block rule, 2 of the last 5 entries in the filter log, each with unique IP addresses, must have requested a lookup of the same domain. This event is nearly impossible under normal internet usage, however it happens quite frequently with spambots are running. When this event is triggered, both IP addresses will be blocked immediately for the length of time specified in the rule.
----
CategoryDNSBlockList
