One thing that could possibly be added (although not a big thing - I'm sure you have better things to do):
Would it be possible for you to add a command line trigger to lfd to generate a block report? At present I can only test it by triggering an IP block by brute forcing/login fails (I understand this is because it is lfd and not csf that forks the process).
IP Deny logging to a database or post block/post remove hooks
Have just discovered one problem with the way this works (which you may or may not want to fix - it isn't a large issue - only PHP related).
I have been experimenting with the centralised database idea discussed previously in this thread; I have been using a PHP shell script to accept the data.
It all works fine and as expected, except for triggering suhosin's default variable name length limit (the actual block data) as below:
Oct 22 15:51:06 SERVERNAME suhosin[6314]: ALERT - configured request variable name length limit exceeded - dropped variable '6_(smtpauth)_login_failures_from_114_44_132_135_in_the_last_300_secs' (attacker 'REMOTE_ADDR not set', file 'unknown')
Is there a way I can hack it to add switches with parameters rather than long strings, e.g.:
user@box# /path/to/script -b '6_(smtpauth)_login_failures_from_114_44_132_135_in_the_last_300_secs'
as opposed to the current method:
user@box# /path/to/script '6_(smtpauth)_login_failures_from_114_44_132_135_in_the_last_300_secs'
Suhosin will then not trigger as the limit is on the variable name length, rather than the string value.
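The switch-based receiver proposed above, written out as an added example (this is not code from csf/lfd, nor the poster's PHP script). It assumes the switch names (-i/-s/-n/-w/-r), the SQLite table layout, and the shape of the block text, which is taken from the suhosin alert on this page; the parser accepts both dots and underscores in the address because PHP rewrites dots and spaces in request variable names to underscores, which is why the alert shows "114_44_132_135". Each field arrives as a short switch value, so no long string ever becomes a variable name.

```python
#!/usr/bin/env python3
"""Store one lfd-style block report, passed as switches rather than one long
positional string.  Added example; switch names, regex and schema are
assumptions, not part of csf/lfd."""
import argparse
import re
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS blocks (
    id       INTEGER PRIMARY KEY,
    ts       TEXT    NOT NULL,
    ip       TEXT    NOT NULL,
    service  TEXT,
    failures INTEGER,
    window   INTEGER,
    reason   TEXT
)
"""

# Layout of the block text as seen in the suhosin alert on the page, with
# either '.'/' ' (original) or '_' (after PHP's variable-name rewriting).
LEGACY_RE = re.compile(
    r"(\d+)[ _]\((\w+)\)[ _]login[ _]failures[ _]from[ _]"
    r"(\d+)[._](\d+)[._](\d+)[._](\d+)[ _]in[ _]the[ _]last[ _](\d+)[ _]secs"
)


def build_parser():
    p = argparse.ArgumentParser(description="store one lfd block report")
    p.add_argument("-i", "--ip", required=True, help="blocked address")
    p.add_argument("-s", "--service", default=None, help="e.g. smtpauth, sshd")
    p.add_argument("-n", "--failures", type=int, default=None, help="login failures counted")
    p.add_argument("-w", "--window", type=int, default=None, help="counting window in seconds")
    p.add_argument("-r", "--reason", default="", help="free-text block reason")
    return p


def parse_legacy(blob):
    """Split the single-string form into fields so it can be resent as switches."""
    m = LEGACY_RE.fullmatch(blob)
    if not m:
        raise ValueError("unrecognised block string")
    n, svc, a, b, c, d, w = m.groups()
    return {"ip": f"{a}.{b}.{c}.{d}", "service": svc,
            "failures": int(n), "window": int(w), "reason": blob}


def to_switches(fields):
    """Render parsed fields as the short-switch argv the poster proposed."""
    return ["-i", fields["ip"], "-s", fields["service"],
            "-n", str(fields["failures"]), "-w", str(fields["window"]),
            "-r", fields["reason"]]


def store(conn, argv):
    """Parse argv and insert one row; returns the row count afterwards."""
    conn.execute(SCHEMA)
    a = build_parser().parse_args(argv)
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    conn.execute(
        "INSERT INTO blocks (ts, ip, service, failures, window, reason) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (ts, a.ip, a.service, a.failures, a.window, a.reason),
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM blocks").fetchone()[0]


def blocked_ips(conn):
    """Distinct addresses recorded so far, for the end-user query side."""
    return [r[0] for r in conn.execute("SELECT DISTINCT ip FROM blocks ORDER BY ip")]


if __name__ == "__main__":
    import sys
    db = sqlite3.connect("blocks.db")  # assumed path
    print(store(db, sys.argv[1:]))
```

Usage is `script.py -i 114.44.132.135 -s smtpauth -n 6 -w 300 -r '...'`; `parse_legacy` plus `to_switches` is only there to convert the existing single-string form during a transition.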
randy wrote:
Nick,
Did you say you were putting this into a database? I would be interested to see how you are doing this; it would be a great thing to have for our users.
Randy

I am indeed; my intention is to develop a centralised block list and associated app for end users to query, however as I am doing this in my spare time it is only very rough atm.
Your idea sounds cool. It's cool to determine the origin IPs of recurrent port scanning and connection attempts. You may generate statistics on the frequency and provenance of them.
Also, you can use shellexec via PHP to see what's happening in real time.
You can generate a list of currently blocked IPs:
iptables -L LOCALINPUT -n | grep DROP | awk '{print $4}' | uniq
or just count how many IPs are being blocked at this moment:
iptables -L LOCALINPUT -n | grep DROP | awk '{print $4}' | uniq | wc -l
I do use those commands from a hidden PHP file in one of the domains to check from my cell phone if something strange is happening and requires urgent action (and if that is on fire, I call an emergency script from my cell phone with another hidden shellexec request that will turn off affected services, free memory, and restart them once the situation is under control).
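The two iptables one-liners above, reworked as an added example (not code from the post or from csf): a small parser over the `iptables -L LOCALINPUT -n` listing that picks the source column of DROP rules, the same column 4 the awk selects. The sample listing is constructed, not captured from a real host, and the chain name LOCALINPUT is taken from the post. Two design points: the addresses are sorted before de-duplication, since `uniq` only merges adjacent lines, and a snapshot diff is included so a poller can alert on change rather than on every check.

```python
#!/usr/bin/env python3
"""Summarise DROP sources from `iptables -L LOCALINPUT -n`.  Added example;
SAMPLE is constructed, not real firewall output."""
import subprocess
from collections import Counter

# Constructed sample listing. Note the repeated 114.44.132.135 rows are not
# adjacent, so `uniq` alone would not merge them.
SAMPLE = """\
Chain LOCALINPUT (1 references)
target     prot opt source               destination
DROP       all  --  114.44.132.135       0.0.0.0/0
DROP       all  --  203.0.113.9          0.0.0.0/0
ACCEPT     all  --  192.0.2.10           0.0.0.0/0
DROP       tcp  --  198.51.100.7         0.0.0.0/0            tcp dpt:25
DROP       all  --  114.44.132.135       0.0.0.0/0
"""


def drop_sources(listing):
    """Counter of source addresses in DROP rules (column 4 of the listing)."""
    counts = Counter()
    for line in listing.splitlines():
        fields = line.split()
        # skip the "Chain ..." banner, the column header, blank and non-DROP rows
        if len(fields) < 4 or fields[0] != "DROP":
            continue
        counts[fields[3]] += 1
    return counts


def blocked_ips(listing):
    """Sorted, de-duplicated list of blocked addresses."""
    return sorted(drop_sources(listing))


def blocked_count(listing):
    """Equivalent of the `... | uniq | wc -l` one-liner, minus the adjacency caveat."""
    return len(blocked_ips(listing))


def changed_since(previous, current):
    """Compare two snapshots: returns (newly_blocked, released)."""
    before, after = set(previous), set(current)
    return sorted(after - before), sorted(before - after)


def live_listing(chain="LOCALINPUT"):
    """Run iptables for real (needs root) and return its stdout."""
    return subprocess.run(["iptables", "-L", chain, "-n"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    ips = blocked_ips(live_listing())
    print(f"{len(ips)} addresses blocked")
    for ip in ips:
        print(ip)
```

Running it as root prints the count and the addresses; `changed_since` is meant to be fed the previous run's list so a periodic check only reports additions and removals.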