[time] abusive clients

Adrian von Bidder avbidder
Thu Dec 23 13:45:54 UTC 2004


Yo!

It's been silent on this issue here on the list...

I'm using the script below to deny service to abusive clients.  It reacts 
quite slowly; I'm just running it twice a day.

It calls iptables to add firewall rules for abusive clients, and it removes 
firewall rules which have not hit a packet since the last time the script 
was run.

For the definition of 'abusive client', see the script :-)

The code is not very readable, I fear, but when you take into account that 
the last two projects I did any serious hacking on were gcc and the pksd (PGP) 
keyserver, it's a walk in the sunshine ;-)

Using this script, it seems that some clients go away relatively quickly, 
while others won't go away.  The oldest rule on my firewall right now is
from Dec 8, which is when the server was started with an empty rulebase.

greetings & I'm looking forward to reading all the comments when I'm back 
from holidays. Please only on the list, no cc:s to my private address.
-- vbi

(Oh, yeah, patches welcome, of course.  For future reference:
this script is svn rev 681)



===========
#! /usr/bin/perl -w

use strict;

# Every block/unblock action is appended to this log with a timestamp.
open my $log, ">>", "/home/clockmaster/log.firewall"
    or die "opening log file: $!\n";


# Step 1: remove all entries from ntp-filter with 0 counters.
# -Z zeroes the counters after listing, so a counter of 0 on the next
# run means the client has not sent a packet since this run.
my @ntpfilter = `iptables -Z -xvnL ntp-filter`;
#my @ntpfilter = `iptables -xvnL ntp-filter`;
my (undef, $head) = splice(@ntpfilter, 0, 2); # drop 'Chain ...' line, keep header
pop @ntpfilter; # 'zeroing chain'
if ($head ne "    pkts      bytes target     prot opt in     out     source          destination         \n") {
    die "iptables version has changed, probably\n";
}
foreach my $f (@ntpfilter) {
    chomp $f;
    $f =~ s/^\s+//;
    # columns: pkts bytes target prot opt in out source destination
    my ($count, undef, undef, undef, undef,
        undef, undef, $remote, undef) = split /\s+/, $f;
    next unless defined $remote;  # skip anything that is not a rule line
    if ($count == 0) {
        print $log scalar localtime, " ntp-block unblock $remote\n";
        system "iptables -D ntp-filter -s $remote -j DROP";
    }
}

# Step 2: run monlist; retry until ntpdc answers (it fails while ntpd is
# not reachable, e.g. during a restart)
my @ntprun;
do {
    @ntprun = `ntpdc -n -c monlist 2>/dev/null`;
    #@ntprun = `ntpdc -n -c monlist`;
    if ($#ntprun == -1) {
        print $log scalar localtime, " ntp-block ntpdc: fail\n";
        sleep 20;
    }
} while ($#ntprun == -1);
print $log scalar localtime, " ntp-block ntpdc: success\n";

($head, undef) = splice(@ntprun, 0, 2); # header line and '=====' separator
if ($head ne "remote address          port local address      count m ver code avgint  lstint\n") {
    die "ntp version has changed, probably\n";
}

# Step 3: go through monlist output and block everything with
#  - avg < 8    (average interval between packets, seconds)
#  - last < 60  (seconds since the last packet)
#  - count > 1000
foreach my $n (@ntprun) {
    chomp $n;
    # columns: remote port local count m ver code avgint lstint
    my ($remote, undef, undef, $count,
        undef, undef, undef, $avg, $last) = split /\s+/, $n;
    next unless defined $last;    # skip malformed or empty lines
    if ($remote eq '127.0.0.1') {
        next;
    }
    if ($avg < 8 and $last < 60 and $count > 1000) {
        print $log scalar localtime,
            " ntp-block block $remote (count=$count, avg=$avg, last=$last)\n";
        system "iptables -A ntp-filter -s $remote -j DROP";
    }
}

close $log;
===========

-- 
featured link: http://fortytwo.ch/gpg/intro
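The decision logic of the script in the post above, re-implemented as an added Python dry run that is not part of the original message: it parses constructed `iptables -xvnL ntp-filter` and `ntpdc -n -c monlist` samples (documentation addresses, made up here), applies the same unblock and block criteria, and returns the commands instead of executing them. It also skips clients that already have a live DROP rule, which the original script does not do.

```python
# Constructed sample: `iptables -xvnL ntp-filter` listing, counters since last run
IPTABLES_SAMPLE = """\
Chain ntp-filter (1 references)
    pkts      bytes target     prot opt in     out     source          destination
       0        0 DROP       all  --  *      *       192.0.2.10      0.0.0.0/0
    4521   339075 DROP       all  --  *      *       198.51.100.7    0.0.0.0/0
"""

# Constructed sample: `ntpdc -n -c monlist` output
MONLIST_SAMPLE = """\
remote address          port local address      count m ver code avgint  lstint
===============================================================================
127.0.0.1               123 127.0.0.1            132 7 2      0      2      0
203.0.113.5             123 192.0.2.1           5412 3 4      0      3     12
203.0.113.9             123 192.0.2.1            950 3 4      0      2      5
198.51.100.7            123 192.0.2.1           8000 3 4      0      1   3600
"""

def parse_ntp_filter(iptables_out):
    """Map source address -> packet counter for each DROP rule in the chain."""
    counters = {}
    for line in iptables_out.splitlines()[2:]:  # skip 'Chain ...' and header
        f = line.split()                        # pkts bytes target prot opt in out src dst
        if len(f) >= 9 and f[2] == "DROP":
            counters[f[7]] = int(f[0])
    return counters

def abusive_clients(monlist_out, already_blocked=(), avg_max=8, last_max=60, count_min=1000):
    """Remotes meeting the post's criteria: avgint < 8, lstint < 60, count > 1000."""
    hits = []
    for line in monlist_out.splitlines()[2:]:   # skip header and '====' separator
        f = line.split()                        # remote port local count m ver code avgint lstint
        if len(f) < 9:
            continue
        remote, count, avg, last = f[0], int(f[3]), int(f[7]), int(f[8])
        if remote == "127.0.0.1" or remote in already_blocked:
            continue
        if avg < avg_max and last < last_max and count > count_min:
            hits.append(remote)
    return hits

def plan(iptables_out, monlist_out):
    """Dry run: the commands the script would issue (unblock idle rules, block new abusers)."""
    counters = parse_ntp_filter(iptables_out)
    unblock = [r for r, pkts in counters.items() if pkts == 0]
    kept = set(counters) - set(unblock)   # rules that stay; do not append duplicates
    cmds = [f"iptables -D ntp-filter -s {r} -j DROP" for r in unblock]
    cmds += [f"iptables -A ntp-filter -s {r} -j DROP" for r in abusive_clients(monlist_out, kept)]
    return cmds
```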