This conversation has reminded me of something I started writing several
times in the past 8 months or so, an Apache module to handle blocking /
notifying of infected hosts. While I appreciate what EarlyBird does, I
think its implementation could be improved (i.e., grep'ing through a flat
file to see if a host has been blocked / notified before). So I started
on this module in Perl. Initially, I had a configuration file that was
read in upon startup containing regexes matching .exe/.ida/../../../ /
etc. I went through a couple of versions using different methods to log
previous attacks so that the same admin wasn't notified multiple times
(flat file originally, then Berkeley DB, then MySQL), and then I stopped.
The average admin isn't going to want to run MySQL (or any other db
daemon) on their box simply to not have to parse through webserver logs
anymore. So I think I'm going to go back and rewrite based on Berkeley
DB again. This is a request for input on what features you (admins)
would like / appreciate / wish for. Currently, this module does the
following:
1) logs the attack, and provides an event-based handler for responding
(i.e., firewall rules, realtime email/monitoring notification,
counterattack, etc.)
2) once a night (via cron), the db is parsed, and email to admins is
prepared. No admin/abuse contact receives more than one email per night
(all hosts from that netblock are condensed into one report), and no one
is notified about a host more than once per week. These are all
configurable (not easily yet). There's also an email template file that
you can edit. The code that looks up admins via ARIN/APNIC/etc. is
currently real dirty; this actually has been the most difficult task
involved in the project.
And that's that. Suggestions? Ideas? One thing I was bouncing around was
a CGI-generated page that allows you to choose who gets notified and who
doesn't (like SpamCop). I'm nervous about sending email unattended, even
though I've tested it a bit. So I'll probably have this ready for public
review sometime this weekend. I doubt I can get it in the Apache::
namespace though, but I'll let you all know when it's up in my CPAN
directory. It may take longer than this because 1) I'm moving this week,
2) I have no DSL at my new place, and 3) I'm in the middle of a launch
at my day job, but we'll see.
-jon
--
jon@divisionbyzero.com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
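The two pieces described in the post (request-time matching of probe URIs against a regex list, then a nightly digest that sends at most one mail per abuse contact and never re-reports a host within a week) are sketched below as an added example. It is not Jon's module or any code from the original post; the original is Perl and would store state in Berkeley DB, while this is Python with a plain dict standing in for the db file. The log lines, the ATTACK_PATTERNS list, and the ABUSE_CONTACTS table (a static stand-in for the ARIN/APNIC lookup the post calls the hardest part) are all constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample access-log lines: three worm-style probes and one legitimate hit.
SAMPLE_LOG = """\
10.0.1.5 - - [19/Sep/2001:02:14:07 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 291
10.0.1.9 - - [19/Sep/2001:02:14:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
192.0.2.77 - - [19/Sep/2001:02:15:01 -0400] "GET /index.html HTTP/1.1" 200 5120
192.0.2.80 - - [19/Sep/2001:02:15:44 -0400] "GET /msadc/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313
"""

# Patterns in the spirit of the post's .exe/.ida/../ config list (constructed here).
ATTACK_PATTERNS = [re.compile(p, re.I) for p in (
    r"\.ida\b", r"\.exe\b", r"(\.\./|%2e%2e|%255c)",
)]

# Hypothetical per-/24 abuse contacts; the real module would resolve these via whois.
ABUSE_CONTACTS = {
    "10.0.1.0/24": "abuse@isp-a.example",
    "192.0.2.0/24": "abuse@isp-b.example",
}

WEEK = 7 * 86400

# Common Log Format prefix: client IP, ident, user, [timestamp], "METHOD URI ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')


def is_attack(uri):
    """True if the request URI matches any configured probe pattern."""
    return any(p.search(uri) for p in ATTACK_PATTERNS)


def record_attacks(log_text, store, now):
    """Request-time side: append (ts, ip, uri) for each matching request to store['attacks'].

    Returns the list of attacking IPs seen, in log order.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri = m.group(1), m.group(2)
        if is_attack(uri):
            store.setdefault("attacks", []).append((now, ip, uri))
            hits.append(ip)
    return hits


def contact_for(ip):
    """Map a host to its netblock and abuse contact (static table; whois in a real tool)."""
    net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
    return net, ABUSE_CONTACTS.get(net)


def nightly_digest(store, now):
    """Cron-time side: build one report per contact from the queued attacks.

    A host already notified within the last WEEK seconds is dropped, every
    remaining host from the same netblock is folded into that contact's single
    report, and store['notified'] is updated so the weekly rule holds next time.
    Returns {contact: {"netblock": str, "hosts": {ip: [uris]}}}.
    """
    notified = store.setdefault("notified", {})
    reports = {}
    for ts, ip, uri in store.get("attacks", []):
        last = notified.get(ip)
        if last is not None and now - last < WEEK:
            continue  # reported within the past week; stay quiet about this host
        net, contact = contact_for(ip)
        if contact is None:
            continue  # no abuse contact resolved; a real tool would log this for review
        rep = reports.setdefault(contact, {"netblock": net, "hosts": defaultdict(list)})
        rep["hosts"][ip].append(uri)
    for rep in reports.values():
        for ip in rep["hosts"]:
            notified[ip] = now
        rep["hosts"] = dict(rep["hosts"])
    store["attacks"] = []  # queue consumed; the dedup state lives in store['notified']
    return reports


if __name__ == "__main__":
    db = {}
    record_attacks(SAMPLE_LOG, db, 1_000_000_000)
    for contact, rep in nightly_digest(db, 1_000_000_000 + 3600).items():
        print(contact, rep["netblock"], sorted(rep["hosts"]))
```

Keeping the "already notified" timestamps keyed by host in the same store that holds the attack queue is what lets the nightly job answer "have we mailed about this box this week?" in one lookup instead of grepping a flat file; swapping the dict for a dbm/Berkeley DB handle changes only how the store is opened.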