There can be problems with the destination file. A solution can be found in the post “handle xt_recent from syslog-ng”.
Because of the huge number of connections from outdated clients to my ClamAV mirror (> 300,000 / day), I temporarily add individual IPs to the firewall.
Requirements:
Configure Apache HTTP-Server
Apache's access log must be sent to syslog-ng:
LogFormat "%v %h %l %u %t \"%r\" %>s %B \"%{Referer}i\" \"%{User-Agent}i\"" mirrorlog
CustomLog "| /bin/logger -t apache2" mirrorlog
As long as the log only runs through the pipe, no entries are stored on disk. The configuration used here merely evaluates the log. To still get an access log as a file, you must extend either syslog-ng with an additional destination or the Apache config with a second CustomLog.
Configure syslog-ng
As we send the access log via logger directly to syslog-ng, it is available through the normal source ‘internal’.
# pattern-db parser; the path is quoted so syslog-ng accepts it
parser pattern_db {
    db_parser(file("/usr/local/var/patterndb.xml"));
};

# the destination is the xt_recent proc file; the template writes "+<ip>"
# using the field name defined in the pattern-db below (.apache.client_ip)
destination deny-mirror {
    file("/proc/net/xt_recent/clamav-403" template("+${.apache.client_ip}\n"));
};

# only 403 responses of the ClamAV mirror vhost
filter f_mirror {
    match("database.clamav.net" value(".apache.domain"))
    and match("403" value(".apache.request_status"));
};

log { source(src); parser(pattern_db); filter(f_mirror); destination(deny-mirror); };
As every message runs through the pattern_db parser, we also need a pattern-db file for syslog-ng with the following content (if you do not want to use the pattern-db, you can also use the csv-parser from here):
<?xml version='1.0' encoding='UTF-8'?>
<patterndb version='3' pub_date='2011-07-06'>
  <ruleset id='1fba26d756011614557cf496fed7b5c0' name='apache'>
    <pattern>apache2</pattern>
    <rules>
      <rule class='apache.access_log' id='019045a7383c252e57c20435ae5bf86c' provider='fs'>
        <patterns>
          <pattern>@ESTRING:.apache.domain: @@IPv4:.apache.client_ip@ @ESTRING:.apache.ident_name: @@ESTRING:.apache.user_name: @@QSTRING:.apache.timestamp:[]@ @QSTRING:.apache.request_url:"@ @NUMBER:.apache.request_status@ @NUMBER:.apache.content_length@ @QSTRING:.apache.referer:"@ @QSTRING:.apache.user_agent:"@</pattern>
        </patterns>
        <tags>
          <tag>httpd</tag>
          <tag>IPv4</tag>
        </tags>
      </rule>
    </rules>
  </ruleset>
</patterndb>
Configure iptables
iptables -N clamav-403
iptables -A INPUT -p tcp --dport 80 -m recent --rcheck --name clamav-403 --seconds 3600 --hitcount 5 -j DROP
How it works
syslog-ng filters the Apache messages that contain database.clamav.net and 403. /proc/net/xt_recent/clamav-403 is defined as the destination, and the template adds the IP to that xt_recent list. Once “hitcount” is reached, the IP is blocked for “seconds”.
If you replace _rcheck_ here with _update_, the block lasts even longer. _rcheck_ means: we will block you for the next hour. _update_ means: we don’t want to see you for an hour, and if we see you again during that time, we block you again. In other words, you actually have to stay quiet for 60 minutes before you can connect again.
By default xt_recent stores 100 IP addresses. You can change the limit with “modprobe ipt_recent ip_list_tot=10000” (here 10000). This is only possible before the module is loaded, i.e. before the first iptables rule using it is added.
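As an added example (not code from this post), the pipeline above modelled in Python: a regex equivalent of the pattern-db rule for the mirrorlog LogFormat, the f_mirror filter plus template producing the “+IP” lines for the proc file, and a toy xt_recent list that shows the difference between _rcheck_ and _update_. The sample log lines and IPs are constructed.

```python
import re
from collections import defaultdict

# Regex equivalent of the patterndb rule for the "mirrorlog" LogFormat:
# %v %h %l %u %t "%r" %>s %B "%{Referer}i" "%{User-Agent}i"
ACCESS_RE = re.compile(
    r'^(?P<domain>\S+) (?P<client_ip>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<length>\d+|-) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$')

# Constructed sample lines, as /bin/logger hands them to syslog-ng (no syslog header)
SAMPLE = [
    'database.clamav.net 192.0.2.10 - - [06/Jul/2011:12:00:00 +0200] '
    '"GET /main.cvd HTTP/1.1" 403 0 "-" "ClamAV/0.95.3"',
    'database.clamav.net 192.0.2.10 - - [06/Jul/2011:12:00:05 +0200] '
    '"GET /daily.cvd HTTP/1.1" 200 1048576 "-" "ClamAV/0.97"',
    'www.example.org 198.51.100.7 - - [06/Jul/2011:12:00:09 +0200] '
    '"GET /secret HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

def parse_access_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None

def deny_lines(lines, domain="database.clamav.net", status="403"):
    """filter f_mirror + destination template: one "+<ip>" line per matching entry.
    (The syslog-ng filter uses a regex match; exact comparison is used here.)"""
    out = []
    for line in lines:
        f = parse_access_line(line)
        if f and f["domain"] == domain and f["status"] == status:
            out.append("+" + f["client_ip"] + "\n")  # what syslog-ng writes to the proc file
    return out

class RecentList:
    """Toy model of an xt_recent list: timestamps of recent hits per address.
    Ignores the ip_list_tot / ip_pkt_list_tot limits of the real module."""
    def __init__(self, seconds=3600, hitcount=5):
        self.seconds, self.hitcount = seconds, hitcount
        self.hits = defaultdict(list)

    def add(self, ip, now):
        """Writing "+ip" to the proc file: add the address with a fresh timestamp."""
        self.hits[ip].append(now)

    def rcheck(self, ip, now):
        """--rcheck --seconds S --hitcount N: at least N hits within the last S seconds."""
        return sum(1 for t in self.hits[ip] if now - t <= self.seconds) >= self.hitcount

    def update(self, ip, now):
        """--update: same test, but a match also records the current time,
        so a client that keeps connecting stays blocked."""
        matched = self.rcheck(ip, now)
        if matched:
            self.hits[ip].append(now)
        return matched
```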
Use
chmod 600 /sys/module/xt_recent/parameters/ip_list_tot
echo 10000 > /sys/module/xt_recent/parameters/ip_list_tot
chmod 400 /sys/module/xt_recent/parameters/ip_list_tot
to change ip_list_tot “on-the-fly”.