Quotes DB
<0> So, I hear there are more incompatibility issues with 2.6.16 prereleases? I need to move a server from 2.4 to 2.6, should I stay with 2.6.15.4 to be safe?
<1> 2.6.16 has a whole new netfilter backend, but I think they still have the old one working
<1> but I haven't seen any incompatibility issues yet (with IPv4) and I'm using 2.6.16
<0> I do wish they'd quit treating 2.6 as a development branch. I'd like to see it stabilize. :)
<2> startkeylogger
<1> Rawplayer: looks like nobody's using Norton
<3> Anti-virus shmanti-virus.
<2> hmm in other channels people quit at the same timestamp ;)
<3> Although I did see what is supposedly a new worm for Linux, that exploits a vuln in Mamba and PHP to install a rootkit which gives remote access via IRC.
<3> Now if we just had more games, we'd have everything Windows does.
<3> Mare.D for those who are curious.
<1> that only works if you allow your webserver to make new connections to the internet
<3> I don't use either anyway.
<3> Perl > PHP.
<1> neither do I
<0> what's Mamba?
<4> hazard: Url?
<3> TmBerg: www.hackinthebox.org is where I saw it, you can get a link from there to the actual article.
<4> Thnkz.
<0> interesting :)
<3> Every once in a while it stagnates, but in general I find quite a few interesting articles by starting there.
<5> I need to block the following IPs. Most of them are in the same subnet. What's the best way to do this, vs. doing them all one at a time?
<5> http://code.gnu-designs.com/Slurp_abuse.txt
<5> Like 72.30.0.0/8 or something?
<5> There are 462 of them, was 458 a minute ago, they're climbing
<5> -A INPUT -s 72.30.0.0/255.255.0.0 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
<5> that sort of works, I guess
<5> I hate Yahoo for their broken, misconfigured spiders
<5> They slam us with 462 concurrent spiders all at once
<6> hmmm, sounds not very nice
<5> One range of spiders grabs robots.txt, which explicitly blocks Slurp and friends, the other 450 or so don't even talk to the first ones who read robots.txt, and they just spider everything, cvsweb, mailing lists, binary files, all of it.
<5> So it's like they have one set harvesting robots.txt, which the other hundreds of spiders conveniently ignore
<5> I blocked all of msnbot for a very similar reason, the whole /24
<5> These companies shouldn't employ children to write their spiders
<6> setuid, you can also deny them in the apache config based on useragent...
<5> IVS: I tried that, it didn't work
<6> hmmm, why?
<5> BrowserMatch "Slurp" go_away
<5> That kind of stuff?
<5> Then I have:
<5> Deny from env=go_away
<5> in my stanzas for the roots
<5> Doesn't work, they just get in anyway
<6> i'm not an expert, but i know for sure that it's possible to keep out clients with certain useragent-strings...
<5> Is there an upper limit on the number of rules I can have in iptables?
<5> # iptables-save | grep "dport 25" | wc -l
<5> 1453
<5> # iptables-save | grep "dport 80" | wc -l
<5> 401
<5> IVS: I'll poke the #apache folks in a bit about that
<6> setuid, bad performance is probably the limit, i'm not aware of an exact number...
<5> Ok
<6> it seems reasonable that there is one, though... probably some power of 2... :-)
<1> you could use ipset, I think that might be faster than running through a linear set of rules
<5> danieldg: What is that?
<1> ipset.netfilter.org - kernel patch required
<5> hrm
<5> ah
<5> I wish I could do this with a timed delay, so the rule would be auto-removed after 'n' seconds/hours/days
<5> There's no clear way to do that right now
<1> the recent module *might* be able to simulate that
<1> add by echo ip> /proc/net/ipt_recent/NOSMTP
<1> then have a --seconds for the timeout
<1> that's not really what it's for, but it will work for that
<5> really?
<5> is that a pom?
<1> no, it's in kernel
<5> I'll take a look
<1> you'll have to increase the ip_list_tot parameter from 100 to like 2000
<5> What about something like:
<5> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
<5> --update --seconds 60 --hitcount 4 -j DROP
<1> but it uses a hash table, so it's fast
<5> ..but on port 80
<1> that would break normal clients
<5> Well, I'd set it to something like 50 or so
<1> are the bots hammering the server that hard?
<1> (to set it to 50, you'd have to modify another parameter)
<5> danieldg: Yes
<5> We've got hundreds of bots hitting us all the time, msnbot, yahoo, googlebot, and all the misconfigured rss readers out there
<5> I've got the revisit/cache/etc. values to >2 weeks, and we get _thousands_ of hits per-day from each client
<1> you'll need to set ip_pkt_list_tot to at least the value of --hitcounts
<1> and ip_list_tot to the number of IPs to block
<5> I'll have to look into that
<5> I wish someone would smack the hell out of these people writing rss readers/aggregators, and tell them to follow the fscking specifications for the standard
<5> If-Modified-Since: Sun, 27 Feb 2005 20:51:51 GMT
<5> Last-Modified: Sun, 27 Feb 2005 20:51:51 GMT
<5> # grep rss.pl access.log| wc -l
<5> 4596
<5> And from yesterday's log:
<5> # grep rss.pl access.log.0| wc -l
<5> 1971
<5> it's pretty disgusting
<7> guys do you think HTTP requests mangling could be easily done with an apache module, or using iptables's queuing feature ?
<8> matth_: better use apache and mod_rewrite to do so
<7> oki, I'll look for that one (didn't know about it)
<9> yeah you want to do that on the application layer, and mod_rewrite is very powerful
<7> yeah that rulez
<7> thx for the tip
<10> Hi all! My firewall is reporting this invalid package in logs: Feb 23 15:40:10 firepenguin kernel: FW-INVL: IN= OUT=eth0 SRC=10.1.1.236 DST=10.1.1.45 LEN=56 TOS=0x00 PREC=0xC0 TTL=64 ID=43272 PROTO=ICMP TYPE=11 CODE=0 [SRC=10.1.1.45 DST=207.26.131.137 LEN=28 TOS=0x00 PREC=0x00 TTL=1 ID=25559 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=42561 ]
<10> But 10.1.1.236 is my firewall interface and 10.1.1.45 is a user host, how can I discover which program, package does this?
<1> looks like from a traceroute
<10> but I'm not tracerouting anyone.
<1> maybe someone is tracerouting you
<10> danieldg: and I'm allowing all output packages from my firewall (policy)
<10> and everything new/related
<10> I will tcpdump a little
<1> it's an ICMP time exceeded message in reply to a TTL=1 packet
<1> that looks like an ICMP traceroute to me
<10> 15:42:41.700973 IP 10.1.1.45 > 207.26.131.137: icmp 8: echo request seq 7746
<10> 15:42:42.700933 IP 10.1.1.45 > 207.26.131.137: icmp 8: echo request seq 8002
<1> looks like 10.1.1.45 might be doing the traceroute
<10> yes,
<10> I will check out
<10> but why the package is INVALID (I will show my iptables rule)
<10> $DEBUG $IPT -A OUTPUT -m state --state INVALID -j INVALIDOS
<10> $DEBUG $IPT -A INPUT -m state --state INVALID -j INVALIDOS
<10> $DEBUG $IPT -A FORWARD -m state --state INVALID -j INVALIDOS
<1> I'm not sure - it should be ESTABLISHED, or at least RELATED
<10> my first iptables rule is:
<10> $DEBUG $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<10> $DEBUG $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<10> $DEBUG $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
<1> is the firewall 10.1.1.236?
<10> I will checkout the kernel connection table.
<10> yes it is
<1> that might be a bug in connection tracking
<10> I forgot the conn track file in /proc
<11> anyone here know of a good fw stats package?
<1> /proc/net/ip_conntrack iirc
<10> danieldg: thank you
<11> oh
<11> besides that?
<11> danieldg: thanks
<1> Roey: that was to Lin, but you're welcome ;)
<11> danieldg: :)
<10> there isn't anything about 10.1.1.45
<10> these log lines are pissing me off. It is one per second! =P
<1> Lin: that's probably because the ping entry expires too quickly to see in the conntrack
<1> um, you could just not log them...
<10> danieldg: I log all invalid package
<10> 'cause I want to see them. and discover..
<11> nf-HiPAC
<11> ?
<1> Lin: what kernel?
<10> 2.6.8