[CLUE-Tech] Auto blocking hosts w/ iptables

Dan Harris dan at drivefaster.net
Fri Jul 30 13:23:15 MDT 2004


Hani Duwaik wrote:

>Hello,
>
>I'm looking for information regarding either of the following:
>
>1) A tool (script, application, module) that will monitor apache log
>files, detect attacks, and create an iptables rule to block traffic
>from offending hosts.
>
>2) A tool (or complete solution) that will take IDS logs and perform
>the same operation with iptables as described above.
>
>I'm running gentoo linux and have a personal website I am using.  In
>the few days I've had it up, I've noticed several compromise attempts
>(though they were mostly for IIS).  For various reasons, I can't change
>the port apache runs on.  As such, I'd like to find a way to automatically
>block traffic from any host that tries to use known tools to compromise
>webservers.
>
>Any thoughts would be welcomed.
I actually wrote a tool called Napalm which does exactly this.  It can 
be tweaked to scan any sort of log file and create iptables rules based 
on keywords or regular expression matches.  Not only that but you can 
synchronize multiple hosts' block files to create a 'trust' of people 
that maintain a distributed iptables block list or synchronize all of 
your boxes in response to an attack on any one of them.

However, in true geeky open-source solution, I have not written any 
documentation for it other than a --help screen.  But for some people 
that's enough.  I feel that it's very easy to use, though I'm biased as the 
author, and I will be happy to provide help to anyone who wants to 
implement it and maybe make the project more official.

If someone is so inclined, they may download it from 
http://www.drivefaster.net/napalm/.  It requires perl's Config::General, 
and LWP ( www library for perl ) to operate.

Like I said, if anyone has interest in this project, I will put more 
effort into making it 'distributable'.  It's GPL-licensed.

-Dan
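The mechanism Dan describes (scan a log file, match keywords or regular expressions, emit iptables rules for the offending hosts) is small enough to sketch end to end. The following is an added example written for this archive page; it is not Napalm's code and does not reproduce Napalm's configuration format. The Apache log lines, the signature list (patterns for the kind of IIS-style probes the original poster mentioned) and the `NEVER_BLOCK` allow-list are all constructed for the example; the rules are only printed unless `dry_run=False` is passed.

```python
import ipaddress
import re
import subprocess
from collections import Counter

# Apache "combined" format: client IP, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed signatures: (name, regex applied to the request line only).
# These describe well-known IIS worm/scanner probes, not anything a Gentoo/Apache box serves.
SIGNATURES = [
    ("codered_ida", re.compile(r"/default\.ida\?", re.I)),
    ("cmd_exe_traversal", re.compile(r"(\.\./|%2e%2e|%c0%af|%c1%1c).*cmd\.exe", re.I)),
    ("cmd_exe_direct", re.compile(r"/(winnt|scripts)/.*cmd\.exe", re.I)),
    ("frontpage_probe", re.compile(r"/_vti_bin/", re.I)),
]

# Constructed allow-list: addresses that must never be blocked (e.g. the admin's own network).
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample log lines in Apache combined format (one line is deliberately malformed).
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Jul/2004:13:01:02 -0600] "GET /default.ida?XXXX HTTP/1.0" 404 288 "-" "-"',
    '198.51.100.7 - - [30/Jul/2004:13:01:03 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288 "-" "-"',
    '203.0.113.5 - - [30/Jul/2004:13:02:10 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [30/Jul/2004:13:03:00 -0600] "GET /_vti_bin/shtml.dll HTTP/1.0" 404 288 "-" "-"',
    'not a log line',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_signature(request):
    """Return the name of the first signature the request line matches, else None."""
    for name, rx in SIGNATURES:
        if rx.search(request):
            return name
    return None


def offending_hosts(lines, threshold=1):
    """Map client IP -> number of signature hits, keeping only hosts at or above threshold."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, never blocked on
        if match_signature(rec["req"]):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def build_rules(hosts):
    """Turn offending hosts into iptables argv lists, skipping allow-listed or unparsable addresses."""
    rules = []
    for ip in sorted(hosts):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # anything that is not a valid address never reaches iptables
        if any(addr in net for net in NEVER_BLOCK):
            continue
        # argv list, not a shell string: the IP field is attacker-influenced input
        rules.append(["iptables", "-I", "INPUT", "-s", str(addr), "-j", "DROP"])
    return rules


def apply_rules(rules, dry_run=True):
    """Print the rules (default) or execute them one by one without a shell."""
    for argv in rules:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    apply_rules(build_rules(offending_hosts(SAMPLE_LOG, threshold=2)))
```

Two points worth keeping from this sketch when building or configuring a tool like Napalm: the block list is derived only from the parsed IP field and passed to iptables as an argument vector, so a hostile request line or user-agent cannot smuggle extra options into the command, and the threshold plus allow-list keep a single 404 probe from a shared NAT address (or your own workstation) from locking legitimate users out. Rules inserted this way persist only until the next firewall reload, so a real deployment also needs an expiry or a persisted block file, which is what the synchronised block files described above provide.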
