  1. #1
    Join Date
    Jan 2005
    Posts
    2,203

    Blocked IPs, finding the causes

    I have APF with BFD and anti-dos. How do I find out the reasons for the IPs being blocked? For example, IPs blocked from brute force attack. There are so many, don't want any IPs to be blocked for opening too many http connections which I'm afraid many did when they use a download manager to download from the server. Thanks in advance.
    Last edited by HD Fanatic; 06-23-2005 at 04:26 AM.

  2. #2
    You should have gotten an email alert when BFD and anti-dos blocked the IP. If it's a RECENT occurrence, you can try and check your /var/log/messages backup files (usually /var/log/messages.1.gz through .7.gz). If it's older than that, you're SOL.
    Game control panels - control your game world your way. Server-Genie.com
    http://www.server-genie.com

  3. #3
    You can have a search on /var/log/messages for the IP that is being blocked, so that you will get an idea how it happened.
    Choose the right option ... The world is open for You..

  4. #4
    Join Date
    Jan 2005
    Posts
    2,203
    I never got an email about IPs being blocked. In /var/etc/messages, messages.1, messages.2 ... there are no instances of June 2005. How do I remove ALL blocked IPs from the firewall and check on the rule for blocking IPs with too many http connections? Thanks.
    Last edited by HD Fanatic; 06-23-2005 at 07:18 PM.

  5. #5
    Join Date
    Nov 2003
    Location
    India
    Posts
    155
    Originally posted by ANewDay
    I never got an email about IPs being blocked. In /var/etc/messages, messages.1, messages.2 ... there are no instances of June 2005. How do I remove ALL blocked IPs from the firewall and check on the rule for blocking IPs with too many http connections? Thanks.
    I'm not sure, but you can check the file deny_hosts.rules

    in /etc/apf/. If it has a list of IPs that you don't want to block, just delete those IPs from that file and restart apf.

    Also you might want to optimize the file /etc/apf/ad/conf.antidos to avoid a similar situation in future.

    regards

  6. #6
    Join Date
    Jan 2005
    Posts
    2,203
    I don't see any line referring to number of http connections in the conf.antidos file. Do you know where to configure that?

  7. #7
    You can see the blocked IPs in the /etc/apf/deny_hosts.rules file.
    Choose the right option ... The world is open for You..

  8. #8
    Join Date
    Nov 2003
    Location
    India
    Posts
    155
    Originally posted by ANewDay
    I don't see any line referring to number of http connections in the conf.antidos file. Do you know where to configure that?
    Look for the following variables:

    TRIG

    SF_TRIG

    and

    SF_TRIG_PORTS

    These three variables control the synfloods, so you need to tweak them.

    Regards

  9. #9
    Join Date
    Jan 2005
    Posts
    2,203
    OK, thanks, it was set to 25 as default. The strange thing is I don't get how I was syn-flooding the server as I was just browsing the forums. The other admin of the server was blocked as well and he also was browsing the forums. In total, there were 3 IPs that were blocked due to the number of http connections.

    Also, I checked /var/log/messages and wasn't able to find any instances pertaining to the IPs blocked due to the number of http connections. What do I need to look out for in that file? Thx.

  10. #10
    Join Date
    Jan 2005
    Posts
    2,203
    I just went over the conf.antidos file and found out that antidos was not even operating since some default values were set to 0 which need to be set to 1 in order for antidos to function...

    Those techs forgot to configure it when they set up my server. :-S

    Option: LP_KLOG="0"
    Definition: Enable parsing of the kernel log file for attack events, if this or
    another LP_* (log parsing) option is not enabled then antidos will not operate.
    [0 = Disabled / 1 = Enabled]

    Option: LP_SNORT="0"
    Definition: Enable parsing of the snort portscan.log file for attack events, if
    this or another LP_* (log parsing) option is not enabled then antidos will not
    operate. [0 = Disabled / 1 = Enabled]

    Option: DET_SF="0"
    Definition: Detect SYN_RECV connections from the netstat output; this is primarily
    intended to stop syn-flood attacks against web servers. [0 = Disabled / 1 = Enabled]
    All 3 of those were set to 0. Now, I have no idea which script/program blocked my IP due to the http connections.

  11. #11
    Join Date
    Nov 2003
    Location
    India
    Posts
    155
    Originally posted by ANewDay
    I just went over the conf.antidos file and found out that antidos was not even operating since some default values were set to 0 which need to be set to 1 in order for antidos to function...

    Those techs forgot to configure it when they set up my server. :-S


    All 3 of those were set to 0. Now, I have no idea which script/program blocked my IP due to the http connections.
    Please check the file /etc/apf/conf.apf: if

    USE_DS is enabled, maybe your IP was listed in the dshield block list. I personally won't enable it on a production box.

    Also for the antidos script to work it needs to be added in the crontab, but it seems you have not configured it, so it must not be added even in the crontab.

    Regards

  12. #12
    Join Date
    Jan 2005
    Posts
    2,203
    Tech responded:
    The IPs were blocked as the number of connections from those IPs seemed too high. At the time when we blocked the IPs the number of connections from them was more than 500 and the server load was also high. So this forced us to block them.
    No way I made 500 connections. I know the backup script was causing the server load to be high.

    Also, if I edit the /etc/sysconfig/iptables file, what do I need to restart for the changes to take effect? There's an IP that I want to block instead of allow.

    -A INPUT -s 132.248.252.xx -p tcp -j ACCEPT
    -A INPUT -s 219.232.43.xx -p tcp -j ACCEPT
    -A INPUT -s 24.215.x.x -p tcp -j ACCEPT
    -A INPUT -s 219.232.43.xx -p tcp -j DROP
    -A INPUT -s 24.215.x.x -p tcp -j DROP
    -A INPUT -s 132.248.252.xx -i eth0 -j DROP

    That's at the beginning of the iptables file; 2 instances of each IP. How do I clean it up? I want to block 132.248.252.xx and allow the other 2 IPs.
    Last edited by HD Fanatic; 06-24-2005 at 01:31 PM.

  13. #13
    Join Date
    Nov 2003
    Location
    India
    Posts
    155
    apf -d 132.248.252.xx
    apf -a ipblock

    Issue the above commands as root

    -d will block and -a will allow

    Regards

  14. #14
    Join Date
    Jan 2005
    Posts
    2,203
    Thanks, I've done that, but in /etc/sysconfig/iptables it still shows that IP as:

    -A INPUT -s 132.248.252.xx -p tcp -j ACCEPT

    Does deny_hosts.rules override the iptables? Thanks for your help.

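An added illustration of the "2 instances of each IP" problem from post #12 (example code, not from anyone in the thread): iptables evaluates a chain top to bottom and the first terminating rule wins, so an ACCEPT listed above a DROP for the same source makes the DROP dead. The helpers below work on a constructed copy of those rules (RFC 5737 documentation addresses stand in for the masked ones) and assume the `-A INPUT -s ... -j ...` line shape shown in the post.

```shell
# Constructed stand-in for the rule pairs quoted in post #12; the addresses are
# RFC 5737 documentation addresses, not the thread's real (masked) ones.
SAMPLE_RULES='-A INPUT -s 192.0.2.10 -p tcp -j ACCEPT
-A INPUT -s 198.51.100.20 -p tcp -j ACCEPT
-A INPUT -s 203.0.113.30 -p tcp -j ACCEPT
-A INPUT -s 198.51.100.20 -p tcp -j DROP
-A INPUT -s 203.0.113.30 -p tcp -j DROP
-A INPUT -s 192.0.2.10 -i eth0 -j DROP'

# awk prelude shared below: parse() pulls the -s source and -j target out of
# one "-A INPUT ..." line into src and tgt (empty when the option is absent).
PARSE='function parse(  i) { src = ""; tgt = ""
  for (i = 1; i < NF; i++) { if ($i == "-s") src = $(i+1); if ($i == "-j") tgt = $(i+1) } }
'

# first_match RULES IP : target of the first INPUT rule whose -s equals IP.
# iptables walks a chain top to bottom and stops at the first terminating
# target, so this is the verdict the kernel gives, whatever later rules say.
first_match() {
  printf '%s\n' "$1" | awk -v ip="$2" "$PARSE"'
    $1 == "-A" && $2 == "INPUT" { parse(); if (src == ip) { print tgt; exit } }'
}

# conflicting_sources RULES : every source that appears in INPUT rules with
# more than one target, i.e. the "2 instances of each IP" to clean up.
conflicting_sources() {
  printf '%s\n' "$1" | awk "$PARSE"'
    $1 == "-A" && $2 == "INPUT" {
      parse()
      if (src != "" && (src in seen) && seen[src] != tgt) print src
      if (src != "") seen[src] = tgt
    }' | sort -u
}

# keep_only RULES IP TARGET : print RULES with every INPUT rule for IP dropped
# except those jumping to TARGET, leaving one unambiguous verdict for it.
keep_only() {
  printf '%s\n' "$1" | awk -v ip="$2" -v want="$3" "$PARSE"'
    { parse(); if ($1 == "-A" && $2 == "INPUT" && src == ip && tgt != want) next; print }'
}
```

Remember that /etc/sysconfig/iptables is only the saved ruleset restored by the iptables init script; what is enforced is the live chain (`iptables -L INPUT -n --line-numbers`), which APF rebuilds from its own files when it starts, so `apf -d` can block an address while the saved file still lists an ACCEPT for it.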