Thread: Blocked IPs, finding the causes
06-23-2005, 04:22 AM #1 Web Hosting Master (Join Date: Jan 2005, Posts: 2,203)
I have APF with BFD and anti-dos. How do I find out the reasons for the IPs being blocked? For example, IPs blocked from brute force attack. There are so many; I don't want any IPs to be blocked for opening too many http connections, which I'm afraid many did when they used a download manager to download from the server. Thanks in advance.
Last edited by HD Fanatic; 06-23-2005 at 04:26 AM.
06-23-2005, 03:14 PM #2 Junior Guru Wannabe (Join Date: May 2005, Posts: 67)
You should have gotten an email alert when BFD and anti-dos blocked the IP. If it's a RECENT occurrence, you can try checking your /var/log/messages backup files (usually /var/log/messages.1.gz through .7.gz). If it's older than that, you're SOL.
Game control panels - control your game world your way. Server-Genie.com
http://www.server-genie.com
06-23-2005, 03:31 PM #3 Newbie (Join Date: Jun 2005, Posts: 27)
You can search /var/log/message for the IP that is being blocked, so that you will get an idea how it happened.
Choose the right option ... The world is open for You..
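Putting the log search from the two replies above into a script, as an added example that is not from the thread: it searches the current messages file and its gzipped rotations for one address. The sample log lines it creates are constructed, not real APF/BFD output, and the /var/log default is an assumption.

```shell
# Added example (not from the thread): search the current /var/log/messages and its
# rotated copies (messages.1 ... messages.7.gz) for every line that mentions an
# address, the search the replies above describe. Sample log lines are constructed.

# Print every log line mentioning $1 from the message logs in $2 (default /var/log),
# prefixed with the file it came from; gzipped rotations are read with gzip -dc.
find_block_reason() {
    ip=$1
    logdir=${2:-/var/log}
    # Escape the dots and require non-digit boundaries so 10.0.0.1 does not
    # also match 10.0.0.12 or 110.0.0.1.
    pattern=$(printf '%s' "$ip" | sed 's/\./\\./g')
    for f in "$logdir"/messages "$logdir"/messages.[0-9]*; do
        [ -f "$f" ] || continue
        case $f in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac | grep -E "(^|[^0-9])${pattern}([^0-9]|$)" | sed "s|^|$(basename "$f"): |"
    done
}

# Number of matching lines, for scripting or alerting on a threshold.
count_block_lines() {
    find_block_reason "$@" | wc -l | tr -d ' '
}

# Build a directory of constructed log files (the line format is made up, not
# APF's or BFD's real output) so the search can be tried offline.
make_sample_logs() {
    d=$(mktemp -d)
    printf '%s\n' \
        'Jun 24 02:10:01 host apf: added 192.0.2.10 to deny_hosts.rules' \
        'Jun 24 02:10:02 host sshd[555]: Accepted password for admin from 192.0.2.100' \
        > "$d/messages"
    rotated='Jun 23 22:01:17 host bfd: ban 192.0.2.10 (sshd, 15 failures)
Jun 23 22:05:40 host kernel: SYN_RECV backlog from 198.51.100.7'
    if command -v gzip >/dev/null 2>&1; then
        printf '%s\n' "$rotated" | gzip -c > "$d/messages.1.gz"
    else
        printf '%s\n' "$rotated" > "$d/messages.1"
    fi
    printf '%s\n' "$d"
}

# Demo: which lines explain the block on 192.0.2.10?
sample=$(make_sample_logs)
find_block_reason 192.0.2.10 "$sample"
rm -rf "$sample"
```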
06-23-2005, 07:09 PM #4 Web Hosting Master (Join Date: Jan 2005, Posts: 2,203)
I never got an email about IPs being blocked. In /var/etc/messages, messages.1, messages.2, etc. there are no instances of June 2005. How do I remove ALL blocked IPs from the firewall and check on the rule for blocking IPs with too many http connections? Thanks.
Last edited by HD Fanatic; 06-23-2005 at 07:18 PM.
06-23-2005, 07:42 PM #5 Disabled (Join Date: Nov 2003, Location: India, Posts: 155)
Originally posted by ANewDay
I never got an email about IPs being blocked. In /var/etc/messages, messages.1, messages.2, etc. there are no instances of June 2005. How do I remove ALL blocked IPs from the firewall and check on the rule for blocking IPs with too many http connections? Thanks.
Check in /etc/apf/ whether it has a list of IPs that you don't want blocked; if there are any, just delete those IPs from that file and restart apf.
Also, you might want to optimize the file /etc/apf/ad/conf.antidos to avoid a similar situation in future.
regards
06-23-2005, 11:14 PM #6 Web Hosting Master (Join Date: Jan 2005, Posts: 2,203)
I don't see any line referring to number of http connections in the conf.antidos file. Do you know where to configure that?
06-24-2005, 12:39 AM #7 Newbie (Join Date: Jun 2005, Posts: 27)
You can see the blocked IPs in the /etc/apf/deny_hosts.rules file.
Choose the right option ... The world is open for You..
06-24-2005, 01:00 AM #8 Disabled (Join Date: Nov 2003, Location: India, Posts: 155)
Originally posted by ANewDay
I don't see any line referring to number of http connections in the conf.antidos file. Do you know where to configure that?
TRIG, SF_TRIG and SF_TRIG_PORTS: these three variables control the synfloods, so you need to tweak them.
Regards
06-24-2005, 02:14 AM #9 Web Hosting Master (Join Date: Jan 2005, Posts: 2,203)
OK, thanks, it was set to 25 as default. The strange thing is I don't get how I was SYN flooding the server, as I was just browsing the forums. The other admin of the server was blocked as well, and he also was browsing the forums. In total, there were 3 IPs that were blocked due to the number of http connections.
Also, I checked /var/log/messages and wasn't able to find any instances pertaining to the IPs blocked due to the number of http connections. What do I need to look out for in that file? Thx.
06-24-2005, 02:42 AM #10 Web Hosting Master (Join Date: Jan 2005, Posts: 2,203)
I just went over the conf.antidos file and found out that antidos was not even operating, since some default values were set to 0 which need to be set to 1 in order for antidos to function...
Those techs forgot to configure it when they set up my server. :-S
Option: LP_KLOG="0"
Definition: Enable parsing of the kernel log file for attack events, if this or
another LP_* (log parsing) option is not enabled then antidos will not operate.
[0 = Disabled / 1 = Enabled]
Option: LP_SNORT="0"
Definition: Enable parsing of the snort portscan.log file for attack events, if
this or another LP_* (log parsing) option is not enabled then antidos will not
operate. [0 = Disabled / 1 = Enabled]
Option: DET_SF="0"
Definition: Detect SYN_RECV connections from the netstat output; this is primarily
intended to stop syn-flood attacks against web servers. [0 = Disabled / 1 = Enabled]
06-24-2005, 04:01 AM #11 Disabled (Join Date: Nov 2003, Location: India, Posts: 155)
Originally posted by ANewDay
I just went over the conf.antidos file and found out that antidos was not even operating, since some default values were set to 0 which need to be set to 1 in order for antidos to function...
Those techs forgot to configure it when they set up my server. :-S
All 3 of those were set to 0. Now I have no idea which script/prog blocked my IP due to the http connections.
USE_DS is enabled; maybe your IP was listed in the DShield block list. I personally won't enable it on a production box.
Also, for the antidos script to work it needs to be added to the crontab, but it seems you have not configured it, so it must not be added to the crontab either.
Regards
06-24-2005, 01:19 PM #12 Web Hosting Master (Join Date: Jan 2005, Posts: 2,203)
Tech responded:
The IPs were blocked as the number of connections from those IPs seemed too high. At the time when we blocked the IPs the number of connections from them was more than 500 and the server load was also high. So this forced us to block them.
Also, if I edit the /etc/sysconfig/iptables file, what do I need to restart for the changes to take effect? There's an IP that I want to block instead of allow.
-A INPUT -s 132.248.252.xx -p tcp -j ACCEPT
-A INPUT -s 219.232.43.xx -p tcp -j ACCEPT
-A INPUT -s 24.215.x.x -p tcp -j ACCEPT
-A INPUT -s 219.232.43.xx -p tcp -j DROP
-A INPUT -s 24.215.x.x -p tcp -j DROP
-A INPUT -s 132.248.252.xx -i eth0 -j DROP
That's in the beginning of the iptables file; 2 instances of each IP, how do I clean it up? I want to block 132.248.252.xx and allow the other 2 IPs.
Last edited by HD Fanatic; 06-24-2005 at 01:31 PM.
06-24-2005, 01:43 PM #13 Disabled (Join Date: Nov 2003, Location: India, Posts: 155)
apf -d 132.248.252.xx
apf -a ipblock
Issue the above commands as root.
-d will block and -a will allow.
Regards
06-24-2005, 05:08 PM #14 Web Hosting Master (Join Date: Jan 2005, Posts: 2,203)
Thanks, I've done that, but /etc/sysconfig/iptables still shows that IP as:
-A INPUT -s 132.248.252.xx -p tcp -j ACCEPT
Does deny_hosts.rule override the iptables? Thanks for your help.
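An added example (not part of the thread) showing how iptables' first-match evaluation bears on the question above: the chain is walked top to bottom and stops at the first matching rule, so an ACCEPT listed before a DROP for the same address wins. The ruleset is constructed with documentation addresses, and the parser assumes plain "-s <host>" INPUT rules like the ones quoted above.

```shell
# Added example (not from the thread): model how iptables walks the INPUT chain
# and stops at the first rule that matches, so an early "-j ACCEPT" for a host
# wins over a later "-j DROP". Only "-A INPUT ... -s <host> ... -j <target>"
# rules are modelled (no CIDR expansion); the ruleset below is constructed.

# Print "<line> <target>" for the first INPUT rule whose -s equals $2, or
# "0 policy" if no rule matches and the chain's default policy would apply.
first_input_match() {
    awk -v ip="$2" '
        /^-A INPUT / {
            src = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (src == ip) { found = 1; print NR, target; exit }
        }
        END { if (!found) print "0 policy" }
    ' "$1"
}

# Print each source that appears in more than one INPUT rule with differing
# targets: the duplicates to clean up before trusting what the ruleset does.
conflicting_sources() {
    awk '
        /^-A INPUT / {
            src = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (src != "" && seen[src] != "" && seen[src] != target) conflict[src] = 1
            if (src != "") seen[src] = target
        }
        END { for (s in conflict) print s }
    ' "$1"
}

# Constructed ruleset mirroring the pattern in the thread: ACCEPT first, DROP later.
write_sample_rules() {
    cat > "$1" <<'EOF'
-A INPUT -s 192.0.2.10 -p tcp -j ACCEPT
-A INPUT -s 198.51.100.7 -p tcp -j ACCEPT
-A INPUT -s 198.51.100.7 -p tcp -j DROP
-A INPUT -s 192.0.2.10 -i eth0 -j DROP
EOF
}

rules=$(mktemp); write_sample_rules "$rules"
first_input_match "$rules" 192.0.2.10   # prints "1 ACCEPT": the DROP on line 4 is never reached
conflicting_sources "$rules"; rm -f "$rules"
```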