# sending evil IP's to a blackhole

## count

I'm running apache on my gentoo box and have been receiving a number of worm-like requests involving winnt/system32/cmd.exe? ... and default.ida? .... so I modified my apache configuration to run a script I wrote to log their IP in my "blacklist" and do this:

route -n add -host [BADIP] gw [BOGUS_INTERAL_IP]

So from then on any requests from that IP are lost. Drastic measures, I guess, but these requests are overtaking my apache_log.

My question is this: 

Could this be a performance loss adding them to my route?

Right now I've got 20 IPs in there since I implemented this about 5 days ago. But since then the rate at which new IPs are added has been dropping.

I also just created a script which I added to my init.d for apache which will rebuild the route table from my blacklist if for any reason my server is restarted.

What are your thoughts?

----------

## echeslack

I have never personally set up apache, but I thought there was a way to set up access by IP.  I would think this would be the most efficient way since nothing ever gets sent (or attempts to get sent), but instead the request is just dropped.  But I'm no expert, so maybe you should just wait for somebody else to answer.

-ewen

----------

## rac

 *echeslack wrote:*   

> I have never personally set up apache, but I thought there was a way to set up access by IP.  I would think this would be the most efficient way since nothing ever gets sent (or attempts to get sent), but instead the request is just dropped.

 

If you're referring to Apache's deny directive, it doesn't drop the request, but rather sends back a 401 Access Denied.

In addition to your route method, you could use tcpwrappers or iptables to block access.

----------

## count

I was using the Deny directive in apache at first, but I was manually entering the IPs and that got tedious and the list got long ... So I did what I described above because I thought it would be more efficient and would catch them before they even got to apache.

----------

## trapni

Before sending 'em to a blackhole you should check whether they're dynamic IPs or not (dialup connections); if so, I'd recommend you send a mail to abuse@HisISP.net rather than sending it to a blackhole ;)

Cheers,

Christian Parpart.

p.s.: my mail server rejects approximately 140 mails of spam and alike a day, amazing ;)

----------

## count

I found another solution to my problem that may work a bit better thanks to focus-linux@securityfocus.com

I'm now using iptables and dynfw to deal with the bad requests. It seems to be working well so far.

Thanks!

----------

## RebelYell

 *rac wrote:*   

>  *echeslack wrote:*
> > I have never personally set up apache, but I thought there was a way to set up access by IP.  I would think this would be the most efficient way since nothing ever gets sent (or attempts to get sent), but instead the request is just dropped.
> 
> If you're referring to Apache's deny directive, it doesn't drop the request, but rather sends back a 401 Access Denied.
> 
> In addition to your route method, you could use tcpwrappers or iptables to block access.

 

I agree with this... and you could use portsentry and the dynfw package. 

This way you'll end up with those bad hosts in your /etc/hosts.deny and iptables rules.

----------

## nemo_

While blocking worm-infected IPs using iptables is not a bad idea (hosts from subnets near you tend to keep trying again and again, it seems), I don't like portsentry much because if someone finds out you're running it - that's not too difficult when you have several IPs handy - they can flood you with spoofed packets originating from everywhere and turn your firewall into a real wall.

----------

## RebelYell

 *nemo_ wrote:*   

> While blocking worm infected IPs using iptables is not a bad idea (hosts from subnets near you tend to keep trying again and again it seems), I dont like portsentry much because if someone finds out you're running it - that's not too difficult when you have several IPs handy - they can flood you with spoofed packets originating from everywhere and turn your firewall into a real wall.

 

Available just in case your box will be accepting spoofed packets... besides, you can configure portsentry to ignore several hosts/subnets or to "flush" the banned subnets/hosts at the interval you specify.

----------

## panserg

It's been a while since this subject was up. What's changed since that time? Are there any tools in Portage to help against such "worm seekers"?

I run several Apache, Tomcat and Zope servers and I was surprised to see that even non-80 ports are flooded. As for standard 80, there are more bad records in log files than good ones. On big servers it's not an issue, but on small servers with a slow connection it becomes a performance and volume issue.

For fast servers I am looking for a script that would:

1. scan the log files on the regular (let's say weekly) basis;

2. summarize the flood records by providers;

3. send the message to each abuse@ISP.net;

4. clean the records up in order to back it up (to the tape archive or something) without any garbage;

Is there anything in Portage that can help?

Also, for a small server, is there anything I can do in iptables to check the URL and to drop it if it's bad, and to do it faster (or with less CPU utilization) than Apache would do it by itself?
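An added example, not count's script or anything from the thread, showing the log-scanning half of what count describes in the first post and what panserg asks for in steps 1 and 2 above: it parses Apache access-log lines, flags the default.ida and winnt/system32/cmd.exe probe patterns the thread mentions, counts hits per source address, and renders the iptables DROP rules rac and RebelYell suggest. The log lines are constructed, unparsable lines are skipped rather than crashing the run, and RFC1918/loopback sources are assumed to be your own LAN and are never blocked.

```python
import re
import ipaddress
from collections import defaultdict
# Request paths the Code Red / Nimda-style probes named in the thread ask for.
WORM_PATTERNS = [
    re.compile(r"/default\.ida\?", re.IGNORECASE),
    re.compile(r"/winnt/system32/cmd\.exe\?", re.IGNORECASE),
]
# Apache common/combined log: client address first, request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*"')
# Sources that must never be blackholed (assumption: your own LAN and loopback
# live here; adjust to your network before using the rules this produces).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Constructed sample log lines, not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2001:10:00:01 -0400] "GET /default.ida?XXXXXXXXXX HTTP/1.0" 404 283
192.0.2.10 - - [12/Aug/2001:10:00:05 -0400] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [12/Aug/2001:10:01:12 -0400] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [12/Aug/2001:10:02:30 -0400] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
10.0.0.3 - - [12/Aug/2001:10:03:00 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 283
this line is garbage and must not crash the parser
"""
def is_worm_probe(path):
    # True if the request path matches one of the probe signatures above.
    return any(p.search(path) for p in WORM_PATTERNS)

def is_protected(ip):
    """True for addresses we refuse to block: LAN, loopback, or unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in NEVER_BLOCK)

def scan_log(text):
    """Return {source_ip: probe_count} for clients sending worm-style requests."""
    hits = defaultdict(int)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or is_protected(m.group("ip")):
            continue  # unparsable line, or a source we never block
        if is_worm_probe(m.group("path")):
            hits[m.group("ip")] += 1
    return dict(hits)

def block_rules(hits, min_hits=1):
    """Render iptables DROP rules for sources at or above the hit threshold."""
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip, n in sorted(hits.items()) if n >= min_hits]
```

Raising `min_hits` is the cheap way to avoid blackholing a dial-up address after a single probe, which is trapni's concern above.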

----------

