Follow-up on Adaptive Firewalling w/Swatch

David Cary Hart Fedora at TQMcube.com
Thu Aug 17 15:13:32 UTC 2006


Coincidentally, last night, at about 17:00 we suffered an intensive
DDoS via CGI. The unique client count is now over 3,000. Fortunately I
was running a tail at the time and noticed it pretty quickly which
allowed me to restore order relatively quickly.

I brought up another instance of swatch on for the access_log which
has been watching for the DoS pattern. On hits, it  passes the IP of
the attacker to a script that adds firewall rules.

The initialization looks like:

/usr/bin/swatch --use-cpan-file-tail --config-file=/etc/swatch2.conf \ 
--daemon --awk-field-syntax --tail-file=/var/log/httpd/access_log

The conf file looks like:

watchfor        /RegEx Pattern of Exploit/i
        exec "/usr/local/bin/ipt-ddos $1"


-- 
      Do NOT Send Email to <spam trap> Fedora at TQMcube,com
Our DNSRBL - Eliminate Spam at The Source: http://www.TQMcube.com
               Don't Subsidize Criminals: http://boulderpledge.org




More information about the fedora-list mailing list