There are various ways to detect attacks programmatically. Two that are easy to implement:

a. If you examine http server logs, you will note unauthorized attempts to download a number of common system files. These are guaranteed to be attempts to crack your system. What I would like to do is configure 'cgi' programs as each of these objects. The 'cgi' program would record the origin IP address and initiate an http request to a new URL on the gnatbox. That request would identify a list of one or more IPs using common syntax and it would specify an expiration interval.

b. Every day I get 'logwatch' output for my servers. It is common to note multiple attacks originating from a single IP address. I envision writing a procmail script which would receive these files and generate gnatbox updates as under 'a' above. It might even be worthwhile to watch the sshd log in real time.

Of course, use of this feature would have to be limited. Perhaps with login credentials, IP and/or gnatbox interface limits, etc.

The current (to my knowledge) capability requires a human using a relatively complex UI/WUI to add IPs to block objects, and later remove them. What I am attempting to describe here provides an easily programmable interface. The expiration interval is important since most of these IP specific attacks are of short duration and once the actual attacking system owner is aware of the issue they stop.

Alternative interfaces would include having gnatbox retrieve a block list from a specified http and/or scp server, on a daily schedule as well as in response to a simple http request to the gnatbox. In this case, expiration could be managed externally, but it probably should allow combining multiple files since in my use case, IPs would be discovered on multiple systems and building an application to combine them would be difficult.

Thanks,
David Morris

------------------------------------------------------
To unsubscribe: [EMAIL PROTECTED]
For additional commands: [EMAIL PROTECTED]
Archive: http://archives.gnatbox.com/gb-users/
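The log-driven block list described in (b) and the expiring, multi-host merge from the last paragraph, as an added example that is not part of the original post or of any gnatbox feature; the sshd log lines, the threshold, the 'ip expires=<epoch>' update syntax and the time values are all constructed assumptions.

```python
import re

# Constructed sshd log lines of the kind logwatch summarises; not real traffic.
SAMPLE_SSHD_LOG = """\
Mar  3 02:11:07 host sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 02:11:09 host sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 02:11:12 host sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 02:15:40 host sshd[4150]: Failed password for alice from 198.51.100.20 port 40022 ssh2
Mar  3 02:16:01 host sshd[4152]: Accepted publickey for alice from 198.51.100.20 port 40023 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")


def count_failures(log_text):
    """Count failed sshd authentications per source IP."""
    counts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def build_block_list(counts, threshold, ttl_seconds, now):
    """IPs at or above the threshold, each mapped to an expiry time (epoch seconds)."""
    return {ip: now + ttl_seconds for ip, n in counts.items() if n >= threshold}


def merge_block_lists(lists, now):
    """Combine lists from several hosts: keep the latest expiry, drop expired entries."""
    merged = {}
    for block_list in lists:
        for ip, expiry in block_list.items():
            if expiry > now and expiry > merged.get(ip, now):
                merged[ip] = expiry
    return merged


def format_update(block_list):
    """One 'ip expires=<epoch>' line per entry; this request syntax is hypothetical."""
    return "\n".join(f"{ip} expires={exp}" for ip, exp in sorted(block_list.items()))


if __name__ == "__main__":
    now = 1_709_434_800  # constructed "current time" in epoch seconds
    local = build_block_list(count_failures(SAMPLE_SSHD_LOG), 3, 24 * 3600, now)
    # A second, constructed list from another host holding one already-expired entry.
    other = {"192.0.2.9": now + 7200, "203.0.113.7": now - 3600}
    print(format_update(merge_block_lists([local, other], now)))
```

Only 203.0.113.7 reaches the threshold of three failures; the expired copy from the second host is discarded in favour of the fresher local entry, and 192.0.2.9 is carried over with its own expiry.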
