Saturday, September 17, 2011

[Geek] Attack Vectors and Twitter

I wrote a script some time ago that parsed the auth logs on my web server looking for IP addresses that try, and fail, to log in multiple times.  Over the years, I've continued to expand what it does, and what it could do.

At first, it would note something and send me an e-mail, and I'd get to it; it would keep e-mailing me once every hour until I did.

Then, since it was really only dealing with sshd (the remote login daemon), I had it automatically add entries to a file that sshd cares about.

Well, then I got it in my head that I should also be scanning the web logs for evil hits.  So I did that, and added about 150 common signatures.  But the web server doesn't care about file-based deny statements.  So then I brushed off my firewall documentation and worked on setting these things automatically into the firewall.

Once all that was done, I wrote a script that would run this thing much, much more often.
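The steps above (count failed sshd logins per source address, match web requests against a signature list, then emit deny-file entries and firewall rules) can be shown in a small script. This is an added example, not the author's script: the log lines are constructed samples using documentation IP ranges, the two web signatures stand in for the author's ~150, the `sshd: IP` line format assumes a TCP-wrappers style hosts.deny file (the post only says "a file that sshd cares about"), and the iptables commands are an assumption about which firewall is in use.

```python
import re
from collections import Counter

# Constructed sample lines in the style of an sshd auth log (not real traffic).
AUTH_LOG = """\
Sep 17 03:12:01 web sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Sep 17 03:12:04 web sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Sep 17 03:12:07 web sshd[2101]: Failed password for root from 203.0.113.5 port 41024 ssh2
Sep 17 03:12:09 web sshd[2103]: Failed password for root from 203.0.113.5 port 41025 ssh2
Sep 17 03:15:40 web sshd[2110]: Failed password for alice from 198.51.100.7 port 50011 ssh2
Sep 17 03:15:52 web sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 50011 ssh2
"""

# Constructed sample lines in Apache/nginx combined log format.
WEB_LOG = """\
203.0.113.9 - - [17/Sep/2011:03:20:11 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Sep/2011:03:20:12 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 210 "-" "-"
198.51.100.20 - - [17/Sep/2011:03:21:00 +0000] "GET /about.html HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"
)
WEB_RE = re.compile(
    r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)'
)

# Two hypothetical signatures standing in for the author's list of ~150.
WEB_SIGNATURES = [re.compile(p) for p in (r"\.\./", r"/etc/passwd")]


def failed_logins(text):
    """Count failed sshd password attempts per source IP."""
    counts = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def ssh_offenders(text, threshold=3):
    """IPs that failed at least `threshold` times; a single typo does not qualify."""
    return sorted(ip for ip, n in failed_logins(text).items() if n >= threshold)


def web_offenders(text):
    """IPs whose request path matches any web signature."""
    hits = set()
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        if any(sig.search(m.group("path")) for sig in WEB_SIGNATURES):
            hits.add(m.group(1))
    return sorted(hits)


def deny_lines(ips):
    """Entries in TCP-wrappers hosts.deny style (assumed format for the sshd file)."""
    return [f"sshd: {ip}" for ip in ips]


def firewall_commands(ips):
    """Drop rules for the web offenders; assumes an iptables firewall."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    # The author's cron job would run something like this much more often.
    for line in deny_lines(ssh_offenders(AUTH_LOG)):
        print(line)
    for cmd in firewall_commands(web_offenders(WEB_LOG)):
        print(cmd)
```

The threshold matters: the host with one failed password followed by a successful key login is a legitimate user who mistyped, and should never end up in the deny file, which is why the example keys on a count rather than on any single failure.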

So, now it will e-mail me, but what fun is that?  When I get the e-mail, there's nothing more to do.

A few times, I posted IP addresses that had been blocked on my Twitter account.  I got a complaint that also sounded like a challenge.  "I hope that isn't an automated script tweeting"

It took me a few weeks to really go into it, but now I've done that too.  I didn't use my primary Twitter account though.

I'm interested to see what happens to this program in the future.
