
Getting notified daily of known suspicious IP's

Posted by Oplactric, 05-27-2013, 03:34 PM
I have a rather long list at home I use when monitoring suspicious IPs or blocks of IPs manually on my server on a regular basis. But this is a rather inefficient way to monitor them, as many of them are hitting the server infrequently. So I'm looking for a way to be notified automatically of all logged IPs on my server for the day or the last 24h that are on my suspicious IPs watch list, so I would only need to look for them on my server. The web server is just for my own personal use. I'm using: CentOS 5, cPanel, Apache.

Posted by CintrixHost, 05-27-2013, 09:16 PM
Are you using CSF? You can definitely do what you are looking to do with ConfigServer Firewall. If you're not running a hardware firewall it's almost second to none for someone who doesn't want to dive deep into iptables. Just out of curiosity, do you mind divulging what it is you are looking for with these suspicious IPs, or how you define "suspicious"? If your server is anything like our servers we'd have to hire 5 more techs just to keep up with the amount of IPs that try hitting our servers.

Posted by Oplactric, 05-28-2013, 12:01 PM
With suspicious IPs I mean all activities that are, foremost, either unlawful or otherwise exploitative attempts, and other kinds of nuisances that need to be handled. I'm already using CSF, but don't know what you have in mind in that respect, except if you have in mind the watch feature of CSF, but I'm not sure if that is what I need. I get a regular report of all logged blocked packages and filter the most interesting stuff by using a spreadsheet. So about 600 IPs on a weekly basis becomes just a handful to look into that are more worthy of my time and effort. So this is not an issue, but could need improvement. But the real issue I'm referring to is all the suspicious activities in other logs besides the messages log, like the Apache logs, mod_security audit log, exim logs and many others. Just a very small part of all the suspicious IPs are really block-worthy, and I put them on my watch list. They are now exactly 60, both whole IPs and ranges of IPs. The issue here is not to spend time checking on inactive items on my watch list, but instead to focus on the most recent activities.
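As an added example (not code from the thread or from CSF), here is one way to get the daily report described above: a small Python script, run from cron, that loads a watchlist of single IPs and CIDR ranges and scans whatever log lines it is given (Apache, exim, mod_security audit, anything with dotted-quad addresses in it), printing only the watchlisted addresses that actually appeared, with hit counts and which logs they came from. The watchlist entries, log lines and file paths below are constructed for the example and are not real indicators.

```python
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed watchlist for this example (single hosts and CIDR ranges,
# '#' starts a comment). The addresses are documentation ranges, not real IoCs.
WATCHLIST_TEXT = """
# single hosts
203.0.113.7
# ranges
198.51.100.0/24
192.0.2.0/28
"""

# Constructed sample log lines in the formats the thread mentions
# (Apache access log, exim main log); paths are assumptions.
SAMPLE_LOGS = {
    "/var/log/httpd/access_log": [
        '203.0.113.7 - - [27/May/2013:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 210',
        '192.0.2.200 - - [27/May/2013:14:03:09 +0000] "GET / HTTP/1.1" 200 512',
        '198.51.100.42 - - [27/May/2013:14:05:40 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0',
    ],
    "/var/log/exim_mainlog": [
        "2013-05-27 14:10:02 H=(example.invalid) [198.51.100.42] rejected RCPT <a@b.invalid>: relay not permitted",
        "2013-05-27 14:11:30 H=(mail.example.com) [192.0.2.9] F=<x@example.com> accepted",
    ],
}

# Dotted-quad candidates; the lookarounds stop matches inside longer numbers.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def load_watchlist(text):
    """Parse watchlist text into ip_network objects (a bare host becomes a /32)."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def matching_network(ip, nets):
    """Return the first watchlist network containing ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # the regex can also match junk such as 999.1.1.1
        return None
    for net in nets:
        if addr in net:
            return net
    return None


def scan_logs(logs, nets):
    """logs: {path: iterable of lines}. Returns {ip: {count, sources, network}}."""
    hits = defaultdict(lambda: {"count": 0, "sources": set(), "network": None})
    for path, lines in logs.items():
        for line in lines:
            for ip in set(IPV4_RE.findall(line)):  # count each line once per IP
                net = matching_network(ip, nets)
                if net is None:
                    continue
                entry = hits[ip]
                entry["count"] += 1
                entry["sources"].add(path)
                entry["network"] = net
    return dict(hits)


def format_report(hits):
    """Plain-text summary, busiest watchlisted IP first; empty string if no hits."""
    if not hits:
        return ""
    lines = ["Watchlisted IPs seen in scanned logs:"]
    for ip, info in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        lines.append("%-16s %4d hit(s)  matched %-18s in %s"
                     % (ip, info["count"], info["network"],
                        ", ".join(sorted(info["sources"]))))
    return "\n".join(lines)


def scan_files(paths, nets):
    """Read real log files (paths are whatever you pass on the command line)."""
    logs = {}
    for path in paths:
        with open(path, errors="replace") as fh:
            logs[path] = fh.read().splitlines()
    return scan_logs(logs, nets)


if __name__ == "__main__":
    # No arguments: scan the constructed sample. From cron: pass the watchlist
    # file first, then the log files to scan.
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as fh:
            watch = load_watchlist(fh.read())
        report = format_report(scan_files(sys.argv[2:], watch))
    else:
        report = format_report(scan_logs(SAMPLE_LOGS, load_watchlist(WATCHLIST_TEXT)))
    if report:
        print(report)  # cron mails non-empty output to MAILTO, so silence means no hits
```

Run it once a day from cron with the log files as arguments (for example `0 6 * * * python3 /root/watchscan.py /root/watchlist.txt /var/log/httpd/access_log /var/log/exim_mainlog`, a constructed crontab line) and set `MAILTO` so the report arrives by e-mail; because the script prints nothing when there are no hits, you only get mail on days something on the list was active. It scans every line it is given, so limiting the report to the last 24 hours is a matter of pointing it at daily-rotated logs or at lines appended since the previous run, and the /32 handling means a watchlist can mix single addresses and ranges freely.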

Posted by CintrixHost, 05-28-2013, 12:13 PM
I see what you are saying, but ultimately I'm still getting hung up on what you are looking to do with these IPs. Are you basically trying to take a proactive (very time-consuming?) approach to make sure IPs are not coming back to your server and trying to do something malicious again? Are you trying to get a sense for what an IP is "trying" to do? Ultimately the reason I'm hung up is that as long as you have good security measures in place (blocking based on X fails, TLS/SSL enforcement, etc., etc.), why do you want to have a list of suspicious IPs, and what exactly (the reason there's a disconnect for me) are you "doing" with this list? Simply looking to see if it's trying to get into other services on your machine? Example: if an IP is trying to send mail through your server and can't get in, one of two things will happen. It will do nothing since it hasn't hit your failure limit, or nothing will happen because it only tried X times, which was below your limit for blocking. Do you have failure limits set up but also want to be able to manually bypass those limits on IPs you deem block-worthy on your own? Sorry for the odd questions; I'm still just stumped on what it is you are trying to do with the list you use and what (why?) you deem an IP suspicious if CSF didn't.

Posted by Oplactric, 05-28-2013, 03:40 PM
My intention is to learn to block more efficiently, and yes, be more proactive, but only to a particular extent, as I'm really not trying to make them not come back again, but just trying to filter out particular types of nuisances to give the server some break from them. This is one of the most important, if not the most important, reasons for my watchlist. I've been extremely lucky with my server, which is a VPS, so the security part is not a problem, at least not at this time. The issue is that I don't like any unsolicited activities or traffic running through the server, even though it is blocked on some levels, and this has more to do with making the server perform stably than with making it more secure, although I do that too. The automatic blocking methods have been good enough in themselves, but really not good enough if one wants to clear the server more. Yes, I do have failure limits set up, and on many levels, but I haven't thought about making any custom limits for block-worthy IPs.

Posted by bune, 05-28-2013, 08:56 PM
Did you check for what services you are getting alerts?

Posted by Oplactric, 05-28-2013, 09:44 PM
Yes I have.
