NAS is the way to go… Local storage is sooo 2008 :p
My new toy: http://www.synology.com/enu/products/DS410j/index.php
On www.synology.com you can find more info about the NAS’ and the OS on it. Wil try to post a review in a few weeks.
Many scripts like my Persistent Iptables bans from Fail2Ban script add a bunch of DROP statements to Iptables chains.
I noticed that quite a lot of people ask questions on mailing lists and forums requesting a method to automatically remove any duplicate IP’s that might exist within a given chain.
Well, that’s quite easy to accomplish really, just run this little PHP script I created as root, and your Iptables is once again clean as a whistle!
/** * Configuration */ $chain = "Blocklist"; $safelist = array("x.x.x.x" ,"y.y.y.y" ,"z.z.z.z"); $data = shell_exec('iptables -S '.$chain); $iparr = explode(' ',$data); $j = 0; $ref = array(); for($i=0;$i<sizeof($iparr);$i++) { if(substr_count($iparr[$i],".")==3) { $ref[$j] = $iparr[$i]; $j++; } } sort($ref); for($i=0;$i<sizeof($ref);$i++) { $ip = $ref[$i]; $ref[$i] = ""; if(stristr($ip,"0.0.0.0")) $ip=""; if(strlen($ip)>2 && !in_array($ip,$safelist) && in_array($ip,$ref)) { echo "Duplicate IP found: $ip\r\n"; while(in_array($ip,$ref)) { shell_exec('iptables -D '.$chain.' -s '.$ip.' -j DROP'); $ref[array_search($ip,$ref)] = ""; } } }
While examining my webserver statistics, I noticed that quite a lot 404′s are being served on most of my domains to scan bots that are trying to find exploits in possible running PHPMyAdmin configurations.
Though harmless if you keep a clean ship with a decently configured PHPMyAdmin and the latest updates like I do, I still decided I couldn’t let this behaviour unanswered. So I took action, and wrote a small fail2ban filter that permanently drops all traffic from the IP addresses these scans originate from, like I do with every address that misbehaves in any way.
The regex used won’t capture all attempts, but with my configuration only 1 hit is enough to get you banned (the scripts these scans call are main.php and config.inc.php, which aren’t to be called directly, especially not when they fail with a 404 like these), and all scanning attempts I’ve seen so far cycle through at least 20 different combinations.
Well, enough talk, here is the filter.d file:
# Fail2Ban configuration file # # Author: Remco Overdijk # # $Revision: 4 $ # [Definition] # Option: failregex # Notes.: regex to match the 404'ed PMA file in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = <HOST> -.*"GET .*(php|pma|PMA|p/m/a|db|sql|admin).*/(config/config\.inc|main)\.php.*".*404.* # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
And this is of course accompanied by a bit in jail.conf:
[apache-pma] enabled = true filter = apache-pma action = iptables-allports[name=pma] mail-whois[name=pma, dest=<YOURADDRHERE>] logpath = /var/log/apache2/access_log bantime = -1 maxretry = 1
Works for me, another 20 additional IPs/day onto the shitlist!
Update: It seems another variation of these scans are hitting the NIC’s quite often; One for Zen Cart to be more precise.
You can easily add support countering this scanner as well, simply by expanding the failregex with this line:^<HOST> -.*"GET .*(cart|boutique|catalog|butik|shop|zen|store).*/install\.txt.*".*404.*You can put multiple regexes within one failregex, just put each one on a new line.
It is possible to monitor fan speeds and temperatures on Dell Poweredge servers under Linux. You can achieve this by reading out the IPMI data that is available on the system.
I used the steps on this website to buffer the data gathered by IPMI to use in Cacti.
However, in addition to Cacti I also use Munin to monitor various system parameters. Wouldn’t it be nice to incorporate graphs for fan speeds and temperatures in Munin? I thought so, so I developed a way to do this.
Read more…
Goed.. gisterenavond was ik dus op een surpriseparty ter ere van de 30e verjaardag van MaxServ‘s Luuk van Raaij. Bij een goede surpriseparty hoort ook de nodige Whisky, en van Whisky ga je domme dingen zeggen.
Zo heb ik hem dus plechtig beloofd zijn nieuwe Online Strategie blog te promoten. Helaas had Luuk één glaasje minder gedronken dan ik, en herrinerde hij zich deze belofte nog glashelder.. helaas.
Dus.. lieve mensen, bij deze: Geinteresseerd in het laatste nieuws op Online Strategisch gebied? Neem even een kijkje op www.stategie-online.nl of check de MaxServ Twitter
Loading ...
