Firewall rules:
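#!/bin/bash
#
# Host firewall for the external interface.
#
# Flushes the filter table, (re)creates two terminating chains -- "drop-it"
# (silent DROP) and "drop-and-log-it" (syslog + ULOG netlink group 1, then
# DROP) -- and rebuilds INPUT so that only loopback, ssh from
# 130.126.184.0/21, tcp/81 and replies from NTP/DNS servers are accepted.
# Stateful ACCEPT rules on INPUT/OUTPUT/FORWARD let replies to our own
# connections through; everything else that reaches the end of INPUT is
# logged and dropped.
#
# NOTE(review): no chain policy is set.  INPUT is closed only by the final
# "-j drop-and-log-it" rule, and OUTPUT/FORWARD keep the kernel default
# (ACCEPT -- see the commented-out rules at the bottom).  If the script is
# interrupted after the flush, the host is left open until it is re-run.
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod        # LSMOD..SED are not referenced below
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

# Interface that faces the outside world.
EXTIF="eth0"
echo " External Interface: $EXTIF"

# Pull the interface's IPv4 address out of ifconfig: skip the first line (it
# names the interface), then on the "inet addr:A.B.C.D  Bcast:..." line split
# on ':' and take the first whitespace-separated token of field 2.
# Assumes the older net-tools output layout ("inet addr:") -- TODO confirm on
# the target host.  The substitution must stay on ONE line: a line break
# inside it ends the pipeline before awk receives its program.
EXTIP="$("$IFCONFIG" "$EXTIF" | "$AWK" "/$EXTIF/"'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}')"
echo " External IP: $EXTIP"
echo " ---"

# Refuse to build a ruleset around an empty address: "-d $EXTIP" would then
# swallow the following token and most ACCEPT rules below would fail to load.
# Bail out *before* the flush so the current ruleset stays in place.
if [ -z "$EXTIP" ]; then
    echo "Could not determine the IPv4 address of $EXTIF; leaving rules untouched" >&2
    exit 1
fi

LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"   # not referenced below
# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"      # not referenced below

# Flush every chain in the filter table (user chains included), so re-running
# the script does not duplicate rules.
$IPTABLES -F
echo " Creating a DROP chain.."
# -N fails harmlessly when the chain already exists from a previous run.
$IPTABLES -N drop-it 2> /dev/null
#$IPTABLES -A drop-it -j LOG --log-level info
$IPTABLES -A drop-it -j DROP
echo " Creating a DROP and LOG chain.."
$IPTABLES -N drop-and-log-it 2> /dev/null
$IPTABLES -A drop-and-log-it -j LOG --log-level info
# ULOG group 1 presumably feeds ulogd (the reporting scripts read an "ulogd"
# database); NFLOG is the successor target on kernels without ipt_ULOG.
$IPTABLES -A drop-and-log-it -j ULOG --ulog-nlgroup 1 --ulog-prefix DROP
$IPTABLES -A drop-and-log-it -j DROP

#Allow anything on loopback
$IPTABLES -A INPUT -i "$LPDIF" -s "$LPDIP" -j ACCEPT
$IPTABLES -A INPUT -i "$LPDIF" -s "$EXTIP" -j ACCEPT
#Allow various traffic from our network
$IPTABLES -A INPUT -p tcp --dport ssh -d "$EXTIP" -s 130.126.184.0/21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 81 -d "$EXTIP" -j ACCEPT
# NTP replies (source port 123) to an ephemeral port or to our own ntpd.
# These match on source port only, not on the server's address, so they admit
# any sender using port 123 to the high-port range; the ESTABLISHED,RELATED
# rule further down already covers replies to queries this host sent.
$IPTABLES -A INPUT -p udp --sport 123 --dport 1024:65535 -d "$EXTIP" -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 123 --dport 123 -d "$EXTIP" -j ACCEPT
# DNS replies (source port 53); same shape and same caveat as the NTP rules.
$IPTABLES -A INPUT -p udp --sport 53 --dport 1024:65535 -d "$EXTIP" -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 --dport 53 -d "$EXTIP" -j ACCEPT
# Subnet and limited broadcasts are dropped silently so the catch-all below
# does not log them.
$IPTABLES -A INPUT -d 130.126.191.255 -j DROP
$IPTABLES -A INPUT -d 255.255.255.255 -j DROP
# Noisy ports dropped without logging: ident, netbios-ssn (tcp); bootps,
# netbios-ns/dgm, who, rip, ipp (udp).
$IPTABLES -A INPUT -p tcp -m multiport --destination-ports 113,139 -j DROP
$IPTABLES -A INPUT -p udp -m multiport --destination-ports 67,137,138,513,520,631 -j DROP
# Only a single entry to rule them all and in the darkness see them
# (C) Bob Toxen, Real World Linux Security, Sec Ed, pg 473
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Catch-all: anything new that was not accepted above is logged and dropped.
$IPTABLES -A INPUT -j drop-and-log-it
#$IPTABLES -A OUTPUT -j ACCEPT
#$IPTABLES -A FORWARD -j ACCEPT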
Perl scripts:
Sorted by timestamp:
#!/usr/bin/perl
#
# Blocked-hosts report, most recently seen first.
#
# Reads the "ulog" table of the ulogd database, aggregates the last 28 days
# by source address and tcp/udp destination port, resolves addresses matching
# "130.126." to hostnames through PTR lookups, and prints the result as an
# HTML table ordered by the newest hit.
#
# NOTE(review): the listing is not compilable as reproduced here -- the HTML
# inside the print statements was stripped when the page was captured,
# leaving unbalanced quotes (the two consecutive `print "` lines below) and a
# bare "n" wherever "\n" stood.  From the first `print "` onward the text is
# kept exactly as found; comments are added only above that point.
# Points worth fixing in that untouched tail: `$row[3] =~ '130.126.'` is an
# unanchored match with unescaped dots; the trailing `, "n"` in
# `$hostname = $rr->ptrdname, "n";` is a stray comma-expression evaluated in
# void context; `$row[4] != ""` compares numerically, so it really means
# "port is non-zero" and warns on the empty string.
use DBI;
use Net::DNS;
# NOTE: no `use strict; use warnings;` -- $VERSION, $statement, $current,
# @row, $ip and $bg are all package globals.
# Version string from the RCS keyword.  As reproduced the pattern has no
# backslashes (the same capture dropped the `\` from every `\n`), so the
# original is probably `/: (\d+)\.(\d+)/`; as shown, `d+` matches a literal
# run of 'd', the match fails and sprintf is handed an empty list.
$VERSION = sprintf "%d.%03d", q$Revision: 1.12 $ =~ /: (d+).(d+)/;
my $res = Net::DNS::Resolver->new();
# Database name and credentials are embedded in the script (placeholders as
# published).  The DSN names no host, so DBD::mysql connects to its default
# server -- confirm against the deployment.
my $database = "ulogd";
my $user = "username";
my $password = "password";
# PrintError => 0 silences DBI's own warning; the die below reports instead.
my $dbh = DBI->connect("DBI:mysql:$database",
$user,
$password,
{PrintError => 0});
die "Unable for connect to server $DBI::errstr"
unless $dbh;
my $rc;           # declared but never used below
my $sth;
my $rowcount = 0; # rows printed; reported under the table
# NOTE: `my` binds only to $query here; $hostname is left a package global
# (this line would be a compile error under strict).
my $query, $hostname;
my $hilite = "#1b7de3";   # row background used for urh.uiuc.edu hostnames
#$statement = "select FROM_UNIXTIME(oob_time_sec),";
#$statement .= "INET_NTOA(ip_saddr),INET_NTOA(ip_daddr),";
#$statement .= "tcp_dport,udp_dport,ip_protocol from ulog;";
# One row per (ip_saddr, tcp_dport, udp_dport) seen in the last 28 days:
# hit count, first/last timestamp, dotted-quad source, ports and icmp type.
# icmp_type is selected but not grouped on, so presumably MySQL returns one
# arbitrary value per group.  No external input reaches the statement, so the
# string building is not an injection risk here.
$statement = "select COUNT(id) as Count,FROM_UNIXTIME(MIN(oob_time_sec)) as MIN, FROM_UNIXTIME(MAX(oob_time_sec)) as MAX,";
$statement .= "INET_NTOA(ip_saddr), tcp_dport, udp_dport, icmp_type from ulog ";
$statement .= "where FROM_UNIXTIME(oob_time_sec) > DATE_SUB(CURDATE(), INTERVAL 28 DAY) ";
$statement .= "group by ip_saddr,tcp_dport,udp_dport ";
$statement .= "order by MAX desc;";   # newest hit first
$sth = $dbh->prepare($statement);
$current = localtime();
# ---- HTML output below is kept byte-for-byte; see the note at the top.
# Column order in @row: 0 = count, 1 = first, 2 = last, 3 = ip,
# 4 = tcp port, 5 = udp port, 6 = icmp type.
print "
print "
Blocked Hosts List o
n tuxedo
This table is automatically generated from iptables logs on Bullseye.
n";
print "Blocked hosts lists: Sorted by last scan or So
rted by IP Address
n";
print "Port 631 (IPP) can be safely ignored.
This is not a p
roduction service!
This is only the last 28 days of data.
n";
if($sth->execute) {
print "
IP | Hostname | First | Last | TCP Port | UDP Port | ICMP | Countn"; while(@row = $sth->fetchrow_array) { $rowcount++; # Attempt to resolve addrs $hostname = $row[3]; if ($row[3] =~ '130.126.') { $query = $res->search($row[3]); if ($query) { #$hostname = $query->type; foreach my $rr ($query->answer) { next unless $rr->type eq "PTR"; $hostname = $rr->ptrdname, "n"; } } } # 0 = count, 1 = first, 2 = last, 3 = ip, 4 = tcp, # 5 = udp, 6 = icmp $ip = $row[3]; if ($hostname =~ "urh.uiuc.edu") { $bg = $hilite; } else { $bg = "FFFFFF"; } if ($hostname =~ "uiuc.edu") { print " | |||
$ip"; } else { print " | ||||||||||
$ip"; } print " |
$hostname | $row[1] | $row[2] "; if ($row[4] != "") { print " |
$row[4]n"; } else { print " |
$row[4]n";
} |
$row[5]n"; } else { print " |
$row[5]n"; } if ($row[6] != "") { print " |
$row[6]n"; } else { print " |
$row[6]n"; } print " |
$row[0]n"; } print " |
n";
print "Total row count: $rowcountn";
}
$current = localtime();
print "
Generated: $current
Version: $VERSIONn";
Sorted by ip address:
#!/usr/bin/perl
#
# Blocked-hosts report, ordered by source address.
#
# Same query and output as the "sorted by timestamp" script, except that the
# rows are ordered by ip_saddr (the integer address column) instead of by
# last-seen time.  Reads the "ulog" table of the ulogd database, aggregates
# the last 28 days by source address and tcp/udp destination port, resolves
# addresses matching "130.126." to hostnames through PTR lookups, and prints
# an HTML table.
#
# NOTE(review): the listing is not compilable as reproduced here -- the HTML
# inside the print statements was stripped when the page was captured,
# leaving unbalanced quotes (the two consecutive `print "` lines below) and a
# bare "n" wherever "\n" stood.  From the first `print "` onward the text is
# kept exactly as found; comments are added only above that point.
# Points worth fixing in that untouched tail: `$row[3] =~ '130.126.'` is an
# unanchored match with unescaped dots, and the trailing `, "n"` in
# `$hostname = $rr->ptrdname, "n";` is a stray comma-expression evaluated in
# void context.
use DBI;
use Net::DNS;
# NOTE: no `use strict; use warnings;` -- $VERSION, $statement, $current,
# @row, $ip and $bg are all package globals.
# Version string from the RCS keyword.  As reproduced the pattern has no
# backslashes (the same capture dropped the `\` from every `\n`), so the
# original is probably `/: (\d+)\.(\d+)/`; as shown, `d+` matches a literal
# run of 'd', the match fails and sprintf is handed an empty list.
$VERSION = sprintf "%d.%03d", q$Revision: 1.7 $ =~ /: (d+).(d+)/;
my $res = Net::DNS::Resolver->new();
# Database name and credentials are embedded in the script (placeholders as
# published).  The DSN names no host, so DBD::mysql connects to its default
# server -- confirm against the deployment.
my $database = "ulogd";
my $user = "username";
my $password = "password";
# PrintError => 0 silences DBI's own warning; the die below reports instead.
my $dbh = DBI->connect("DBI:mysql:$database",
$user,
$password,
{PrintError => 0});
die "Unable for connect to server $DBI::errstr"
unless $dbh;
my $rc;           # declared but never used below
my $sth;
my $rowcount = 0; # rows printed; reported under the table
# NOTE: `my` binds only to $query here; $hostname is left a package global
# (this line would be a compile error under strict).
my $query, $hostname;
my $hilite = "#1b7de3";   # row background used for urh.uiuc.edu hostnames
#$statement = "select FROM_UNIXTIME(oob_time_sec),";
#$statement .= "INET_NTOA(ip_saddr),INET_NTOA(ip_daddr),";
#$statement .= "tcp_dport,udp_dport,ip_protocol from ulog;";
# One row per (ip_saddr, tcp_dport, udp_dport) seen in the last 28 days:
# hit count, first/last timestamp, dotted-quad source, ports and icmp type.
# icmp_type is selected but not grouped on, so presumably MySQL returns one
# arbitrary value per group.  No external input reaches the statement, so the
# string building is not an injection risk here.
$statement = "select COUNT(id) as Count,FROM_UNIXTIME(MIN(oob_time_sec)) as MIN, FROM_UNIXTIME(MAX(oob_time_sec)) as MAX,";
$statement .= "INET_NTOA(ip_saddr), tcp_dport, udp_dport, icmp_type from ulog ";
$statement .= "where FROM_UNIXTIME(oob_time_sec) > DATE_SUB(CURDATE(), INTERVAL 28 DAY) ";
$statement .= "group by ip_saddr,tcp_dport,udp_dport ";
$statement .= "order by ip_saddr;";   # ascending by the integer address column
$sth = $dbh->prepare($statement);
$current = localtime();
# ---- HTML output below is kept byte-for-byte; see the note at the top.
# Column order in @row: 0 = count, 1 = first, 2 = last, 3 = ip,
# 4 = tcp port, 5 = udp port, 6 = icmp type.
print "
print "
Blocked Hosts List o
n tuxedo
This table is automatically generated from iptables logs on Bullseye.
n";
print "Blocked hosts lists: Sorted by last scan or So
rted by IP Address
n";
print "Port 631 (IPP) can be safely ignored.
This is not a p
roduction service!This is only the last 28 days of data.
n";
if($sth->execute) {
print "
IP | Hostname | First | Last | TCP Port | UDP Port | ICMP | Countn"; while(@row = $sth->fetchrow_array) { $rowcount++; # Attempt to resolve addrs $hostname = $row[3]; if ($row[3] =~ '130.126.') { $query = $res->search($row[3]); if ($query) { #$hostname = $query->type; foreach my $rr ($query->answer) { next unless $rr->type eq "PTR"; $hostname = $rr->ptrdname, "n"; } } } # 0 = count, 1 = first, 2 = last, 3 = ip, 4 = tcp, 5 = udp, 6 = icmp $ip = $row[3]; if ($hostname =~ "urh.uiuc.edu") { $bg = $hilite; } else { $bg = "FFFFFF"; } if ($hostname =~ "uiuc.edu") { print " |
$ip"; } else { print " | |||||||
$ip"; } print " |
$hostname | $row[1] | $row[2] "; print " |
$row[4] | $row[5] | $row[6] } print " |
n";
print "Total row count: $rowcountn";
}
$current = localtime();
print "
Generated: $current
Version: $VERSIONn";