Re: Realtime log file analyser

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 01/22/03


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 21 Jan 2003 19:48:45 -0500

I agree with Keith. Most firewalls don't automatically ban IP addresses for
this reason, and the ones that do are often derided by security
professionals.

However, you could install BlackICE Standard for around $40; it will do this
for certain attacks such as Code Red and Nimda. It may block legitimate
users if you're not careful.

Web servers attacking you with Nimda or Code Red style attacks are not
likely to continue with other attacks, and if they do, they are not likely
to be successful, especially not since you have URLScan installed.

In my experience I have yet to run into a situation where this sort of
technology would have prevented a hacking, but have certainly run into
situations where this autoblocking blocked someone that was supposed to have
access.

Kevin Mitnick found it very trivial to do IP spoofing... see
www.takedown.com or the book Takedown for further details. For example, you
can spoof a source IP address when sending a command to use an IIS exploit
to create a new Administrator account, and you don't necessarily care
whether you get the reply back. Or, you can hijack 10 servers in China and
control them remotely, so that the source IP address tells you nothing.

"Scarlet" <Scarletpimpernel666@hotmail.com> wrote in message
news:09b701c2c19a$aa65fc50$8af82ecf@TK2MSFTNGXA03...
> Well it doesn't have to search in any file. Just instead of
> the log file, the output of the IIS will be redirected to
> that analyzer, and it analyses it in realtime. I don't think
> that searching in a short string for a specified phrase
> will be a big task for a server even for thousands of
> requests.
> And as for the spoofing of the source address, as far as I
> gathered it's not that easy to really spoof an IP address.
> Yes, you can use those malformed anonymous proxies or
> socks and connect via them or chaining them, but the real
> IP spoofing and especially spoofing the IPs of my ISP name
> server seems not real easy. If it is that easy, please let
> me know how it's done, so I can apply more security on our
> servers, not letting people spoof their IPs.
>
> >-----Original Message-----
> >> So what I need is a realtime logfile analyser that, when
> >> it faces that phrase in the log line, automatically bans
> >> (permanently or temporarily) the IP of the attacker and
> >> disconnects any session with that IP. So the first
> >> malicious request will lead to restriction of the access
> >> from that IP.
> >
> >Not the best idea in the world. And believe me, it's
> >been considered and debated many, many times.
> >
> >For starters, that list has to be searched each time a
> >request is handed to IIS. I'll let you figure what would
> >happen to performance once that list grew to several
> >hundred (or very likely thousand) addresses.
> >
> >Add to that the fact that it is trivial to spoof a source
> >address. Again, I'll let you figure out what happens when
> >someone spoofs the source address of your biggest client,
> >your ISP's name server, etc. The list could go on for
> >days...
> >
> >In my opinion, your time would be much better spent
> >refining your security measures and hardening your
> >systems. If you've built your network and security
> >infrastructure correctly, who cares what some clown with
> >a cable modem is throwing at your systems?
> >
> >Hope this helps.
> >
> >--
> >Keith W. McCammon
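A defender-side sketch of the analyser being debated, added here as an example and not code from anyone in the thread: it parses constructed IIS W3C log lines for Code Red/Nimda request shapes and shows the two caveats raised above in practice, an allowlist so a spoofed "biggest client" or name-server address is never banned, and bans that expire instead of a permanently growing list scanned per request. The field order, the allowlist ranges, the signature patterns and the sample addresses are all assumptions.

```python
import re
import time
from ipaddress import ip_address, ip_network
# Request shapes Code Red and Nimda left in IIS logs (defensive signatures only).
WORM_PATTERNS = re.compile(r"default\.ida\?|/root\.exe|/cmd\.exe", re.IGNORECASE)
# Hypothetical allowlist: the "biggest client" / "ISP's name server" that must never be banned.
NEVER_BAN = [ip_network("192.0.2.0/24"), ip_network("198.51.100.53/32")]

class AutoBanner:
    """Feed IIS W3C log lines; offenders get a temporary, expiring ban."""
    def __init__(self, ban_seconds=3600, threshold=2, clock=time.monotonic):
        self.ban_seconds, self.threshold, self.clock = ban_seconds, threshold, clock
        self.strikes = {}   # c-ip -> number of matching requests seen
        self.banned = {}    # c-ip -> expiry; a dict lookup, not a list scan

    def is_banned(self, ip):
        expiry = self.banned.get(ip)
        if expiry is not None and expiry > self.clock():
            return True
        self.banned.pop(ip, None)        # absent or lapsed: drop it
        return False

    def feed(self, line):
        fields = line.split()
        # Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
        if line.startswith("#") or len(fields) < 7:
            return False                 # directive line or malformed record
        ip, uri, query = fields[2], fields[4], fields[5]
        if not WORM_PATTERNS.search(uri + "?" + query):
            return False
        if any(ip_address(ip) in net for net in NEVER_BAN):
            return False                 # log it, but never block trusted sources
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        if self.strikes[ip] >= self.threshold and not self.is_banned(ip):
            self.banned[ip] = self.clock() + self.ban_seconds
            return True                  # this line caused a new ban
        return False

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-01-21 19:48:45 203.0.113.7 GET /default.ida XXXXXXXX%u9090 404
2003-01-21 19:48:46 203.0.113.7 GET /scripts/root.exe /c+dir 404
2003-01-21 19:48:47 198.51.100.53 GET /c/winnt/system32/cmd.exe /c+dir 404
2003-01-21 19:48:48 203.0.113.9 GET /index.html - 200""".splitlines()

def run_sample(banner=None):
    banner = AutoBanner() if banner is None else banner
    for line in SAMPLE_LOG:
        banner.feed(line)
    return sorted(banner.banned)   # -> ['203.0.113.7']
```

The allowlisted 198.51.100.53 probe is still visible in the log for a human to review; it just never reaches the ban table.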
