
...making Linux just a little more fun!

Talkback:137/takefuji.html

[ In reference to "Rule-based DoS attacks prevention shell script" in LG#137 ]

diana [ephrondiana at gmail.com]


Fri, 02 Nov 2007 18:49:57 +0530

Hello,

I was directed to you through the talkback of the site http://linuxgazette.net/137/takefuji.html. I got the following script from this site, but I am getting the

ERROR message: "sed: -e expression #1, char 0: no previous regular
expression Bad argument `DROP' Try `iptables -h' or 'iptables --help'
for more information." while running that script manually.
But I am getting the output from the logs as dropped IPs in my /etc/sysconfig/iptables. I am not sure of this error :'( . Please help me...

#!/bin/bash
rm -f ttt
touch tmp
# disabled IPs can be obtained from /etc/sysconfig/iptables
# (field 5 of every line containing DROP; a line with fewer than five
# fields, such as a ":INPUT DROP [0:0]" policy line, yields an empty line in tmp)
grep DROP /etc/sysconfig/iptables | awk '{print $5}' >tmp
# ------------------------ DoS attacks rule -------------------------
# identity mismatch in secure ("Did not receive identification string from IP")
grep Did /var/log/secure | awk '{print $12}' >>tmp
# Invalid user ("Invalid user NAME from IP")
grep "Invalid user" /var/log/secure | awk '{print $10}' >>tmp
# Maximum login (the address is expected in brackets, "[IP])")
grep "Maximum login" /var/log/secure | awk '{print $7}' | sed 's/.*\[\(.*\)\])/\1/g' >>tmp
#
# ------------------ reduce redundant IPs from tmp file -------------
# Take the first line of tmp, delete every line matching it, and repeat
# until tmp is empty. If that first line is empty the command becomes
# "sed //d", which fails with "no previous regular expression"; tmps is
# then empty and the remaining addresses are lost.
size=`/usr/bin/wc tmp | awk '{print $1}'`
i=0
while test $i -lt $size
do
    us=`sed -n 1p tmp`
    sed /$us/d tmp >tmps
    echo $us >>ttt
    cp -f tmps tmp
    size=`/usr/bin/wc tmp | awk '{print $1}'`
done
rm -f tmp tmps temp0 temp
#
# ------------------ activate detected IPs --------------------------
# -F flushes every chain; the rules are then rebuilt from ttt. An empty
# line in ttt runs "iptables -A INPUT -s -j DROP", which iptables
# reports as "Bad argument `DROP'".
size=`wc ttt | awk '{print $1}'`
size=`expr $size + 1`
/sbin/iptables -F
i=1
while test $i -lt $size
do
    ip=`sed -n "$i"p ttt`
    i=`expr $i + 1`
    /sbin/iptables -A INPUT -s $ip -j DROP
done
# -----------------end of shell script test -------------------------

Thanks,

Diana.K.


Ben Okopnik [ben at linuxgazette.net]


Fri, 2 Nov 2007 09:45:07 -0400

On Fri, Nov 02, 2007 at 06:49:57PM +0530, diana wrote:

>    Hello,
> 
>          I was directed to you through the talkback of the site
>    http://linuxgazette.net/137/takefuji.html. I got the following script from
>    this site, but I am getting the
>    ERROR message: "sed: -e expression #1, char 0: no previous regular
>    expression Bad argument `DROP' Try `iptables -h' or 'iptables --help' for
>    more information." while running that script manually.
>          But I am getting the output from the logs as dropped IPs in my
>    /etc/sysconfig/iptables. I am not sure of this error :'( . Please help
>    me...

I've forwarded your request to the author; perhaps he can help you out; if not, a number of people here are pretty competent at shell scripting. The script isn't very complicated, anyway - you might want to do a bit of troubleshooting on your own (e.g., figure out which line is throwing that error.)

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *

Thomas Adam [thomas.adam22 at gmail.com]


Fri, 2 Nov 2007 13:53:21 +0000

On 02/11/2007, Ben Okopnik <ben@linuxgazette.net> wrote:

> On Fri, Nov 02, 2007 at 06:49:57PM +0530, diana wrote:
> >    Hello,
> >
> >          I was directed to you through the talkback of the site
> >    http://linuxgazette.net/137/takefuji.html. I got the following script from
> >    this site, but I am getting the
> >    ERROR message: "sed: -e expression #1, char 0: no previous regular
> >    expression Bad argument `DROP' Try `iptables -h' or 'iptables --help' for
> >    more information." while running that script manually.
> >          But I am getting the output from the logs as dropped IPs in my
> >    /etc/sysconfig/iptables. I am not sure of this error :'( . Please help
> >    me...
>
> I've forwarded your request to the author; perhaps he can help you out;
> if not, a number of people here are pretty competent at shell scripting.
> The script isn't very complicated, anyway - you might want to do a bit
> of troubleshooting on your own (e.g., figure out which line is throwing
> that error.)

Running it as:

bash -xv ./some_file

would be a start...

-- Thomas Adam


Trevor Pearson [trevor at haven.demon.co.uk]


Fri, 02 Nov 2007 22:58:40 +0000

diana wrote:

> Hello,
>
>       I was directed to you through the talkback of the site
> http://linuxgazette.net/137/takefuji.html. I got the following script
> from this site, but I am getting the
> ERROR message: "sed: -e expression #1, char 0: no previous regular
> expression Bad argument `DROP' Try `iptables -h' or 'iptables --help'
> for more information." while running that script manually.
>       But I am getting the output from the logs as dropped IPs in my
> /etc/sysconfig/iptables. I am not sure of this error :'( . Please help
> me...
>
Try commenting out the lines that start with rm, to leave the temporary files the script uses in place, and have a look at them. If the file tmp is full of 'DROP' on a single line (looks like this: DROP DROP DROP ...), then the script is getting the wrong field from /etc/sysconfig/iptables.

Trevor.


takefuji [takefuji at sfc.keio.ac.jp]


Sat, 3 Nov 2007 10:08:29 +0900

Dear Diana,

Instead of running the shell script, run every line manually in order to identify the line causing the errors. The /var/log format differs depending on the log system version.

Regards,

Yoshiyasu Takefuji

Professor of Keio University
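
Editor's added example, not part of Takefuji's article or of any message in this thread: it reproduces both errors Diana reports on constructed input and demonstrates the field-position problem that Trevor (wrong field from /etc/sysconfig/iptables) and Takefuji (log format varies with the log system version) point at. Everything in it is constructed: the iptables-save fragment, the three /var/log/secure lines (one with a different timestamp layout), the TEST-NET addresses and the function names; which field actually holds the address in Diana's files is not known from the thread. The key observation is that a single empty token explains both messages: the dedup loop runs `sed //d` when the first line of tmp is empty, which GNU sed rejects with "char 0: no previous regular expression", and the final loop then runs `iptables -A INPUT -s -j DROP`, where -s swallows -j and the stray DROP is reported as "Bad argument `DROP'". Since the script has already run `iptables -F` by then, every address it failed to re-add stays unblocked until the next run. The pattern-based extraction and the is_ipv4 gate are the added hardening; rule lines are printed, never executed.

```bash
#!/bin/bash
# Added example, not from the article or the thread. Reproduces the two
# errors on constructed input and shows address extraction that does not
# depend on field positions. Nothing here calls iptables.

# Constructed fragment in iptables-save format (what "service iptables
# save" writes). "grep DROP" also matches the ":INPUT DROP [0:0]" policy
# line, which has no fifth field, and field 5 of a saved rule is "-j".
IPTABLES_SAMPLE='*filter
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -s 198.51.100.22/32 -j DROP
COMMIT'

# Constructed /var/log/secure lines. The third uses a high-precision
# timestamp layout, which removes two fields before the address.
SECURE_SAMPLE='Nov  2 18:40:01 host sshd[2231]: Did not receive identification string from 203.0.113.9
Nov  2 18:40:07 host sshd[2240]: Invalid user admin from 192.0.2.15
2007-11-02T18:40:09+05:30 host sshd[2250]: Invalid user test from 192.0.2.16'

IPV4_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'
IPV4_LINE_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

# Field-position extraction exactly as the original script does it.
positional_tokens() {
    printf '%s\n' "$IPTABLES_SAMPLE" | grep DROP | awk '{print $5}'
    printf '%s\n' "$SECURE_SAMPLE" | grep Did | awk '{print $12}'
    printf '%s\n' "$SECURE_SAMPLE" | grep "Invalid user" | awk '{print $10}'
}

# Number of positional tokens that are not a dotted quad. Each would end
# up in "iptables -A INPUT -s <token> -j DROP"; an empty token gives
# "iptables -A INPUT -s -j DROP", where -s swallows -j and the stray DROP
# is reported as "Bad argument `DROP'".
count_bad_tokens() {
    positional_tokens | grep -vcE "$IPV4_LINE_RE"
}

# Reproduce the first error: with $us empty the dedup loop runs "sed //d",
# which GNU sed rejects ("char 0: no previous regular expression").
# Returns 0 when sed rejects the empty pattern.
empty_pattern_rejected() {
    us=""
    if printf 'x\n' | sed "/$us/d" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Pattern-based extraction: find the address wherever it is on the line,
# drop any prefix length, and let sort -u remove duplicates. (The
# original's unanchored "sed /$us/d" also deletes 10.0.0.10 for 10.0.0.1,
# since "." matches any character and the match is a substring.)
extract_ips() {
    {
        printf '%s\n' "$IPTABLES_SAMPLE" | grep -e '-j DROP' \
            | grep -oE -e "-s ${IPV4_RE}" | awk '{print $2}'
        printf '%s\n' "$SECURE_SAMPLE" \
            | grep -E 'Did not receive identification string|Invalid user|Maximum login' \
            | grep -oE "$IPV4_RE"
    } | LC_ALL=C sort -u
}

# Gate before any iptables call: a dotted quad with every octet <= 255.
is_ipv4() {
    printf '%s\n' "$1" | grep -qE "$IPV4_LINE_RE" || return 1
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Build the iptables command lines the hardened script would run; they
# are printed, not executed, so the result can be inspected safely.
build_rules() {
    extract_ips | while read -r ip; do
        if is_ipv4 "$ip"; then
            printf '/sbin/iptables -A INPUT -s %s -j DROP\n' "$ip"
        else
            printf 'skipping non-address token: %s\n' "$ip" >&2
        fi
    done
}

if [ "${1:-}" = "run" ]; then
    echo "positional tokens that would reach iptables unchecked: $(count_bad_tokens)"
    build_rules
fi
```

Run it as `bash example.sh run`. Four of the six positional tokens (two empty lines and two "-j") are not addresses; the pattern-based path yields the five distinct addresses present in the samples. In a real deployment the same gate should sit in front of the iptables call so that a parsing surprise in a log line skips one entry instead of aborting the rebuild after `-F` has already emptied the chain.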

