Page 2 of 2
Results 11 to 17 of 17

Thread: Unknown IP Uploads

  1. #11
    Join Date
    Jan 2012
    Beans
    34

    Re: Unknown IP Uploads

    Quote Originally Posted by unspawn
    Couple of ways about it: 0) learn about it (bit steep learning curve maybe ;-p) here or here and here and maybe check here (archive.org copy) if you can't get enough of that stuff or 1) ask specific questions or else 2) share the pcap for others to analyze.
    * In case of the latter you may want to obfuscate your IP address and scrub certain types of traffic (logins, cookies, destinations).

    ** Wrt your screen shot: running nethogs gives you process IDs. These PIDs you can then run through 'lsof' for more clues. For example running 'sudo lsof -Pwlnp 2085' should get you the process details from the second one listed in your screen shot. The caveat is the process has to be running, you can't do it afterwards.
    I will have a read over all that stuff, thank you.
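
The nethogs -> PID -> lsof chain that unspawn's quoted advice describes, as an added example that is not part of any post in this thread. It assumes the iproute2 ss(8) tool and a Linux /proc; the function names are hypothetical and the ss output below is constructed (documentation addresses, not a real capture).

```shell
#!/bin/sh
# Added example, not from the thread: go from a peer IP seen in nethogs or
# ss to the PIDs that own the connection, then hand each PID to lsof exactly
# as unspawn suggests. Function names are hypothetical; needs iproute2 ss(8).

# Constructed sample of `ss -tnp` output (documentation addresses, not a real capture).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
ESTAB 0      0      192.168.1.10:50342   203.0.113.7:443     users:(("firefox",pid=2085,fd=67))
ESTAB 0      0      192.168.1.10:50344   198.51.100.9:443    users:(("dropbox",pid=2091,fd=12),("dropbox",pid=2092,fd=13))
ESTAB 0      0      192.168.1.10:50350   203.0.113.7:80      users:(("wget",pid=2100,fd=3))'

# pids_for_peer PEER_IP: read `ss -tnp` output on stdin, print each PID that
# holds a socket to PEER_IP (one per line, deduplicated, numeric order).
pids_for_peer() {
    awk -v ip="$1" '
        NR == 1 { next }                          # header line
        {
            peer = $5; sub(/:[0-9]+$/, "", peer)  # "203.0.113.7:443" -> "203.0.113.7"
            if (peer != ip) next
            rest = $0
            while (match(rest, /pid=[0-9]+/)) {   # one socket may list several PIDs
                print substr(rest, RSTART + 4, RLENGTH - 4)
                rest = substr(rest, RSTART + RLENGTH)
            }
        }' | sort -un
}

# inspect_peer PEER_IP: live version. ss needs root to report other users'
# processes, and the connection must still be open; once it closes the PID
# is gone, which is the caveat unspawn mentions.
inspect_peer() {
    for pid in $(sudo ss -tnp | pids_for_peer "$1"); do
        echo "=== PID $pid -> $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?') ==="
        sudo lsof -Pwlnp "$pid"      # -P/-n/-l: no port, host or user name lookups
    done
}

# Dry run on the constructed sample; prints 2085 and 2100:
printf '%s\n' "$SAMPLE_SS" | pids_for_peer 203.0.113.7
```

For a real host, `inspect_peer 203.0.113.7` replaces the dry run; the parsing is the same, only the input comes from a live `ss -tnp`.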

  2. #12
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,582
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Unknown IP Uploads

    Here's a very simple script to do what you want. I named it iptables.sh. Please note that I usually set the default packet policy on firewalls as drop, but in this case I kept it ACCEPT since I only wanted to block OUTPUT from certain IPs:

    #!/bin/bash
    # iptables.sh - log and drop OUTPUT traffic to a list of IP addresses.
    # Default chain policies stay ACCEPT; only the listed destinations are blocked.

    IPTABLES=/sbin/iptables
    IP6TABLES=/sbin/ip6tables
    LOGLIMIT="2/s"
    LOGLIMITBURST=10

    function clean() {

    echo "[+] Flushing existing iptables rules..."
    $IPTABLES -F
    $IPTABLES -F -t mangle
    $IPTABLES -F -t nat
    $IPTABLES -X
    $IPTABLES -X -t mangle
    $IPTABLES -X -t nat

    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    $IP6TABLES -F
    $IP6TABLES -X
    $IP6TABLES -P INPUT ACCEPT
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -P FORWARD ACCEPT

    }


    ### set the chain policies (kept at ACCEPT here, see note above)

    function Default_Policies() {

    #Default Policies
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT

    ### this policy does not handle IPv6 traffic except to drop it.
    $IP6TABLES -P INPUT DROP
    $IP6TABLES -P OUTPUT DROP
    $IP6TABLES -P FORWARD DROP

    }



    function firewall() {

    ###### OUTPUT chain ######
    #
    echo "[+] Setting up OUTPUT chain..."

    BlockedIPs=( IPADDRESS1 IPADDRESS2 IPADDRESS3 ) # one IP per entry, separated by spaces only (no commas)

    # LOGDROP: rate-limited log entry, then drop
    $IPTABLES -N LOGDROP
    $IPTABLES -A LOGDROP -j LOG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST --log-prefix "DROP OUT- " --log-ip-options --log-tcp-options
    $IPTABLES -A LOGDROP -j DROP

    for ip in "${BlockedIPs[@]}"
    do
    $IPTABLES -A OUTPUT -d ${ip} -j LOGDROP
    done
    }

    case "$1" in
    stop)
    echo "Shutting down firewall..."
    clean
    echo "...done"
    ;;
    status)
    echo $"Table: filter"
    $IPTABLES --list
    echo $"Table: nat"
    $IPTABLES -t nat --list
    echo $"Table: mangle"
    $IPTABLES -t mangle --list
    ;;
    restart|reload)
    $0 stop
    $0 start
    ;;
    start)
    echo "Starting Firewall..."
    clean
    Default_Policies
    firewall
    ;;
    *)
    echo "Usage iptables.sh { start | stop | restart | status }"
    exit 1
    ;;
    esac

    exit 0
    ### EOF ###

  3. #13
    Join Date
    Jan 2012
    Beans
    34

    Re: Unknown IP Uploads

    Quote Originally Posted by kevdog
    BlockedIPs=( IPADDRESS1 IPADDRESS2 IPADDRESS3 ) #Spaces are important after and before ()
    Do I only need to change the above line and insert the IPs I want to block instead of 'IPADDRESS1 IPADDRESS2 IPADDRESS3'?

    Do I leave only spaces, no commas or full stops between each IP?

    Is there a limit to how many IPs I can put into that line?

    And where do I put this file and how do I run it?

  4. #14
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,582
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Unknown IP Uploads

    Sorry I didn't give instructions. There are other ways to do what I am proposing, so I don't want to tell you there is this way, and that's it. What I'm doing is creating an array of IP values. So yes, you would put an IP address substituting for where I put IPADDRESS1. There is no limit to the number of IP addresses you want to add.

    Save the file as iptables.sh and make sure the ownership is root and the group is root. I usually save the file in /usr/local/sbin. (That's just me however).

    If you want to run the file it would be:
    sudo /usr/local/sbin/iptables.sh start

    or
    sudo /usr/local/sbin/iptables.sh stop

    or
    sudo /usr/local/sbin/iptables.sh status

    or
    sudo /usr/local/sbin/iptables.sh restart

    I believe /usr/local/sbin should be in your path so I don't think you have to type the full path (I think).

    Try it -- see if it works. The blocked IP addresses are logged, so you could look at your syslog to confirm the IP addresses are getting blocked. You can always elect to not log the dropped IP addresses at another time.

    That's about all I know.
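
An added example, not part of kevdog's iptables.sh or of any post in this thread, that answers the questions about the BlockedIPs line (#12) and the usage instructions (#14) in code: each entry is checked to be an IPv4 address or CIDR before it becomes a rule, entries are separated by whitespace only, and the rules the script's for-loop would append are printed instead of executed so the list can be reviewed first. The function names and the /etc/blocked-ips.txt path are assumptions; the list file is constructed from documentation ranges.

```shell
#!/bin/sh
# Added example, not part of kevdog's iptables.sh: check each BlockedIPs entry
# before it reaches iptables, and show the rules the script would append.
# Function names and the /etc/blocked-ips.txt path are assumptions.

IPTABLES=/sbin/iptables

# valid_ipv4 ENTRY: succeed if ENTRY is a dotted-quad IPv4 address,
# optionally followed by /PREFIX (0-32). Anything else (commas, names,
# octets above 255, IPv6) is rejected so a typo never becomes a bad rule.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9./]*|.*|*.|*..*|/*|*/) return 1 ;;
    esac
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" present: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    set -- $(IFS=.; echo $addr)                # split the address into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# read_blocklist FILE: print one entry per line, dropping blank lines and
# anything after '#'. Entries may be separated by spaces, tabs or newlines;
# commas are not separators and will be rejected by valid_ipv4.
read_blocklist() {
    awk '{ sub(/#.*/, ""); for (i = 1; i <= NF; i++) print $i }' "$1"
}

# gen_block_rules ENTRY...: print the OUTPUT rule iptables.sh would add for
# each valid entry (same shape as its for-loop) and complain about the rest.
# Returns non-zero if any entry was rejected.
gen_block_rules() {
    bad=0
    for ip in "$@"; do
        if valid_ipv4 "$ip"; then
            printf '%s -A OUTPUT -d %s -j LOGDROP\n' "$IPTABLES" "$ip"
        else
            printf 'rejected entry: %s\n' "$ip" >&2
            bad=1
        fi
    done
    return $bad
}

# Demo on a constructed list file (documentation ranges, not real addresses).
# In real use the file would be e.g. /etc/blocked-ips.txt (an assumption).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# one host, one /24, one typo, one comma-joined pair
203.0.113.7  198.51.100.0/24
10.0.0.300
192.0.2.15,192.0.2.16
EOF
gen_block_rules $(read_blocklist "$tmp") || echo 'fix the rejected entries before running iptables.sh start' >&2
rm -f "$tmp"
```

To apply the rules for real, replace the printf in gen_block_rules with `"$IPTABLES" -A OUTPUT -d "$ip" -j LOGDROP` (the LOGDROP chain must exist first, as it does in iptables.sh), and run it as root the same way as the script: `sudo /usr/local/sbin/iptables.sh start`.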

  5. #15
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Unknown IP Uploads

    It might be important to add that blocking Amazon AWS will likely break most websites you visit, well not most, but probably a decent enough amount to not be worth it.

  6. #16
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,582
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Unknown IP Uploads

    Quote Originally Posted by Dangertux
    It might be important to add that blocking Amazon AWS will likely break most websites you visit, well not most, but probably a decent enough amount to not be worth it.
    I don't really follow this? I don't have the problem discussed in this thread. Is Amazon AWS that prevalent that it would actually make a difference?

  7. #17
    Join Date
    Jun 2011
    Location
    Atlanta Georgia
    Beans
    1,771
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: Unknown IP Uploads

    A lot of sites use AWS to host at least a portion of their content. I suppose as long as you only block some VPS IPs it won't be that bad. But if you hit a TLD or load balancer it might cause issues.
