
Automated reporting of hacking or exploit attempts


RimBlock
15-04-2010, 04:39
Hi Gregory,

I see the script is coming on by leaps and bounds.

I personally prefer a collection of small functional scripts to one large one and was just suggesting having a config file which can be sourced at the beginning of each individual script. The technique allows for possible reuse of the separate functional scripts for other 'projects'. Different people, different preferences. How about putting the code chunks into functions called from the case statement. A good overview here. Makes it easier to read and easier to amend than a solid block of code.

You beat me to the WHITELIST. Whilst playing with setting my host firewall rules last night it occurred to me that a whitelist would be good to prevent you locking yourself out. Glad to see you had the same thought.

Going through the code there is one part that screams "Danger Will Robinson!...".

It is the woot lock section;
if [ -e "$WOOTLOCK" ]; then
	#w00t may already be running, terminate process
	ls "$WOOTLOCK"
	line=`$CAT "$WOOTLOCK"`

	if [ "$line" != "" ]; then
		$KILL -9 "$line" > /dev/null
		$RM $WOOTLOCK
	fi
fi
Not sure why the ls command but I would guess you are redirecting STDOUT to a log file or running from a terminal session.

It is the killing of the PID in the wootlock file. Why this sets alarm bells ringing is that the script may have previously exited abnormally and left a wootlock file floating around containing a PID which may have been reused by another process after the script died. Net effect, you could end up killing a process you have no wish to, or if someone gets into the system and is able to edit the wootlock file, they can get your script to kill your entire server (although I am sure file permissions and running the script as a user rather than root should prevent that).

Why not take the output from the ps command to feed the kill, and preferably a straight kill rather than a -9. Move to the -9 if you have a hang and the straight kill fails rather than defaulting to it. Using ps ensures, if the grep is targeted enough, that you will kill a running process associated with the script and not just any old PID left in a file. The file can still be used as a flag to denote that a check for the PID is needed. I personally love flag files / db flags in tables and 'sweep' scripts / procs as a good control method.

The next question would be, why is it being killed? Would it not be better to allow it to complete? How about having a datestamp and a count in the wootlock file. You could check the wootfile for the date/time and count, pause for 10 seconds then check again. If it has not changed then kill it. If it is changing then let it be and report that it is already processing.

Better still, why not set a lock file at the start of the script regardless of the function you are asking the script to perform and, rather than just exiting when finished, go to an exit function which takes the exit value and removes the script lock file before translating the exit code and reporting the exit reason to a log file, and then exits with the status code. The exit function is generic and can be used by all the code chunks / functions. Again, to get the best effect, you would need to log to a log file from within the script.

Adding a LOG2FILE variable and setting it to 1 or 0 (yes or no) then having an 'if' check and redirecting STDOUT and STDERR to a LOGFILE (pref with a date stamp in the filename) by doing;

exec 1>> "$LOG_FILE" #Redirect STDOUT to a logfile
exec 2>> "$ERR_LOG_FILE" #Redirect STDERR to a logfile
If unset then STDOUT and STDERR can just go to the console/terminal.

You could even have another check for the size of the ERR_LOG_FILE and have it automatically email you if there is a script error.

Ok, last thought. You could also have a DONOTRUN variable which denotes that the script should not be run and an if statement to exit if this is set at the beginning of the script. This would lock out the script at script level rather than having to amend the crontab to stop it running. You could go more granular and have variables for locking out script functions so you could lock out the 'ban' function but keep the 'checkiptables' function active.

Might also be worth thinking about stepping back and putting together a proper design on paper etc. rather than correcting and fixing and expanding 'on the fly', which if you are anything like me and the majority of programmers out there is what you will be doing. Most programmers hate paperwork, including me.

Pheww. Lots to read and either work with or ignore.

Cheers
RB
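As an added example (not code from the thread) of the lock file, exit function, LOG2FILE and DONOTRUN ideas above: the lock is only trusted after checking that the recorded PID still belongs to this script, and every exit goes through one function that removes the lock and logs the reason using the wrapper's exit-code scheme. The file paths and all function names are this example's own assumptions.

```bash
#!/bin/bash
# Added example, not from the thread: lock handling and a single exit function
# along the lines RimBlock suggests. LOCKFILE, LOG2FILE, DONOTRUN, pid_is_ours,
# acquire_lock, exit_reason and finish are this example's own names; the paths
# below are assumed.
LOCKFILE="${LOCKFILE:-/tmp/w00t-example.lock}"
LOG_FILE="${LOG_FILE:-/tmp/w00t-example.log}"
ERR_LOG_FILE="${ERR_LOG_FILE:-/tmp/w00t-example.err}"
LOG2FILE="${LOG2FILE:-0}"    # 1 = send STDOUT/STDERR to the log files
DONOTRUN="${DONOTRUN:-0}"    # 1 = refuse to run, no need to touch crontab

# Is PID $1 alive AND running something whose command line contains $2?
# A PID left behind in a stale lock file may have been reused by an unrelated
# process, so the lock file contents are never trusted on their own.
pid_is_ours() {
    kill -0 "$1" 2>/dev/null || return 1           # no such process
    if [ -r "/proc/$1/cmdline" ]; then             # Linux: the real cmdline
        tr '\0' ' ' < "/proc/$1/cmdline" | grep -q -- "$2"
        return $?
    fi
    ps -p "$1" -o args= 2>/dev/null | grep -q -- "$2"   # fallback via ps
}

# Take the lock: 0 on success, 1 if a live instance already holds it.
# $1 = name expected in the running instance's command line.
acquire_lock() {
    local old
    if [ -e "$LOCKFILE" ]; then
        old=$(cat "$LOCKFILE" 2>/dev/null)
        case "$old" in
            ''|*[!0-9]*) old="" ;;                 # garbage in the file: ignore
        esac
        if [ -n "$old" ] && pid_is_ours "$old" "$1"; then
            return 1                               # genuinely running, leave it
        fi
        rm -f "$LOCKFILE"                          # stale lock from a dead run
    fi
    echo "$$" > "$LOCKFILE"
}

# Translate the wrapper's exit-code scheme from the thread: 0-2 are the
# wrapper's own codes; above that, tens = script number, units = its result.
exit_reason() {
    case "$1" in
        0) echo "no errors" ;;
        1) echo "no scriptname passed" ;;
        2) echo "invalid scriptname passed" ;;
        *) echo "script $(( $1 / 10 )) returned $(( $1 % 10 ))" ;;
    esac
}

# The one exit path: drop the lock, log the reason, exit with the code.
finish() {
    rm -f "$LOCKFILE"
    echo "$(date +%T) exit $1: $(exit_reason "$1")" >&2
    exit "$1"
}

# Demo run, only when invoked as: ./lockdemo.sh run
if [ "${1:-}" = "run" ]; then
    [ "$DONOTRUN" = "1" ] && finish 0
    if [ "$LOG2FILE" = "1" ]; then
        exec 1>>"$LOG_FILE" 2>>"$ERR_LOG_FILE"     # RimBlock's redirect
    fi
    acquire_lock "$(basename "$0")" || finish 41   # 4x: the w00t code range
    trap 'rm -f "$LOCKFILE"' EXIT                  # lock goes even on a signal
    echo "working..."; sleep 1
    finish 40                                      # 40: w00t, no errors
fi
```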

gregoryfenton
14-04-2010, 20:53
The below script is available at http://labby.co.uk/logfunctions

From your suggestions I have made all the scripts into one bash file which handles everything as they are all related.

usage:
logfunctions AAA BBB [CCC..ZZZ]

example: to ban an IP
logfunctions ban IP

to monitor log (run at system startup):
logfunctions w00t

to stop monitoring:
logfunctions w00t stop

to mail OVH with OVH based IPs looking for exploits (run as daily cron job):
logfunctions mailovh

to scan banned IPs to check if they are due to be unbanned (run as cron job - hourly? daily?):
logfunctions checkiptables


filename: logfunctions
Code:
#!/bin/bash
#
#This script is a wrapper for a number of other scripts contained inside it.
#
#Usage: $0 scriptname [parameters]
#Allowed scriptnames [parameters]:
# ban [ip] [text]
# checkiptables
# mailovh
# w00t [stop]

#error $? returned:
# 0 no errors
# 1 no scriptname passed
# 2 invalid scriptname passed
# 10 or higher:
#  first value denotes executed script, last number denotes return value
#  example: 17: script 1, return value 7
#  example: 32: script 3, return value 2
#  values higher than 99:
#  example: 154: script 15, return value 4
# 10: ban: no errors
# 11: ban: no IP passed
# 12: ban: whitelisted IP passed
# 13: ban: localhost|127.0.0.1 passed
# 14: ban: new IP found to ban
# 15: ban: new OVH IP found to report and ban
# 16: ban: new OVH IP found but no log line - not reporting to OVH
# 17: ban: IP is already banned
# 20: checkiptables: no errors
# 21: checkiptables: unable to delete the temporary banlist file
# 22: checkiptables: IPs are still being banned
# 23: checkiptables: no IPs are being banned
# 30: mailovh: no mail to send to OVH
# 31: mailovh: OVH log file exists but has no lines
# 32: mailovh: OVH log file exists and mail sent to OVH
# 40: w00t: no errors
# 41: w00t: shutdown running process
#100+: exited out of case without exiting the script - unhandled exit, remove 100 to get the actual code

#systemwide variables:
BANLENGTH="1 week"
BANEND=`date +%s --date="$BANLENGTH"`
BANENDTEXT=`date --date="$BANLENGTH"`
D=`date`
DS=`date +%s`
DT=`date +%T`
OVHALL="/var/log/ovh_all.log"
OVHLOG="/var/log/ovh.log"
WWWBANNEDIPS="/var/www/bannedips.txt"
CURRENTBANNEDIPS="/etc/banlist"
MONITOR="/var/log/apache2/access.log" #inside the "" add any files you wish to monitor eg /var/log/syslog
WATCHLIST='//skin/ggambo6200_board/error.php?\| GET //pma/\| GET /pma/\| \"GET /w00t.* HTTP/1.1\" 400 [0-9]* \".*\" \".*\"' #can use regex here
WOOTLOCK="/var/lock/w00t.lock"
SERVERIP="ksXXXXX.kimsufi.com (91.121.I.P)"
OUTFILE="/tmp/ovhmail.txt"
OVHMAIL="abuse@ovh.net"
CCMAIL="ovhabuse@yourdomain.co.uk"
FROMMAIL="exploits@yourdomain.co.uk (labby.co.uk monitor)"
OUTSUBJECT="List of OVH based IPs that have attempted to exploit my server $SERVERIP"
WHITELIST="your.home.ip"

#program paths
GREP="/bin/grep"
CAT="/bin/cat"
WHOIS="/usr/bin/whois"
ECHO="/bin/echo"
IPTABLES="/sbin/iptables"
WC="/usr/bin/wc"
AWK="/usr/bin/awk"
CUT="/usr/bin/cut"
CP="/bin/cp"
RM="/bin/rm"
MV="/bin/mv"
TAIL="/usr/bin/tail"
PS="/bin/ps"
SENDMAIL="/usr/sbin/sendmail"
KILL="/bin/kill"


#Main script start
if [ "$#" -lt 1 ]; then
	#no scriptname passed
	$ECHO "$0 scriptname [parameters]"
	RETVAL=1
	exit $RETVAL
fi

case "$1" in
	'ban')
		RETVAL=10
		if [ "$2" == "" ]; then
			$ECHO $0 $1 IP
			$ECHO eg: $0 $1 11.22.33.44
			let RETVAL+=1
			exit $RETVAL
		fi
		IP=$2

		if [ "`$ECHO $WHITELIST | $GREP -F -w -- "$IP" | $WC -l`" -ne 0 ]; then #-F -w: whole fixed-string match, not a regex substring
			let RETVAL+=2
			exit $RETVAL
		fi
		if [[ "$IP" == "127.0.0.1" || "$IP" == "localhost" ]]; then
			let RETVAL+=3
			exit $RETVAL
		fi

		if [ "`$GREP -F -w -- "$IP" $CURRENTBANNEDIPS 2>/dev/null | $WC -l`" == "0" ]; then
			$ECHO -ne "\n$DT:IP \"$IP\" not found, banning IP \"$IP\" for $BANLENGTH\n"
			$ECHO "$BANEND $IP" >> $CURRENTBANNEDIPS
			$IPTABLES -A INPUT -s "$IP" -j DROP
			$ECHO $BANENDTEXT $IP >> $WWWBANNEDIPS
			let RETVAL+=4
			if [ `$GREP -F -w -- "$IP" $OVHALL 2>/dev/null | $WC -l` -eq 0 ]; then
				if [ `$WHOIS "$IP" | $GREP "^netname:[ ]*OVH$" | $WC -l` -ne 0 ]; then
					if [ -n "$3" ]; then
						$ECHO "OVH IP address, reporting abuse"
						$ECHO -e "vulnerability scan from IP $IP, log entry:\n  $3" >> $OVHLOG
						$ECHO -e "vulnerability scan from IP $IP, log entry:\n  $3" >> $OVHALL
						let RETVAL+=1
					else
						$ECHO "OVH IP address $IP passed but no log line passed on the command line, not reporting to OVH"
						let RETVAL+=2
					fi
				fi
			fi
		else
			let RETVAL+=7
			$ECHO -ne "."
		fi
		exit $RETVAL
	;;
	'checkiptables')
		RETVAL=20
		BANTMP="$CURRENTBANNEDIPS.tmp" #temporary copy of the banlist (OUTFILE above is the mailovh file)
		if [ -e "$BANTMP" ]; then
			$RM -f "$BANTMP"
			if [ -e "$BANTMP" ]; then
				let RETVAL+=1
				exit $RETVAL
			fi
		fi

		if [ -f "$CURRENTBANNEDIPS" ]; then
			$CAT "$CURRENTBANNEDIPS" | while read line; do
				DA=`$ECHO $line | $AWK '{ print $1 }'`
				IP=`$ECHO $line | $CUT -f2- -d' '`
				$ECHO "Checking $IP"
				$IPTABLES -D INPUT -s "$IP" -j DROP
				$ECHO "$DS:$DA" #now:expiry, both in seconds since the epoch
				if [ "$DS" -ge "$DA" ]; then
					# ban has expired, leave the rule deleted
					$ECHO "IP $IP released from iptables drop"
				else
					# still banned, keep the entry and re-add the rule
					$ECHO "$line" >> "$BANTMP"
					$ECHO "IP $IP remains banned from this server"
					$IPTABLES -A INPUT -s "$IP" -j DROP
				fi
			done
			if [ -e "$BANTMP" ]; then
				$MV -f "$BANTMP" "$CURRENTBANNEDIPS"
				let RETVAL+=2
			else
				$RM "$CURRENTBANNEDIPS"
				let RETVAL+=3
			fi
		fi

		exit $RETVAL
	;;
	'mailovh')
		RETVAL=30
		if [ -f $OVHLOG ]; then
			let RETVAL+=1
			WCT=`$WC -l < "$OVHLOG" 2> /dev/null`
			if [ "$WCT" -gt 0 ]; then
				$ECHO "to: $OVHMAIL
cc: $CCMAIL
subject: $OUTSUBJECT
from: $FROMMAIL
date: $D

Sirs
The following is an extract of my system log showing recent exploit attempts on my server from IPs that have \"^NETWORK:[ ]*OVH\$\" in the IP whois.
Please note that each IP should appear only once across all emails sent to you so this will be your only notification of the IP information.
Should you require any assistance at all please do not hesitate to reply to this email as the account is monitored.
Thank you for reviewing this log and acting as required.

Administrator,
$SERVERIP

" > $OUTFILE
				$CAT -n $OVHLOG>>$OUTFILE
				$ECHO "">>$OUTFILE
				$SENDMAIL -t < $OUTFILE
				# the following line adds a marker to to main OVH log file
				$ECHO "===== Above mailed to $OVHMAIL on $D =====" >> $OVHALL
				let RETVAL+=1
			fi
			## the following line deletes the log file so you are not spamming OVH
			$RM -f $OVHLOG $OUTFILE
		else
			$ECHO "No OVH based attacks are logged, no need to mail OVH"
		fi
		exit $RETVAL
	;;
	'w00t')
		RETVAL=40
		if [ -e "$WOOTLOCK" ]; then
			#w00t may already be running, terminate process
			ls "$WOOTLOCK"
			line=`$CAT "$WOOTLOCK"`
			
			if [ "$line" != "" ]; then
				$KILL -9 "$line" > /dev/null 2>&1
				$RM $WOOTLOCK
			fi
		fi
		if [ "$2" == "stop" ]; then
			let RETVAL+=1
			exit $RETVAL
		fi
		PID=0
		$TAIL -n +1 -f $MONITOR | $GREP --line-buffered "$WATCHLIST" | while read line; do #$MONITOR unquoted so several files can be listed in it
			IP=$( $ECHO $line | $AWK '{ print $1 }' )
			$0 ban "$IP" "$line"
			if [ "$PID" == "0" ]; then
				PID=`$PS au | $GREP "$TAIL -n +1 -f $MONITOR" | $GREP -v "$GREP" | $AWK '{ print $2 }'` #drop the grep itself from the match
				$ECHO $PID | $AWK '{ print $1 }' > "$WOOTLOCK"
			fi
		done
		exit $RETVAL
	;;
	*)
		#no scriptname passed
		$ECHO "$0 scriptname [parameters]"
		RETVAL=2
		exit $RETVAL
	;;
esac

# In theory we should never get this far
let RETVAL+=100
exit $RETVAL
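As an added example (not part of the wrapper above), the banlist bookkeeping that the ban and checkiptables branches perform, pulled into side-effect-free functions that can be run against a constructed banlist without touching iptables. The function names are this example's own, and the dotted-quad check is an addition the wrapper does not have.

```bash
#!/bin/bash
# Added example, not from the thread: the banlist bookkeeping behind the
# wrapper's ban and checkiptables branches, written as side-effect-free
# functions so it can be exercised on a constructed file without touching
# iptables. ip_is_listed, valid_ipv4, ban_entry and prune_banlist are this
# example's own names; the input check is an addition the wrapper lacks.

# Exact match of IP $1 against a whitespace/newline separated list on stdin.
# A bare grep "$IP" treats the dots as "any character" and also matches
# 10.0.0.1 inside 10.0.0.10; -F -w (fixed string, whole word) avoids both.
ip_is_listed() {
    grep -F -w -q -- "$1"
}

# Reject anything that is not a dotted quad before it reaches iptables,
# the banlist or a log file (ban gets its IP from a log line, not a person).
valid_ipv4() {
    local o IFS=.
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $1
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

# The "<expiry epoch> <ip>" line ban appends to the banlist.
# $1 = ip, $2 = now (epoch seconds), $3 = ban length in seconds (1 week = 604800)
ban_entry() {
    echo "$(( $2 + $3 )) $1"
}

# Read a banlist on stdin. $1 = now (epoch seconds); $2 = "keep" prints the
# entries still in force (the new banlist), "release" prints the IPs whose ban
# has expired (the rules checkiptables would delete). Malformed lines are skipped.
prune_banlist() {
    local expiry ip
    while read -r expiry ip; do
        case "$expiry" in ''|*[!0-9]*) continue ;; esac
        if [ "$1" -ge "$expiry" ]; then
            if [ "$2" = "release" ]; then echo "$ip"; fi
        else
            if [ "$2" = "keep" ]; then echo "$expiry $ip"; fi
        fi
    done
    return 0
}

# Stand-alone run: ./banlist-demo.sh <now-epoch> < /etc/banlist
if [ -n "${1:-}" ]; then
    prune_banlist "$1" keep
fi
```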

RimBlock
14-04-2010, 16:18
Glad to be able to help.

I can see why you would prefer not to block and report from the firewall as it can be a nightmare to get the rules right especially if you are automating it.

What you may also like to think about is setting up a 'core' config file which you can source at the beginning of all of the scripts.

This then gives you a single point where you would need to change things like DATAFILE, OUTFILE, IPTABLES_PATH, APACHE_LOG and the whole host from the mailovh script. A single point of change propagates down to all the scripts. Makes maintenance simpler. You could also set 'flags' for which log files you wish to do checks on and so turn multiple log checking on or off with the flick of a flag variable.

Regards
RB

gregoryfenton
14-04-2010, 12:03
I have thought about this, I may do
Code:
tail -f -n -1 logfile1 logfile2 logfile3 | while read line; do
and do grep inside the loop which will allow me to scan for multiple vulnerabilities simultaneously.

I have been watching syslog over the past couple of days, this file shows quite a lot of very unusual activity too such as failed root ssh logins.

The old adage of "two heads are better than one" is definitely proving to be a valid one.

RimBlock
14-04-2010, 04:18
Great,

That should help to slow down the build up of firewall rules.

One other thing I noticed is that you have a few informative 'echo' statements that are good if the scripts are run ad hoc but when automated, will be going nowhere as there is no log file set. Of course setting a log file would also mean needing to housekeep the same log(s) unless the user has a system wide housekeeping 'process' in place for log files.

Looking good although it is still pretty targeted (single exploit check against a single process, the web server). Any thoughts of expanding it to cover more or is this just filling in a hole not covered by other tools on your system(s)?

Cheers
RB

gregoryfenton
12-04-2010, 14:48
I am rewriting the scripts.

You will need to remove or # out the lines in /etc/rc.local that start "iptables " to prevent any potential issues from arising.

Changes are:

a new script "checkiptables" has been written that should be run (daily|hourly) as a cron job which removes stale IP addresses more than 7 days old, thus allowing access from old banned IPs and ensuring the iptables records are kept current

/etc/rc.local will not contain IPs, they will be stored in a datafile /etc/banlist which is populated by "ban" and pruned by "checkiptables"

---------------------------------------------------

file checkiptables
Code:
#!/bin/bash
DATAFILE=/etc/banlist
OUTFILE=$DATAFILE.tmp
if [ -e $OUTFILE ]; then
  rm $OUTFILE
fi

if [ -f $DATAFILE ]; then
  D=`date +%s`
  cat $DATAFILE | while read line; do
    DA=`echo $line | awk '{ print $1 }'`
    l=`echo $line | cut -f2- -d' '`
    echo "Checking $l"
    /sbin/iptables -D INPUT -s "$l" -j DROP
    echo "$D:$DA"
    if [ $D -ge $DA ]; then
      # delete rule
      echo "IP $l released from iptables drop"
    else
      # ban ip
      echo $line>>$OUTFILE
      echo "IP $l remains banned from this server"
      /sbin/iptables -A INPUT -s "$l" -j DROP
    fi
  done
  if [ -e $OUTFILE ]; then
    rm $DATAFILE
    mv $OUTFILE $DATAFILE
  else
    rm $DATAFILE   # every ban has expired, nothing is left to keep
  fi
fi
updated file ban
Code:
#!/bin/bash
if [ "$1" == "" ]
   then
       echo $0 IP
       echo eg: $0 11.22.33.44
       exit
fi
if [ "$1" == "127.0.0.1" ]
   then
       exit
fi

if [ "`grep -F -w -- "$1" /etc/banlist 2>/dev/null | wc -l`" == "0" ]   # whole-IP match, not a substring
then
    echo -ne "\n`date +%T`:IP \"$1\" not found, banning IP \"$1\" for 1 week\n"
    D=`date +%s`
    DW=$(( $D+604800 ))
    echo "$DW $1" >> /etc/banlist
    /sbin/iptables -A INPUT -s $1 -j DROP
    echo $(date) $1 >> /var/www/bannedips.txt
    echo $(date) $1
    if [ `whois $1 | grep "^netname:[ ]*OVH$" | wc -l` -ne 0 ]
    then
        echo "OVH IP address, reporting abuse"
        echo -e "vulnerability scan from IP $1, log entry:\n  $2" >> /var/log/ovh.log
        echo -e "vulnerability scan from IP $1, log entry:\n  $2" >> /var/log/ovh_all.log
    fi
else
    echo -ne "."
    #echo -ne "$1 already exists, skipping\n"
fi

RimBlock
12-04-2010, 06:21
Quite a nice setup and it should be easy to modify to query OpenVZ containers to compile a list which the host can send of any attempts against a persons VPS's and the host.

A few points that may be worth mentioning for anyone not so well versed in shell scripting;

The scripts are checking in the Apache logs for instances of "w00t" on a call to the web server like;

213.251.134.23 [16/Nov/2008:07:43:58] "GET /w00tw00t.at.ISC.SANS.DFind HTTP/1.1" 400
This is commonly used in scanners looking for ways in to a system. The script is not checking at a UNIX level for anyone trying to get in.

The scripts are blocking individual IP addresses which will result in a potentially massive ruleset for IPTables.

The scripts are not unblocking any IP addresses so it is a 'one time caught and your IP is banned forever', even if that IP is assigned to another machine in the future or the original machine was compromised and has been fixed.

Whilst I am not in front of a Linux box at the moment and so cannot test it, another way may be to follow this guide and block at the firewall but log the IPs blocked using the ipt_recent module. Without being able to find an example of the module's output, it seems that it logs time, IP and attempt count.

The w00t script could be amended to keep a running log of the IPs added to the firewall file (as they are removed after a certain time).

The mailOvh script could then pick up the log file from the firewall and pass it to Ovh.

Another option would be to combine the above IPTables guide with getting IPTables to log before it drops the packet, rather than using the ipt_recent file, as described here. By using a specific prefix on the logged entries, the mail script should be able to pull them out and format them fairly easily. Check the article's comments as setting log-level to debug seems to work best, or just log to the standard system log file and parse it using your defined prefix in the w00t script.

Good scripts that do what you want and hopefully the suggestions / guides above could make them even better.

Cheers
RB
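As an added example of the prefix idea above (not code from the thread): given kernel log lines written by an iptables LOG rule with a chosen --log-prefix, pull out and count the SRC addresses so the mail script can format them. The prefix "W00T-DROP: ", the host name and the sample syslog lines are constructed for this example; the SRC=/DST= fields are the netfilter LOG target's own format.

```bash
#!/bin/bash
# Added example, not from the thread: pulling the source IPs out of kernel log
# lines written by an iptables LOG rule with a chosen --log-prefix, the way
# RimBlock suggests the mail script could. The prefix "W00T-DROP: ", the host
# name and the sample lines are constructed; the SRC=/DST= fields are the
# netfilter LOG target's own format. A rule producing such lines would sit
# before the DROP, e.g.: iptables -A INPUT -s <ip> -j LOG --log-prefix "W00T-DROP: "

# Constructed sample of /var/log/syslog (one sshd line included as noise).
SAMPLE_LOG='Apr 12 06:21:01 ks1 kernel: [1234.5] W00T-DROP: IN=eth0 OUT= MAC=00:11 SRC=203.0.113.5 DST=198.51.100.1 LEN=60 PROTO=TCP DPT=80
Apr 12 06:21:02 ks1 sshd[123]: Failed password for root from 203.0.113.9 port 4444 ssh2
Apr 12 06:21:03 ks1 kernel: [1234.6] W00T-DROP: IN=eth0 OUT= MAC=00:11 SRC=203.0.113.5 DST=198.51.100.1 LEN=60 PROTO=TCP DPT=80
Apr 12 06:21:04 ks1 kernel: [1234.7] W00T-DROP: IN=eth0 OUT= MAC=00:11 SRC=203.0.113.7 DST=198.51.100.1 LEN=60 PROTO=TCP DPT=443'

# Print "count ip" for every distinct SRC in the lines on stdin that carry
# prefix $1, most frequent first. Only prefixed lines count, so the sshd line
# (and any other kernel message) cannot be mistaken for a dropped packet.
dropped_sources() {
    grep -F -- "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# One report line per IP, the kind of text mailovh puts in its message body.
report_lines() {
    dropped_sources "$1" | while read -r n ip; do
        echo "$ip: $n dropped connection attempt(s)"
    done
}

# Stand-alone run against the constructed sample
printf '%s\n' "$SAMPLE_LOG" | report_lines 'W00T-DROP:'
```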

IainK
11-04-2010, 18:59
You the man

gregoryfenton
11-04-2010, 18:12
There are 3 scripts I use; it would be trivial to modify them to your own server's config.

I hope these help somebody

I run w00t at system startup
ban is automatically run by w00t or manually if the situation arises
I run mailovh in a cron job once a day



script 1
filename: w00t
Code:
#!/bin/bash
tail -n +1 -f /var/log/apache2/access.log | grep --line-buffered " \"GET /w00t.* HTTP/1.1\" 400 [0-9]* \".*\" \".*\"" | while read line; do
 ip=`echo $line | awk '{print $1}'`
 ban "$ip" "$line"
done
script 2
filename: ban
Code:
#!/bin/bash
if [ "$1" == "" ]
   then
       echo $0 IP
       echo eg: $0 11.22.33.44
       exit
fi

if [ "$1" == "127.0.0.1" ]
   then
       exit
fi

if [ "`grep -F -w -- "$1" /etc/rc.local | wc -l`" == "0" ]   # whole-IP match, not a substring
then
echo -ne "\n`date +%T`:IP \"$1\" not found, permanently banning IP \"$1\"\n"
echo "iptables -A INPUT -s $1 -j DROP" >> /etc/rc.local
/sbin/iptables -A INPUT -s $1 -j DROP
echo $(date) $1 >> /var/www/bannedips.txt
echo $(date) $1
if [ `whois $1 | grep "^netname:[ ]*OVH$" | wc -l` -ne 0 ]
    then
        echo "OVH IP address, reporting abuse"
        echo -e "vulnerability scan from IP $1, log entry:\n  $2" >> /var/log/ovh.log
        echo -e "vulnerability scan from IP $1, log entry:\n  $2" >> /var/log/ovh_all.log
fi
else
echo -ne "."
#echo -ne "$1 already exists, skipping\n"
fi
script 3:
filename: mailovh
Code:
#!/bin/bash
#
# read log file, mail the contents, delete log file
#
INFILE="/var/log/ovh.log"
TOMAIL="abuse@ovh.net"
CCMAIL="ovhabuse@labby.co.uk"
FROMMAIL="exploits@labby.co.uk (labby.co.uk monitor)"
OUTFILE="/tmp/ovhmail.txt"
SERVERIP="91.121.5.142"
OUTSUBJECT="List of OVH based IPs that have attempted to exploit my server $SERVERIP"

if [ -e $INFILE ]
  then
    echo "to: $TOMAIL
cc: $CCMAIL
subject: $OUTSUBJECT
from: $FROMMAIL
date: $(date)

Sirs
The following is an extract of my apache server log showing recent exploit attempts on my server from IPs that have \"^NETWORK:[ ]*OVH\$\" in the IP whois.
Please note that each IP should appear only once across all emails sent to you so this will be your only notification of the IP information.
Should you require any assistance at all please do not hesitate to reply to this email as the account is monitored.
Thank you for reviewing this log and acting as required.
Administrator, $SERVERIP
">$OUTFILE
    cat $INFILE>>$OUTFILE
    echo "">>$OUTFILE
    cat $OUTFILE
    sendmail -t < $OUTFILE
    ## the following line deletes the log file so you are not spamming OVH
    rm $INFILE $OUTFILE
  else
    echo "log file does not exist, no need to mail OVH"
fi

gregoryfenton
11-04-2010, 17:19
I just reinstalled my server so am revisiting this thread.

I have rewritten the script, now it will whois the IP and grep for "network:[ ]*OVH$".

On a match it puts the IP and log line into a file and once a day (if in the past day an OVH-based attack has occurred) it will mail the file contents to OVH abuse.

I will up the scripts when I have tidied them up.

Thanks 91.121.141.107 for reminding me of this thread.

fozl
14-01-2010, 17:49
Quote Originally Posted by IainK
Haha good stuff. I just automate everything that I would normally do, sit back, and wait for the server to break until then she doesn't need me
fixed for ya

IainK
14-01-2010, 17:18
Haha good stuff. I just automate everything that I would normally do, sit back, and wait for the server to break until then he doesn't need me

gregoryfenton
14-01-2010, 15:27
Thanks, I am already quite adept at bash so mail isn't a problem.

My server already sends me mails to remind me of tasks I always forget such as taking the bin out for collection \o/

IainK
14-01-2010, 15:11
I'm assuming you want to write this script in something simple, such as bash script, rather than C. If you want to send e-mail with bash then this may be of help to you:
http://theos.in/shell-scripting/send-mail-bash-script

It's actually pretty easy The hardest part will be parsing those log files but if you are already parsing them using system commands rather than just using a text editor then you have your code

gregoryfenton
14-01-2010, 14:10
The (as yet nonexistent) script would not report the same IP multiple times - rather it would have a list of reported IPs and scan that log, only sending if the IP does not previously exist.

As for a digest again this would not pose a problem - I could do it as a daily cron job.

When I write the code (a triviality) I will add it to this thread.

fozl
13-01-2010, 14:45
No need to become a force-multiplier for DDoS and SPAM, right?

Neil
13-01-2010, 13:58
Quote Originally Posted by gregoryfenton
Hi

If I run a cron job that scans for hack attempts and exploits is it acceptable to automatically parse for OVH/kimsufi servers and fire off emails reporting the offending IP and the log entry (without human intervention)?

I have had a number of ovh/kimsufi based attacks and usually report them manually but doing it automatically means the reports are nearly realtime rather than 2 weeks later when I happen to be checking my logs.
Hi

It depends on the number of emails we are talking about... If it is going to keep sending the same IP then this could be a problem, if it could only send the IP Once (with logs) or maybe a daily email summarising the attacks that would be best.

gregoryfenton
13-01-2010, 13:43
Hi

If I run a cron job that scans for hack attempts and exploits is it acceptable to automatically parse for OVH/kimsufi servers and fire off emails reporting the offending IP and the log entry (without human intervention)?

I have had a number of ovh/kimsufi based attacks and usually report them manually but doing it automatically means the reports are nearly realtime rather than 2 weeks later when I happen to be checking my logs.