Question: Blacklist IP through phpAPI and terminate active connections

Having a self-defending (passive) web site, I noticed that executing a script to actually close the firewall takes too long if the attack on the website is carried out through parallel requests.
Even though one can limit the web server and the firewall to allow only a certain number of connections in, that is not enough, as firewalls tend to let already opened sessions pass. This part requires the firewall to actively terminate the open connections from the offending IP address.
This is exactly what the attached script does. It uses the RouterOS phpAPI to connect to the firewall, lock the remote IP out directly (during the request) and at the same time terminate all open connections that may be coming from that IP.
This script is just an example of how to do it. Everyone can adapt it to their own needs.

Note: The attached script is just a prototype. On my site it has been integrated into a function and is called on demand.

Results are as follows [IP does not exist in blacklist yet]:

 > Entered IP 10.10.10.246 into blacklist 
   - Removed active connection *8D41 [10.10.10.246:62000 -> 172.168.0.2:80] 
   - Removed active connection *8D4D [10.10.10.246:62001 -> 172.168.0.2:80] 
   - Removed active connection *8D55 [10.10.10.246:3000 -> 172.168.0.2:53] 
   - Removed active connection *8D59 [10.10.10.246:61997 -> 172.168.0.2:80] 
   - Removed active connection *8D5B [10.10.10.246:61999 -> 172.168.0.2:80] 
   - Removed active connection *8D62 [10.10.10.246:61996 -> 172.168.0.2:80] 
   - Removed active connection *8D75 [10.10.10.246:61998 -> 172.168.0.2:80] 


Results are as follows [IP does already exist in blacklist]:

 !!! failure: already have such entry in firewall [IP 10.10.10.246]
   - Removed active connection *8C7A [10.10.10.246:61921 -> 172.168.0.2:80] 
   - Removed active connection *8C7B [10.10.10.246:61920 -> 172.168.0.2:80] 
   - Removed active connection *8C7C [10.10.10.246:61919 -> 172.168.0.2:80] 
   - Removed active connection *8C7D [10.10.10.246:61918 -> 172.168.0.2:80] 
   - Removed active connection *8C7E [10.10.10.246:61923 -> 172.168.0.2:80] 
   - Removed active connection *8C7F [10.10.10.246:61922 -> 172.168.0.2:80]
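As an added example (not the attached blacklist_terminate.php and not code from this page), the same two-step procedure written against the RouterosAPI class from routeros_api.class.php: add the address to the blacklist address list, then remove every tracked connection whose source is that address. The firewall host, the API account, the list name "blacklist" and the existence of a filter rule that already drops traffic from that list are assumptions; a dedicated API-only account with write policy is used rather than the admin account.

```php
<?php
// Added example, not the attached blacklist_terminate.php.
// Assumes the RouterosAPI class (routeros_api.class.php) and a RouterOS
// filter rule that drops traffic from the "blacklist" address list.
require_once 'routeros_api.class.php';

const FW_HOST   = '192.0.2.1';   // placeholder: firewall management address
const FW_USER   = 'api-user';    // placeholder: dedicated API-only account
const FW_PASS   = 'CHANGE_ME';   // placeholder: keep it outside the web root
const BLACKLIST = 'blacklist';   // assumed name of the address list

/**
 * Add $ip to the address list and drop every tracked connection it owns.
 * Returns status lines in the same shape as the output shown above.
 */
function blacklist_and_terminate(string $ip, string $reason = 'auto-blacklist'): array
{
    $out = [];

    // Refuse anything that is not a plain IPv4 address before it reaches the router.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return ["!!! invalid IPv4 address [$ip]"];
    }

    $api = new RouterosAPI();
    $api->debug = false;
    if (!$api->connect(FW_HOST, FW_USER, FW_PASS)) {
        return ['!!! could not connect to firewall API'];
    }

    // Step 1: lock the IP out. The timeout lets the entry expire by itself,
    // so a mistaken block does not stay forever.
    $res = $api->comm('/ip/firewall/address-list/add', [
        'list'    => BLACKLIST,
        'address' => $ip,
        'comment' => $reason . ' ' . date('c'),
        'timeout' => '1d',
    ]);
    if (is_array($res) && isset($res['!trap'])) {
        // RouterOS answers with a trap when the address is already listed
        // ("failure: already have such entry"); we still continue with step 2.
        $msg   = $res['!trap'][0]['message'] ?? 'unknown error';
        $out[] = "!!! $msg in firewall [IP $ip]";
    } else {
        $out[] = "> Entered IP $ip into blacklist";
    }

    // Step 2: kill the sessions the firewall has already let through.
    // Connection entries carry "addr:port", so match on the IP prefix
    // client-side instead of relying on an exact API query.
    $conns = $api->comm('/ip/firewall/connection/print');
    foreach (is_array($conns) ? $conns : [] as $c) {
        if (!isset($c['.id'], $c['src-address']) ||
            strpos($c['src-address'], $ip . ':') !== 0) {
            continue;
        }
        $api->comm('/ip/firewall/connection/remove', ['.id' => $c['.id']]);
        $out[] = sprintf('  - Removed active connection %s [%s -> %s]',
                         $c['.id'], $c['src-address'], $c['dst-address'] ?? '?');
    }

    $api->disconnect();
    return $out;
}

// Usage inside the request handler that detected the flood: log each line,
// then abort the current request.
foreach (blacklist_and_terminate($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', 'parallel-request flood') as $line) {
    error_log($line);
}
http_response_code(403);
exit;
```

Two points worth checking on a real deployment: the API credentials give the web server write access to the firewall, so the account should be restricted to the api and write policies and the API port reached only over the management network (api-ssl where available); and the address-list add must be paired with an existing drop rule, otherwise the entry is recorded but nothing is blocked.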

 

Entered by admin on Friday, 22 April 2016 @ 15:47:34
Category: Linux on Routerboards - Routerboard RBxxxAH

Attachment: blacklist_terminate.php [ 3,487 bytes - application/octet-stream ]
This site is powered by phpPhobos v2.0b446
© J. Mertin smurphy(-AT-)solsys(-DOT-)org 