Infiltrated dot Net

Rather than waste my time explaining what Netrake nCites are: if you don't know what they are and what they do, you'd be wasting your time on this post. On the other hand, you could also take the information here for what it's worth and pick up a new trick or two for blocking VoIP-based attacks on *nix machines. For ITSPs running Netrake nCites who want to pull potential attackers out of their SBCs, the following has been helpful for me. After logging into your SBC (not the EMS) via ssh, change directory to /usr/local/netrake/mp/logs. The majority of the alerts you need to weed out are in AlarmManager.log, with alarm IDs 9416 and 9442.

cd /usr/local/netrake/mp/logs
mkdir -p /tmp/NetrakeAttacks
# Unique attacker addresses from alarms 9416/9442, with the /port suffix stripped,
# then one file per address holding that address's matching alarm lines.
grep "Unknown Customer" AlarmManager.log | awk '/9416|9442/{print $27}' | sort -u |\
awk -F / '{print $1}' | sort -u | while read -r these ; do
    grep -F -- "$these" AlarmManager.log |\
    awk '/9416|9442/{print $11,$21,$22,$23,$27}' > "/tmp/NetrakeAttacks/$these"
done


Each per-address file under /tmp/NetrakeAttacks then holds that source's matching alerts in the following format:

nCite_1 NetrakeAttacks # more 115.85.44.202
2011-01-05 05:26:20:00.0 Sender Authentication Failure: 115.85.44.202/0


If you're running managed PBXs behind any of these SBCs, you could script something like this to send the data to a repository, have your managed PBXs download it and build their own rules. While nCites do have iptables on the box, I don't suggest loading hundreds, if not thousands, of IPs onto the SBC itself. Remember, the SBC already has to process all traffic coming in and going out, let alone sort through hundreds or thousands of firewall rules on top of that. Anyhow, a simple method of building a distributed firewall rulebase behind your ITSP would be to parse out the attackers, send their addresses to a trusted site, have that trusted site build a rulebase and push it back out, say via cron.

# Split field 27 ("IP/port") on "/" directly rather than splitting the whole line,
# so a "/" appearing earlier in the line cannot throw the field count off.
grep "Unknown Customer" AlarmManager.log |\
awk '/9416|9442/{split($27, a, "/"); print "iptables -A INPUT -s " a[1] " -j DROP"}' |\
sort -u > /path/to/be/downloaded/by/other/linuxservers/rules


That saves the iptables rules to /path/to/be/downloaded/by/other/linuxservers/rules; what you do with those rules is up to you.
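The two pipelines above (the per-attacker evidence files and the iptables rule list), pulled together as one added example script that is not from the original post. It goes one step beyond the post on the receiving end: a PBX that downloads an address list from the central host should validate each entry as a dotted-quad IPv4 address before turning it into a rule, rather than piping a fetched rule file straight into sh. Assumptions not confirmed by the post: alarm IDs 9416/9442 appear as whole numbers somewhere on the line, and the source is the last field of the line in "IP/port" form rather than a fixed field number such as $27. The log lines are constructed, modelled on the single line shown above.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the post's two
# pipelines (per-attacker evidence files, iptables DROP rules) and adds the
# validation a consumer of a downloaded address list should do.
# Assumptions (not confirmed by the post): alarm IDs 9416/9442 appear as a
# whole number somewhere on the line, and the source is the LAST field of the
# line in "IP/port" form rather than a fixed field such as $27.

# Matches alarm IDs 9416 or 9442 as whole numbers (so 19416 would not match).
ALARM_PATTERN='(^|[^0-9])(9416|9442)([^0-9]|$)'

# Constructed sample lines, modelled on the one line shown in the post.
SAMPLE_LOG='2011-01-05 05:26:20:00.0 ALARM 9416 Unknown Customer Sender Authentication Failure: 115.85.44.202/0
2011-01-05 05:27:01:00.0 ALARM 9442 Unknown Customer Sender Authentication Failure: 115.85.44.202/5060
2011-01-05 05:28:13:00.0 ALARM 9442 Unknown Customer Sender Authentication Failure: 203.0.113.7/5060
2011-01-05 05:29:00:00.0 ALARM 1234 Unknown Customer Some other alarm: 198.51.100.9/5060'

# Unique attacker IPs (port suffix stripped) from log text on stdin.
extract_attackers() {
    awk -v pat="$ALARM_PATTERN" '/Unknown Customer/ && $0 ~ pat {
        split($NF, a, "/"); print a[1] }' | sort -u
}

# One evidence file per source under <dir>, written in a single awk pass
# instead of re-grepping the whole log once per address.
split_by_attacker() {
    dir=$1
    mkdir -p "$dir"
    awk -v pat="$ALARM_PATTERN" -v dir="$dir" '/Unknown Customer/ && $0 ~ pat {
        split($NF, a, "/"); print > (dir "/" a[1]) }'
}

# Accept only a dotted quad with each octet in 0..255. Anything else is
# rejected, so a list fetched from the central host cannot smuggle arbitrary
# text into the generated rules.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

# Address list on stdin -> iptables DROP rules on stdout; bad entries to stderr.
build_rules() {
    while read -r ip; do
        if valid_ipv4 "$ip"; then
            echo "iptables -A INPUT -s $ip -j DROP"
        else
            echo "skipping invalid entry: $ip" >&2
        fi
    done
}

# Stand-alone use: ./netrake_rules.sh AlarmManager.log > rules
# With no argument, run the pipeline over the constructed sample instead.
if [ $# -gt 0 ]; then
    extract_attackers < "$1" | build_rules
else
    printf '%s\n' "$SAMPLE_LOG" | extract_attackers | build_rules
fi
```

On the SBC side you would run extract_attackers over AlarmManager.log and publish only the address list; on each PBX, build_rules turns the downloaded list into rules after valid_ipv4 has rejected anything that is not a plain IPv4 address, which keeps a tampered or corrupted list from becoming arbitrary commands.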


J. Oquendo / sil