Greetings, all! I have a mail server with swatch examining the log files looking for root.exe, /winnt/system32, etc. The idea is that anyone who is scanning for rootkits on my mail server gets blocked at the mail server and the firewall with an iptables command.

What I have is swatch executing a perl script whenever a match is found on a known bad-guy request. That perl script exec's the iptables, but only if the same IP has not been found in the log file. That way I don't have a bunch of netfilter table entries with the same IP number.

Here's the problem. Script kiddies hit the server so fast the perl script can't decide the IP number is unique, log the entry and update netfilter before 10 more copies of the script fire off. I wind up with 10-12 entries in less than a second. Anyone have a way of quickly determining that another copy of myself is running and I need to shut down? ps -ax | grep <program-name> is far too slow to react to an attack. Or, am I being stupid and missing the easy answer? I could be wrong, you know. I was wrong once before. ;-)

Thanx!
-Michael
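One way to close the race described above is to make every copy of the script take an exclusive flock(2) on the state file before it checks for the IP, so the check and the update run as one serialised step no matter how many copies swatch fires off. This is an added example, not Michael's script; the state-file path, the DRY_RUN switch and the exact iptables rule are assumptions.

```perl
#!/usr/bin/perl
# Added example: serialise concurrent swatch-triggered copies with flock(2)
# so only the first copy to see a given IP adds a firewall rule.
use strict;
use warnings;
use Fcntl qw(:flock :seek O_RDWR O_CREAT);

my $STATE_FILE = '/var/lib/swatch-block/blocked.txt';  # assumed path
my $DRY_RUN    = defined $ENV{DRY_RUN} ? $ENV{DRY_RUN} : 1;  # default: print only

# Block $ip exactly once. Returns 1 if a rule was added, 0 if already blocked.
sub block_once {
    my ($ip, $state_file) = @_;
    $state_file = $STATE_FILE unless defined $state_file;
    die "bad ip: $ip\n" unless $ip =~ /^(?:\d{1,3}\.){3}\d{1,3}$/;

    # The state file doubles as the lock. LOCK_EX blocks until any other
    # running copy has finished its own check-and-update and closed the file.
    sysopen(my $fh, $state_file, O_RDWR | O_CREAT, 0600)
        or die "$state_file: $!\n";
    flock($fh, LOCK_EX) or die "flock: $!\n";

    # Check under the lock: no other copy can interleave between this read
    # and the append below.
    while (my $line = <$fh>) {
        chomp $line;
        if ($line eq $ip) { close $fh; return 0; }
    }

    # Record the IP first, then add the rule. A crash in between leaves at
    # worst a missing rule, never a duplicate netfilter entry.
    seek($fh, 0, SEEK_END) or die "seek: $!\n";
    print {$fh} "$ip\n";

    my @cmd = ('iptables', '-I', 'INPUT', '-s', $ip, '-j', 'DROP');
    if ($DRY_RUN) {
        print "would run: @cmd\n";
    } else {
        system(@cmd) == 0 or warn "iptables failed for $ip: $?\n";
    }

    # close() flushes the append and releases the lock for the next copy.
    close $fh or die "close: $!\n";
    return 1;
}

# swatch invokes this as: block_once.pl <ip>  (192.0.2.0/24 is documentation space)
block_once($ARGV[0]) if @ARGV;
```

Run with DRY_RUN=0 once the state-file directory exists and the script runs with the privileges iptables needs; the second and later copies for the same IP return 0 without touching the firewall.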