Michael Weber wrote:
Greetings, all!
I have a mail server with swatch examining the log files looking for root.exe, /winnt/system32, etc. The idea is that anyone found scanning for root kits on my mail server gets blocked at the mail server and the firewall with an iptables command.
What I have is swatch executing a perl script whenever a match is found on a known bad-guy request. That perl script exec's the iptables, but only if the same IP has not been found in the log file. That way I don't have a bunch of netfilter table entries with the same IP number.
Here's the problem. Script kiddies hit the server so fast the perl script can't decide the IP number is unique, log the entry and update netfilter before 10 more copies of the script fire off. I wind up with 10-12 entries in less than a second.
Anyone have a way of quickly determining that another copy of myself is running and I need to shut down? ps -ax | grep <program-name> is far too slow to react to an attack.
Or, am I being stupid and missing the easy answer?
In general this would be handled with a lock file. When the first instance of your script starts it would check for the lock file; if it exists then just exit, if it doesn't then it opens a file (.lock for example), does its processing, and then removes the lock just before exiting. If another instance of the script starts while the lock file exists it will see it and close.
For example:
use strict;
use warnings;

my $lockfile = '.lock';

# another copy is already running: get out of the way
exit if (-e $lockfile);

# try to get the pid file....
open(LOCK, ">$lockfile") or die "unable to open lock file: $!";
print LOCK $$;
close(LOCK) or die "unable to close lock file: $!";

# do processing here.....

unlink $lockfile or die "unable to remove lock file: $!";
--UNTESTED--
You get the idea....
http://danconia.org
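An added example, not code from either poster: the -e test followed by a separate open still leaves a small window in which two copies launched by swatch in the same instant can both see no lock file, which is the same race the original question describes. Holding an exclusive flock(2) on the lock file closes that window and lets each copy wait its turn instead of exiting, so every address still gets checked against the list of already-blocked IPs exactly once. The file paths, the dry-run switch and the iptables rule below are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example: serialise the "have I seen this IP?" check with flock(2)
# so that concurrent copies of the script (one per swatch match) cannot
# all decide the address is new at the same time.
# Paths, the dry-run default and the iptables rule are assumed, not from
# the original post.
use strict;
use warnings;
use Fcntl qw(:flock O_RDWR O_CREAT);

my $lockfile = '/var/run/blocker.lock';   # assumed path
my $seenfile = '/var/run/blocked-ips';    # assumed path, one IP per line
my $dry_run  = 1;                         # set to 0 to really run iptables

my $ip = shift @ARGV or die "usage: $0 <ip>\n";
die "bad IP: $ip\n" unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;

# Open (creating if needed) and take an exclusive, blocking lock.
# Every other instance blocks on this line until we release the lock,
# so the read-check-append sequence below never interleaves.
sysopen(my $lock, $lockfile, O_RDWR | O_CREAT)
    or die "unable to open $lockfile: $!";
flock($lock, LOCK_EX) or die "unable to lock $lockfile: $!";

# Load the addresses that have already been handed to iptables.
my %blocked;
if (open(my $in, '<', $seenfile)) {
    while (my $line = <$in>) {
        chomp $line;
        $blocked{$line} = 1 if length $line;
    }
    close $in;
}

if ($blocked{$ip}) {
    print "$ip already blocked, nothing to do\n";
}
else {
    # Insert the rule first; only record the IP once iptables succeeded,
    # so a failed call is retried on the next match instead of being lost.
    my @cmd = ('iptables', '-I', 'INPUT', '-s', $ip, '-j', 'DROP');
    if ($dry_run) {
        print "would run: @cmd\n";
    }
    else {
        system(@cmd) == 0 or die "iptables failed: $?";
    }

    open(my $out, '>>', $seenfile) or die "unable to append $seenfile: $!";
    print $out "$ip\n";
    close $out or die "unable to close $seenfile: $!";
    print "blocked $ip\n";
}

# Closing the handle (or exiting) releases the lock for the next copy.
close $lock;
```

Because the lock is blocking rather than "exit if someone else is running", a burst of ten matches from ten different addresses still results in ten rules; with the exit-on-lock approach the copies launched during the first one's run would have dropped their addresses on the floor.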