Dominik said:
I'd like to do a little "somewhat-clever-server-abuse-detection" in
addition to the other firewall stuff.
To do that I need to monitor what connections exist and how much/how
fast they upload and download.
Is that possible in general? Using ruby?
I did a little work on this problem in perl once. There are several
aspects to manage, and perl and/or ruby can do some of the work.
Allow me to ramble... move along if this doesn't interest you.
First you have to detect whatever it is you want to detect. You can
watch logfiles (syslog, firewall, or snort) and parse the results. This
is something perl or ruby can handle, since it's basic regex stuff.
To watch how much traffic and how many connections, it depends on where
you are watching from. You can set up netflows on a cisco network,
parse snmp data from various devices, or to track individual
connections, use ip connection tracking on Linux.
Once a threshold for a given problem was reached, an entry can be made
in a database, and orders given in the database to firewall the
connection. On the firewall(s), a daemon (again, possibly in perl or
ruby) reads the database and executes the block.
A connection may be left hanging open, though, which can fill up all
available connections to a server. I found a solution somewhere, though
the implementation never got finished. Using Linux ip connection tracking,
you can spoof a TCP RST packet both ways to close the connection, which
frees up the connection on the server.
In addition to all this, I wanted to have a backoff algorithm that
gradually unblocked IPs, as they may get reassigned to legit people.
If an IP address immediately abuses again, it gets a longer timeout.
I had some perl code that did a lot of this, but it needed reworking,
and now I no longer have access to it. (I'm no longer employed there.)
Ruby could play a large role in such a system, indeed, though it would
also depend on a lot of other systems as well.
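The pieces described in the reply above (parse a logfile, count events per source within a window, record a block order for a firewall daemon to pick up, and unblock with a backoff that grows for repeat offenders) can be sketched in a few dozen lines of Ruby. The following is an added example written for this thread, not code from either poster; the syslog lines are constructed sample data in sshd's "Failed password" format, and the class and method names (`AbuseTracker`, `parse_failure`, `run`) are this example's own. The "database" is stood in for by an in-memory order list, and the firewall action itself is left to whatever daemon drains it.

```ruby
require 'time'

# Constructed sample syslog lines (not real traffic): five failures from one
# address within a few seconds, one failure and a success from another.
SAMPLE_LOG = <<~LOG
  Mar 10 12:00:01 gw sshd[4012]: Failed password for root from 203.0.113.5 port 4422 ssh2
  Mar 10 12:00:02 gw sshd[4013]: Failed password for admin from 203.0.113.5 port 4423 ssh2
  Mar 10 12:00:03 gw sshd[4014]: Failed password for root from 203.0.113.5 port 4424 ssh2
  Mar 10 12:00:04 gw sshd[4015]: Failed password for guest from 203.0.113.5 port 4425 ssh2
  Mar 10 12:00:05 gw sshd[4016]: Failed password for root from 203.0.113.5 port 4426 ssh2
  Mar 10 12:00:07 gw sshd[4017]: Failed password for bob from 198.51.100.9 port 5101 ssh2
  Mar 10 12:00:09 gw sshd[4018]: Accepted password for bob from 198.51.100.9 port 5101 ssh2
LOG

# The "basic regex stuff": timestamp and source address of a failed login.
LINE_RE = /\A(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for \S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+/

# Returns [Time, ip] for a failed-login line, nil for anything else.
# Syslog lines carry no year, so one is supplied (assumption for the sample).
def parse_failure(line, year: 2024)
  m = LINE_RE.match(line)
  return nil unless m
  [Time.strptime("#{year} #{m[1]}", '%Y %b %d %H:%M:%S'), m[2]]
end

class AbuseTracker
  Block = Struct.new(:ip, :expires_at, :strikes)

  attr_reader :orders # what a firewall daemon would read and execute

  # threshold events within window seconds trips a block of base_block seconds,
  # doubling per prior strike up to max_block; strikes are forgiven after a
  # quiet period of forgive_after seconds.
  def initialize(threshold: 5, window: 60, base_block: 300, max_block: 86_400, forgive_after: 86_400)
    @threshold, @window = threshold, window
    @base_block, @max_block, @forgive_after = base_block, max_block, forgive_after
    @events   = Hash.new { |h, k| h[k] = [] } # ip => recent event times
    @strikes  = Hash.new(0)                   # ip => number of blocks so far
    @last_end = {}                            # ip => when its last block ended
    @blocks   = {}                            # ip => active Block
    @orders   = []
  end

  # Feed one failed-login event; returns :blocked when this event trips the threshold.
  def record(ip, at)
    return :already_blocked if blocked?(ip, at)
    list = @events[ip]
    list << at
    list.reject! { |t| t < at - @window } # keep only the sliding window
    return :ok if list.size < @threshold
    block!(ip, at)
    :blocked
  end

  def blocked?(ip, now)
    b = @blocks[ip]
    !b.nil? && now < b.expires_at
  end

  def strikes(ip)
    @strikes[ip]
  end

  # The gradual unblock: lift blocks whose timeout has passed and queue the
  # unblock order. Strikes are kept, so immediate re-abuse gets a longer timeout.
  def expire(now)
    done = @blocks.select { |_, b| now >= b.expires_at }.keys
    done.each do |ip|
      @blocks.delete(ip)
      @events.delete(ip)
      @last_end[ip] = now
      @orders << [:unblock, ip]
    end
    done
  end

  private

  def block!(ip, at)
    # An address that stayed quiet long enough starts over at the base timeout.
    @strikes[ip] = 0 if @last_end[ip] && at - @last_end[ip] > @forgive_after
    @strikes[ip] += 1
    secs = [@base_block * 2**(@strikes[ip] - 1), @max_block].min
    @blocks[ip] = Block.new(ip, at + secs, @strikes[ip])
    @orders << [:block, ip, secs]
  end
end

# Replay a log through a tracker; returns [[ip, outcome], ...] per failed login.
def run(log = SAMPLE_LOG, tracker = AbuseTracker.new)
  results = []
  log.each_line do |line|
    at, ip = parse_failure(line)
    next unless at
    results << [ip, tracker.record(ip, at)]
  end
  results
end

if $PROGRAM_NAME == __FILE__
  t = AbuseTracker.new
  run(SAMPLE_LOG, t).each { |ip, outcome| puts "#{ip} #{outcome}" }
  p t.orders
end
```

A real deployment would replace the `orders` array with the database table the reply describes, have the detector process tail the log rather than replay a string, and have the firewall-side daemon poll for `:block`/`:unblock` rows and apply them; the windowing and backoff logic stay the same.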