Thread: How to block attackers automatically with /etc/hosts.deny (Different Services)

Hi all,

I have been reading quite a lot about security, best security practices and so on BUT, i have not found something, and was hoping a bunch of guys with experience can throw some advise regarding the matter.

Changing SSH Port to a non-standard port blocks 90% of attacks in my experience. Not too many guys are "targeting" you, so they don't bother checking the rest of the ports to see which port is listening for SSH or any other sensitive service.
A person with enough interest or determination WILL figure out what port is listening, and eventually launch an attack. Example: running nmap -p- -sV -O <target-IP>

So you have taken the necessary measures to protect ssh, but what about other services?
If you are - like me - running more than one service on a single server, then they can be attacked as well.

I have a Container where i run a mail rely server, ssh server (obviously) and an vsftp server.
Going trough the logs of vsftp today, i saw at least 500 login attempts from one SINGLE IP address. SO

I know it can be done, just don't know how to.

1- What needs to be setup to monitor the logs on the server, and make sure that after 3 failed login attempts, the attacking IP is "AUTOMATICALLY" added to /etc/hosts.deny
2- Make sure the service runs as daemon, not a cron job. If someone has it already running as a cron job, advise will be appreciated.
3- Block the attacking IP's forever.
4- Maybe a script used to grep logs out and filter only the IP's with certain amount of login attempts, then add this IP's to hosts.deny.
5- I assume the process is the same for every service, as the logs are pretty much the same. Maybe the only things that would change are the lines to grep out???

Any help will be much appreciated.

Regards,

i have tried with ssh service

HTML Code:

#!/bin/bash
# if 3 Failed password then add thos ip's in /etc/host.deny

FAIL_IP_LOG="/tmp/failiplog"
FAIL_IP_LIST="/tmp/failiplist"
CHECK () {
tail -n20 /var/log/secure | awk '$6 ~ /Failed/ {print $11}' | uniq -c > $FAIL_IP_LOG
awk '($1 > "3") {print $2}' $FAIL_IP_LOG > $FAIL_IP_LIST
}


CHECK

while read IP
do

grep "${IP}" /etc/hosts.deny  >/dev/null 2>&1
STATUS=$?
        if [ "$STATUS" -eq 0 ]; then
        echo "IP: ${IP} already added in hosts.deny"
        else
        echo "IP: ${IP} more than 3 Failed login attempt"
        echo "sshd: ${IP}" >> /etc/hosts.deny
        fi

done < $FAIL_IP_LIST

Rahul,

First of all, thank you for the time you have taken to help with this, not just me, but am sure there are a bunch of people looking for the same.

I have a question though: in the 7th line, you include <tail-n20 /var/log/secure>
Wont this read only 20 lines?

I am by no means a script pro, so if you can clarify this, it would be great.

Thanks again.

Ezequiel

Hi,

I have a question though: in the 7th line, you include <tail-n20 /var/log/secure>
Wont this read only 20 lines?

it will be check recent 20 latest lines in log file

Rahul,

Thanks again.
I assume, then i have to run this on a cron job every few hours or so?
If not, i can simply modify that and have it analyze the last 1000 lines and have it run once a day?

Again dude, thanks a lot for this. Helps a LOT

Ezequiel

Yes, you can do that, but i would suggest you to test this script in any test(VM) machine first

Rahul,

Am doing that right now, not sure why but is not getting there.
Maybe you wanna give it a try in the VM itself?

I can create one for you just for testing, let me know

Ezequiel

Hi,
i have tested this script in Centos 5.7
make sure syslog service is running on your system and check following entry in /etc/syslog.conf

HTML Code:

authpriv.*	/var/log/secure

Hey Man,

Thank you for the tip.
I am running a 5.7 Centos VM, and NO syslog is present.

I have updated the OS and included the EPEL repositories to the VM, still, no syslog was to be found.
Then i issued the command yum install syslogd and it told me i had RSYSLOG.

I then went to its config file and found the entry you were referring to:

# The authpriv file has restricted access.
authpriv.* -/var/log/secure

This is in the /etc/rsyslog.conf file.

Can the script work with this version of syslog?

Regards,

Ezequiel

Hi,

root@ubuntu:~# cat /etc/rsyslog.d/50-default.conf | grep auth
auth,authpriv.* /var/log/auth.log

rsyslog service store auth logs in /var/log/auth.log , you need to use this log file in script instead of /var/log/secure.log
then you can use same script after replacing path of log file.