
Thread: How to block attackers automatically with /etc/hosts.deny (Different Services)

  1. #1
    Junior Member
    Join Date: Mar 2012
    Location: Panama City, Panama


    Hi all,

    I have been reading quite a lot about security, best security practices and so on BUT I have not found something, and was hoping a bunch of guys with experience can throw some advice regarding the matter.

    Changing the SSH port to a non-standard port blocks 90% of attacks in my experience. Not too many guys are "targeting" you, so they don't bother checking the rest of the ports to see which port is listening for SSH or any other sensitive service.
    A person with enough interest or determination WILL figure out what port is listening, and eventually launch an attack. Example: running nmap -p- -sV -O <target-IP>

    So you have taken the necessary measures to protect ssh, but what about other services?
    If you are - like me - running more than one service on a single server, then they can be attacked as well.

    I have a container where I run a mail relay server, an ssh server (obviously) and a vsftp server.
    Going through the logs of vsftp today, I saw at least 500 login attempts from one SINGLE IP address. So:

    I know it can be done, just don't know how to.

    1- What needs to be set up to monitor the logs on the server, and make sure that after 3 failed login attempts the attacking IP is "AUTOMATICALLY" added to /etc/hosts.deny
    2- Make sure the service runs as a daemon, not a cron job. If someone has it already running as a cron job, advice will be appreciated.
    3- Block the attacking IPs forever.
    4- Maybe a script used to grep the logs and filter only the IPs with a certain number of login attempts, then add these IPs to hosts.deny.
    5- I assume the process is the same for every service, as the logs are pretty much the same. Maybe the only things that would change are the lines to grep out???

    Any help will be much appreciated.

    Regards,

  2. #2
    Senior Member Rahul.Patil
    Join Date: Feb 2012
    Location: Mumbai, India


    I have tried it with the ssh service


    Code:
    #!/bin/bash
    # if more than 3 Failed password lines then add those IPs to /etc/hosts.deny
    
    FAIL_IP_LOG=$(mktemp)     # fixed names like /tmp/failiplog are a symlink risk for a script run as root
    FAIL_IP_LIST=$(mktemp)
    CHECK () {
    tail -n20 /var/log/secure | awk '/sshd\[[0-9]*\]: Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' | sort | uniq -c > "$FAIL_IP_LOG"
    # the IP is the field after "from": it is $11 for "Failed password for root from 1.2.3.4 ..." but
    # $13 for "Failed password for invalid user bob from 1.2.3.4 ..."; sort is needed because uniq only counts adjacent lines
    awk '($1 > 3) {print $2}' "$FAIL_IP_LOG" > "$FAIL_IP_LIST"    # numeric compare: ($1 > "3") compared strings, so "10" > "3" was false
    }
    
    
    CHECK
    
    while read IP
    do
    
    # -x matches the whole line and -F takes the dots literally, so 1.2.3.4 does not match 1.2.3.45
    grep -qxF "sshd: ${IP}" /etc/hosts.deny
    STATUS=$?
            if [ "$STATUS" -eq 0 ]; then
            echo "IP: ${IP} already added in hosts.deny"
            else
            echo "IP: ${IP} more than 3 Failed login attempts"
            echo "sshd: ${IP}" >> /etc/hosts.deny
            fi
    
    done < "$FAIL_IP_LIST"
    rm -f "$FAIL_IP_LOG" "$FAIL_IP_LIST"
    
    Last edited by Rahul.Patil; 19th April 2012 at 06:58 PM. Reason: some required changes in script
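Added example (editor's own, not code from any post in this thread): the script in post #2 handles sshd only and looks at whatever the last 20 lines of one log happen to be, while post #1 asks for a daemon covering several services and post #5 wonders about cron and line counts. The block below follows the auth log with tail -F and counts failures per service and source IP in memory, writing a "service: ip" line to /etc/hosts.deny the moment an IP reaches the threshold; the same functions run over a fixed batch of lines (--once), and --demo runs them over a constructed sample against a scratch file. It assumes the sshd line "Failed password for [invalid user] <user> from <ip> ..." in /var/log/secure (CentOS/RHEL, under either syslog or rsyslog, as the authpriv line quoted in post #9 shows; Debian/Ubuntu write it to /var/log/auth.log) and the vsftpd line "FAIL LOGIN: Client "<ip>"" in /var/log/vsftpd.log. THRESHOLD, the HOSTS_DENY override, the function names and the sample log lines are all constructed for this example.

```bash
#!/bin/bash
# Added example (not from the thread): watch auth logs for failed logins from
# sshd and vsftpd and add "service: ip" lines to /etc/hosts.deny once an IP has
# failed THRESHOLD times.  Log line formats are assumptions (see lead-in).
set -u

THRESHOLD="${THRESHOLD:-3}"                  # failures before an IP is denied
HOSTS_DENY="${HOSTS_DENY:-/etc/hosts.deny}"  # overridable so it can be tested on a scratch file

# Constructed sample lines (not real traffic): three sshd failures and one vsftpd
# failure from 203.0.113.9, one sshd and three vsftpd failures from 198.51.100.7,
# plus one successful login that must be ignored.
SAMPLE_LOG='Apr 19 18:50:01 vm sshd[2201]: Failed password for root from 203.0.113.9 port 50122 ssh2
Apr 19 18:50:03 vm sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50123 ssh2
Apr 19 18:50:05 vm sshd[2201]: Failed password for root from 203.0.113.9 port 50124 ssh2
Apr 19 18:50:07 vm sshd[2210]: Failed password for root from 198.51.100.7 port 40001 ssh2
Apr 19 18:50:09 vm sshd[2215]: Accepted password for ezequiel from 192.0.2.10 port 40002 ssh2
Thu Apr 19 18:51:00 2012 [pid 2300] [anonymous] FAIL LOGIN: Client "203.0.113.9"
Thu Apr 19 18:51:01 2012 [pid 2301] [ftpuser] FAIL LOGIN: Client "198.51.100.7"
Thu Apr 19 18:51:02 2012 [pid 2302] [ftpuser] FAIL LOGIN: Client "198.51.100.7"
Thu Apr 19 18:51:03 2012 [pid 2303] [ftpuser] FAIL LOGIN: Client "198.51.100.7"'

# Where syslog/rsyslog puts authpriv: /var/log/secure on CentOS/RHEL,
# /var/log/auth.log on Debian/Ubuntu.
pick_auth_log() {
    if [ -f /var/log/secure ]; then echo /var/log/secure
    elif [ -f /var/log/auth.log ]; then echo /var/log/auth.log
    else return 1
    fi
}

# stdin: raw log lines -> stdout: one "service ip" pair per failed login.
# sshd: take the field after "from", which also works for "invalid user" lines
#       where the IP is not in a fixed column.
# vsftpd: the IP is the quoted Client value.
parse_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { print "sshd", $(i + 1); break }
            next
        }
        /FAIL LOGIN: Client "/ {
            if (match($0, /Client "[^"]+"/))
                print "vsftpd", substr($0, RSTART + 8, RLENGTH - 9)
        }'
}

# stdin: "service ip" pairs -> stdout: each pair exactly once, the moment its
# count reaches THRESHOLD.  Counts live in memory, so this works on a live
# stream from tail -F as well as on a batch, unlike sort | uniq -c.
offenders() {
    awk -v t="$THRESHOLD" '{ if (++seen[$1 " " $2] == t) { print $1, $2; fflush() } }'
}

# Append "service: ip" unless that exact line exists.  -x matches the whole
# line and -F takes the IP literally, so 1.2.3.4 does not match 1.2.3.45.
# Returns 0 when a line was added, 1 when it was already there.
deny_host() {
    local entry="$1: $2"
    if grep -qxF "$entry" "$HOSTS_DENY" 2>/dev/null; then
        return 1
    fi
    echo "$entry" >> "$HOSTS_DENY"
}

# stdin: raw log lines -> hosts.deny updates, one report line per new entry.
process() {
    parse_failures | offenders | while read -r svc ip; do
        if deny_host "$svc" "$ip"; then echo "denied $svc from $ip"; fi
    done
}

case "${1:-}" in
    --follow)   # daemon mode: start at the end of the logs and react as lines arrive
        log=$(pick_auth_log) || { echo "no auth log found" >&2; exit 1; }
        tail -n 0 -F "$log" /var/log/vsftpd.log | process ;;
    --once)     # batch mode over the whole current logs, e.g. from cron
        log=$(pick_auth_log) || { echo "no auth log found" >&2; exit 1; }
        cat "$log" /var/log/vsftpd.log 2>/dev/null | process ;;
    --demo)     # dry run over the constructed sample against a scratch file
        HOSTS_DENY=$(mktemp)
        printf '%s\n' "$SAMPLE_LOG" | process
        cat "$HOSTS_DENY"; rm -f "$HOSTS_DENY" ;;
esac
```

Run it as root: `./denyfail.sh --follow` (under nohup, or as an init script) is the daemon asked for in post #1, `--once` replaces the cron-plus-tail approach of post #5 by reading the whole current log, and `--demo` prints the two entries the sample produces (sshd: 203.0.113.9 and vsftpd: 198.51.100.7) without touching the real file. Two caveats before running it on a live box: tcp_wrappers only affects daemons that consult hosts.deny (sshd does; vsftpd only with tcp_wrappers=YES in vsftpd.conf), so a mail relay that is not wrapped needs an iptables rule instead; and three typos from your own workstation will lock you out, so put your admin address in /etc/hosts.allow first.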

  3. #3
    Junior Member
    Join Date: Mar 2012
    Location: Panama City, Panama


    Rahul,

    First of all, thank you for the time you have taken to help with this, not just me, but am sure there are a bunch of people looking for the same.

    I have a question though: in the 7th line, you include <tail -n20 /var/log/secure>
    Won't this read only 20 lines?

    I am by no means a script pro, so if you can clarify this, it would be great.

    Thanks again.

    Ezequiel

  4. #4
    Senior Member Rahul.Patil
    Join Date: Feb 2012
    Location: Mumbai, India


    Hi,
    Quote: "I have a question though: in the 7th line, you include <tail -n20 /var/log/secure>. Won't this read only 20 lines?"
    It will check the 20 most recent lines of the log file.

  5. #5
    Junior Member
    Join Date: Mar 2012
    Location: Panama City, Panama


    Rahul,

    Thanks again.
    I assume, then, that I have to run this as a cron job every few hours or so?
    If not, I can simply modify that and have it analyze the last 1000 lines and have it run once a day?

    Again dude, thanks a lot for this. Helps a LOT

    Ezequiel

  6. #6
    Senior Member Rahul.Patil
    Join Date: Feb 2012
    Location: Mumbai, India


    Yes, you can do that, but I would suggest you test this script on a test (VM) machine first.

  7. #7
    Junior Member
    Join Date: Mar 2012
    Location: Panama City, Panama


    Rahul,

    I am doing that right now; not sure why, but it is not getting there.
    Maybe you want to give it a try in the VM itself?

    I can create one for you just for testing, let me know

    Ezequiel

  8. #8
    Senior Member Rahul.Patil
    Join Date: Feb 2012
    Location: Mumbai, India


    Hi,
    I have tested this script on CentOS 5.7.
    Make sure the syslog service is running on your system and check for the following entry in /etc/syslog.conf:
    Code:
    authpriv.*	/var/log/secure

  9. #9
    Junior Member
    Join Date: Mar 2012
    Location: Panama City, Panama


    Hey Man,

    Thank you for the tip.
    I am running a CentOS 5.7 VM, and NO syslog is present.

    I have updated the OS and added the EPEL repositories to the VM; still, no syslog was to be found.
    Then I issued the command yum install syslogd and it told me I had RSYSLOG.

    I then went to its config file and found the entry you were referring to:

    # The authpriv file has restricted access.
    authpriv.* -/var/log/secure

    This is in the /etc/rsyslog.conf file.

    Can the script work with this version of syslog?

    Regards,

    Ezequiel

  10. #10
    Senior Member Rahul.Patil
    Join Date: Feb 2012
    Location: Mumbai, India


    Hi,
    Code:
    root@ubuntu:~# cat /etc/rsyslog.d/50-default.conf | grep auth
    auth,authpriv.* /var/log/auth.log
    The rsyslog service stores auth logs in /var/log/auth.log, so you need to use this log file in the script instead of /var/log/secure.log;
    then you can use the same script after replacing the path of the log file.
