Break-In Attempt
bswinnerton
3rd February 2008, 18:12
I have multiple failed break-ins (like 200 in 5 minutes) from the IP address 216.55.165.26
Is there any way to blacklist that IP address from logging into my server (FTP, SSH, etc.), and are there any major blacklisting sites I can add the IP address to?
Thanks
pine1455
3rd February 2008, 18:37
try :
iptables -I INPUT -s 216.55.165.26 -j DROP
iptables-save > /etc/sysconfig/iptables
daveb
3rd February 2008, 19:38
you could try fail2ban and or denyhosts.
bswinnerton
4th February 2008, 00:12
Alright, I noticed that it's a static IP from the web service. Should I tell my ISP or other organizations to add to their blacklists?
till
4th February 2008, 12:58
Instead of blacklisting it, it might be better to inform the ISP where the IP belongs to take actions to prevent this. You can look up the abuse address of the ISP with whois.
bswinnerton
4th February 2008, 14:44
Yes, that has been done.
falko
4th February 2008, 16:05
I have multiple failed break-ins (like 200 in 5 minutes) from the IP address 216.55.165.26
Is there any way to blacklist that IP address from logging into my server (FTP, SSH, etc.), and are there any major blacklisting sites I can add the IP address to?
Thanks
Take a look here: http://www.howtoforge.com/forums/showpost.php?p=38142&postcount=4
wpwood3
4th February 2008, 20:19
If the break-in attempts were on port 25 SSH then you should simply change the default port for SSH.
I run denyhosts and used to get several hack attempts daily on port 25. Denyhosts did its job but it was constantly blocking hack attempts. Since I changed my default SSH port to something else I have not had a single hack attempt on SSH. I also disabled password login and went to a public key.
Most of the script kiddies try to hack port 25 and rarely look at non-standard ports.
There's lots of good info in this HowTo:
http://www.howtoforge.com/ssh-best-practices
bswinnerton
6th February 2008, 20:52
This is aimed at this response:
iptables -I INPUT -s 216.55.165.26 -j DROP
iptables-save > /etc/sysconfig/iptables
How do I remove it from iptables?
wpwood3
6th February 2008, 23:30
This is aimed at this response:
How do I remove it from iptables?
Here's the way I would do it:
1) Create a new file named post-rule-setup.sh
2) Put the following in that file:
iptables -I INPUT -s 216.55.165.26 -j DROP
3) Place the file in this new folder:
/etc/Bastille/firewall.d/
4) Restart the Bastille firewall to activate the rule:
/etc/init.d/bastille-firewall restart
To remove the rule is simple:
1) Delete post-rule-setup.sh or remove the rule from that file
2) Restart the Bastille firewall:
/etc/init.d/bastille-firewall restart
You can add as many rules as you want into post-rule-setup.sh, just be sure to put each rule on its own line.
Run iptables -L to see your new rule(s) running in iptables or to confirm that it has been removed.
The benefit of doing it like this is that your rules will remain in effect even if the system is rebooted or Bastille is restarted.
Bvdwiel
9th February 2008, 01:48
I use sshguard happily on my FreeBSD box at home. It's also available for Linux/iptables. It blacklists IPs automatically after a set number of failures to log in. You can adjust how many failures within how many seconds it should take before the IP gets blocked and for how long the IP should remain blocked. Works like a charm here!
bswinnerton
14th February 2008, 17:41
Right now I'm using fail2ban and like it so far, however I just noticed something kind of odd in the logs and this could be completely normal but I would like a second set of eyes.
So in my auth.log This happened:
Feb 13 03:11:40 cw-webserver sshd[3833]: Server listening on :: port 22.
Feb 13 03:11:40 cw-webserver sshd[3833]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Feb 13 03:11:45 cw-webserver saslauthd[4162]: detach_tty : master pid is: 4162
Feb 13 03:11:45 cw-webserver saslauthd[4162]: ipc_init : listening on socket: /var/spool/postfix/var/run/saslauthd/mux
and then in the fail2ban.log was this:
2008-02-13 03:11:48,093 fail2ban.jail : INFO Using poller
2008-02-13 03:11:48,158 fail2ban.filter : INFO Created Filter
2008-02-13 03:11:48,158 fail2ban.filter : INFO Created FilterPoll
2008-02-13 03:11:48,159 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2008-02-13 03:11:48,160 fail2ban.filter : INFO Set maxRetry = 6
2008-02-13 03:11:48,165 fail2ban.filter : INFO Set findtime = 600
2008-02-13 03:11:48,166 fail2ban.actions: INFO Set banTime = 600
2008-02-13 03:11:48,182 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2008-02-13 03:11:48,183 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>
2008-02-13 03:11:48,184 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
2008-02-13 03:11:48,185 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2008-02-13 03:11:48,186 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
The only reason I thought that this was odd was because they were so close in time together
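Added example, not from the thread or from fail2ban itself: a Python reconstruction of the counting behind the settings shown in the fail2ban.log above (maxRetry = 6, findtime = 600), run over constructed auth.log lines. The year 2008 is assumed because syslog timestamps carry no year, and the jail name "ssh" is assumed when filling in the actionBan template.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd failures in auth.log format (not taken from the thread).
# 192.0.2.10 fails once every 3 minutes; 216.55.165.26 fails 6 times in 11 seconds.
SAMPLE_AUTH_LOG = """\
Feb 13 03:00:00 cw-webserver sshd[4101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Feb 13 03:03:00 cw-webserver sshd[4102]: Failed password for root from 192.0.2.10 port 40002 ssh2
Feb 13 03:06:00 cw-webserver sshd[4103]: Failed password for root from 192.0.2.10 port 40003 ssh2
Feb 13 03:09:00 cw-webserver sshd[4104]: Failed password for root from 192.0.2.10 port 40004 ssh2
Feb 13 03:12:00 cw-webserver sshd[4105]: Failed password for root from 192.0.2.10 port 40005 ssh2
Feb 13 03:12:01 cw-webserver sshd[4201]: Failed password for invalid user admin from 216.55.165.26 port 51234 ssh2
Feb 13 03:12:03 cw-webserver sshd[4202]: Failed password for invalid user test from 216.55.165.26 port 51235 ssh2
Feb 13 03:12:05 cw-webserver sshd[4203]: Failed password for root from 216.55.165.26 port 51236 ssh2
Feb 13 03:12:07 cw-webserver sshd[4204]: Failed password for root from 216.55.165.26 port 51237 ssh2
Feb 13 03:12:10 cw-webserver sshd[4206]: Failed password for root from 216.55.165.26 port 51238 ssh2
Feb 13 03:12:12 cw-webserver sshd[4207]: Failed password for root from 216.55.165.26 port 51239 ssh2
Feb 13 03:15:00 cw-webserver sshd[4106]: Failed password for root from 192.0.2.10 port 40006 ssh2
"""

# Matches the syslog timestamp and the source IP of an sshd password failure.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port"
)

def parse_ts(stamp, year=2008):
    # syslog omits the year; 2008 is assumed from the dates in the thread.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").timestamp()

def find_bans(log_text, maxretry=6, findtime=600):
    """Return {ip: time of the failure that triggered the ban}: ban when maxretry failures fall within findtime seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group(2) in bans:
            continue
        ts, ip = parse_ts(m.group(1)), m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans

# Action templates exactly as logged by fail2ban above; <name> is the jail name.
ACTION_BAN = "iptables -I fail2ban-<name> 1 -s <ip> -j DROP"
ACTION_UNBAN = "iptables -D fail2ban-<name> -s <ip> -j DROP"

def render(template, ip, name="ssh"):
    return template.replace("<name>", name).replace("<ip>", ip)
```

With the defaults only 216.55.165.26 is banned; lowering maxretry to 3 also catches the slow 192.0.2.10 source, which shows why the two settings are tuned together.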
falko
15th February 2008, 18:57
Feb 13 03:11:40 cw-webserver sshd[3833]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
I'm not sure what's causing this. Is SSH running?
bswinnerton
15th February 2008, 18:58
Yes it is, I use it almost every day.