Break-In Attempt

Discussion in 'Installation/Configuration' started by bswinnerton, Feb 3, 2008.

  1. bswinnerton

    bswinnerton New Member

    I have multiple failed break in's (Like 200 in 5 minutes) from the IP address 216.55.165.26

    Is there any way to blacklist that IP address from logging into my server (FTP,SSH,ETC), and are there any major blacklisting sites I can add the IP address to?

    Thanks
     
  2. pine1455

    pine1455 New Member

    try :
    iptables -I INPUT -s 216.55.165.26 -j DROP
    iptables-save > /etc/sysconfig/iptables
     
  3. daveb

    daveb Member

    you could try fail2ban and or denyhosts.
     
  4. bswinnerton

    bswinnerton New Member

    Alright, I noticed that it's a static IP from the web service. Should I tell my ISP or other organizations to add to their blacklists?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Instead of blacklisting it, it might be better to inform the ISP were the IP belongs to to take ctions to prevent this. You can lookup the abuse address of the ISP with whois.
     
  6. bswinnerton

    bswinnerton New Member

    Yes, That has been done.
     
  7. falko

    falko Super Moderator ISPConfig Developer

    Take a look here: http://www.howtoforge.com/forums/showpost.php?p=38142&postcount=4
     
  8. wpwood3

    wpwood3 New Member

    Change your SSH port if they're trying to hack port 25

    If the break-in attempts were on port 25 SSH then you should simply change the default port for SSH.

    I run denyhosts and used to get several hack attempts daily on port 25. Denyhosts did it's job but it was constantly blocking hack attempts. Since I changed my default SSH port to something else I have not had a single hack attempt on SSH. I also disabled password login and went to a public key.

    Most of the script kiddies try to hack port 25 and rarely look at non-standard ports.

    There's lot's of good info in this HowTo:
    http://www.howtoforge.com/ssh-best-practices
     
  9. bswinnerton

    bswinnerton New Member

    This is aimed at this response:

    How do I remove it from iptables?
     
  10. wpwood3

    wpwood3 New Member

    Here's the way I would do it:

    1) Create a new file named post-rule-setup.sh

    2) Put the following in that file:
    iptables -I INPUT -s 216.55.165.26 -j DROP

    3) Place the file in this new folder:
    /etc/Bastille/firewall.d/

    4) Restart the Bastille firewall to activate the rule:
    /etc/init.d/bastille-firewall restart

    To remove the rule is simple:
    1) Delete post-rule-setup.sh or remove the rule from that file

    2) Restart the Bastille firewall:
    /etc/init.d/bastille-firewall restart

    You can add as many rules as you want into post-rule-setup.sh just be sure to put each rule on it's own line.

    Run iptables -L to see your new rule(s) running in iptables or to confirm that it has been removed.

    The benefit of doing it like this is that your rules will remain in effect even if the system is rebooted or Bastille is restarted.
     
  11. Bvdwiel

    Bvdwiel New Member

    I use sshguard happily on my FreeBSD box at home. It's also available for Linux/iptables. It blacklists IP's automatically after a set number of failures to login. You can adjust how many failures within how many seconds it should take before the ip gets blocked and for how long the ip should remain blocked. Works like a charm here!
     
  12. bswinnerton

    bswinnerton New Member

    Right now i'm using fail2ban and like it so far however I just noticed something kind of odd in the logs and this could be completely normal but would a second set of eyes.

    So in my auth.log This happened:

    Code:
    Feb 13 03:11:40 cw-webserver sshd[3833]: Server listening on :: port 22.
    Feb 13 03:11:40 cw-webserver sshd[3833]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
    Feb 13 03:11:45 cw-webserver saslauthd[4162]: detach_tty      : master pid is: 4162
    Feb 13 03:11:45 cw-webserver saslauthd[4162]: ipc_init        : listening on socket: /var/spool/postfix/var/run/saslauthd/mux
    
    and then in the fail2ban.log was this:

    Code:
    2008-02-13 03:11:48,093 fail2ban.jail   : INFO   Using poller
    2008-02-13 03:11:48,158 fail2ban.filter : INFO   Created Filter
    2008-02-13 03:11:48,158 fail2ban.filter : INFO   Created FilterPoll
    2008-02-13 03:11:48,159 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
    2008-02-13 03:11:48,160 fail2ban.filter : INFO   Set maxRetry = 6
    2008-02-13 03:11:48,165 fail2ban.filter : INFO   Set findtime = 600
    2008-02-13 03:11:48,166 fail2ban.actions: INFO   Set banTime = 600
    2008-02-13 03:11:48,182 fail2ban.actions.action: INFO   Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
    2008-02-13 03:11:48,183 fail2ban.actions.action: INFO   Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
    iptables -F fail2ban-<name>
    iptables -X fail2ban-<name>
    2008-02-13 03:11:48,184 fail2ban.actions.action: INFO   Set actionStart = iptables -N fail2ban-<name>
    iptables -A fail2ban-<name> -j RETURN
    iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
    2008-02-13 03:11:48,185 fail2ban.actions.action: INFO   Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
    2008-02-13 03:11:48,186 fail2ban.actions.action: INFO   Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>
    
    The only reason I thought that this was odd was because they were so close in time together
     
  13. falko

    falko Super Moderator ISPConfig Developer

    I'm not sure what's causing this. Is SSH running?
     
  14. bswinnerton

    bswinnerton New Member

    Yes it is, I use it almost every day.
     

Share This Page