How to block/ban connection attempts by hostname permanently?

Discussion in 'Tips/Tricks/Mods' started by AceLine, Feb 20, 2017.

  1. AceLine

    AceLine New Member

    Hi Forumianers, hi Till, hi Falco,

    one essential question about securing my ISPConfig servers is, am I able to and how can I block any connection attempts by blocking or banning a whole domain name including all hosts (in subdomains)?
    I was searching the web for a couple of hours now and ONLY found information about blocking / banning / null routing IP addresses but nothing about domain names and hostnames (maybe directly in IPTABLES, but I'm not that well practiced, I don't know how or if it has an effect on a well configured ISPConfig and at least it is not very comfortable to do).

    Particularly I'm facing the following problem:
    For a long time my email warning log is full of lines like this...
    Code:
    Feb 20 08:47:43 ns4 postfix/smtpd[4571]: warning: hostname dedic878.hidehost.net does not resolve to address 91.200.12.174: Name or service not known
    Feb 20 08:47:46 ns4 postfix/smtpd[4571]: warning: unknown[91.200.12.174]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb 20 08:50:16 ns4 postfix/smtpd[4724]: warning: hostname dedic865.hidehost.net does not resolve to address 91.200.12.159: Name or service not known
    Feb 20 08:50:19 ns4 postfix/smtpd[4724]: warning: unknown[91.200.12.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    Feb 20 08:50:55 ns4 postfix/smtpd[4724]: warning: hostname dedic865.hidehost.net does not resolve to address 91.200.12.101: Name or service not known
    Feb 20 08:50:57 ns4 postfix/smtpd[4724]: warning: unknown[91.200.12.101]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
    
    1. It would be good to free my log files of these thousands of lines with the same domain (only different hostname in subdomain) to get a better overview of other important information

    2. There are dozens of HACKER AND SPAMMER FRIENDLY services like hidehost.net - so it would be nice not only to ban each attempt for some minutes (in fact, the hacker or spammer script on the dark side will not be very impressed by this diplomatically very polite restriction (typically European)), but to ban all connection attempts by this domain permanently as I'm not really in expectation of any kind of useful information (Email or whatever) by people using these services

    Please give me a hint on how I can get rid of this problem. Maybe I only was searching by wrong search terms...

    Thanx in advance for your ideas.

    Best regards,

    Ingmar
     
  2. sjau

    sjau Local Meanie Moderator

    Probably best to use fail2ban. Also you can adjust the bantime in the fail2ban configs to a longer period. I currently have it at 6 months.

    To manually add something:
    Code:
    iptables -I INPUT 1 -s aaa.bbb.ccc.ddd -j DROP
    
    But after a reboot you'll have to re-add it. That's why I prefer fail2ban.
     
  3. Jesse Norell

    Jesse Norell Well-Known Member

    No, not with just iptables. Iptables rules only match an ip address. You can add iptables rules for a hostname, but the dns lookup is done one time when the rule is added, and a rule for the resulting ip address(es) is added. You cannot add a rule for a hostname which cannot be looked up in DNS at the time it's added, so of course you cannot add rules for "all subdomains" because you don't know what those hostnames are.

    Adding rules by dns name is generally a bad idea anyways; see eg. http://serverfault.com/questions/508691/making-iptables-easier-to-maintain for why it is problematic.

    So what do you do? I'd look at a combination of blocking in specific services like postfix and apache which can perform dns for new connections and reject accordingly. Combine that with some fail2ban rules which monitor the log files to catch entries that match those and you get a reasonably functional (though far from perfect) version of what you were wanting.
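    Added example (not code from the thread, ISPConfig or fail2ban): a small Python script for the log-monitoring half of the approach above. It parses the postfix/smtpd warnings quoted in the first post, groups the unverified PTR names by parent domain, and counts the SASL failures that followed from the same client IP, so the IPs (not the names) can be handed to fail2ban or an ipset. The regexes, the `parent_domain` helper and the extra mail.example.org / 203.0.113.7 line are my own assumptions and constructed input.

```python
import re
from collections import defaultdict

# Sample input: the three warning pairs quoted in the thread plus one constructed
# line (mail.example.org / 203.0.113.7) to show a host that is NOT an offender.
SAMPLE_LOG = """\
Feb 20 08:47:43 ns4 postfix/smtpd[4571]: warning: hostname dedic878.hidehost.net does not resolve to address 91.200.12.174: Name or service not known
Feb 20 08:47:46 ns4 postfix/smtpd[4571]: warning: unknown[91.200.12.174]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 20 08:50:16 ns4 postfix/smtpd[4724]: warning: hostname dedic865.hidehost.net does not resolve to address 91.200.12.159: Name or service not known
Feb 20 08:50:19 ns4 postfix/smtpd[4724]: warning: unknown[91.200.12.159]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb 20 08:51:02 ns4 postfix/smtpd[4724]: warning: hostname mail.example.org does not resolve to address 203.0.113.7: Name or service not known
"""

# Postfix logs the PTR name it got for the client and that it does not forward-resolve
# back to the client address. Whoever controls the reverse zone chooses that name,
# so it is triage evidence, never a trusted key; the IP is what a rule acts on.
NO_RESOLVE = re.compile(r"warning: hostname (\S+) does not resolve to address (\d+\.\d+\.\d+\.\d+)")
SASL_FAIL = re.compile(r"warning: unknown\[(\d+\.\d+\.\d+\.\d+)\]: SASL LOGIN authentication failed")


def parent_domain(hostname, levels=2):
    """Last `levels` labels of a hostname (naive: no public-suffix handling)."""
    return ".".join(hostname.rstrip(".").split(".")[-levels:])


def correlate(log_text):
    """Return {domain: {"ips": set, "sasl_failures": int}} from postfix warning lines."""
    last_ptr = {}  # client IP -> PTR name postfix reported for it
    summary = defaultdict(lambda: {"ips": set(), "sasl_failures": 0})
    for line in log_text.splitlines():
        m = NO_RESOLVE.search(line)
        if m:
            host, ip = m.groups()
            last_ptr[ip] = host
            summary[parent_domain(host)]["ips"].add(ip)
            continue
        m = SASL_FAIL.search(line)
        if m and m.group(1) in last_ptr:  # failure from an IP we saw a PTR warning for
            summary[parent_domain(last_ptr[m.group(1)])]["sasl_failures"] += 1
    return dict(summary)


def offenders(summary, min_failures=2):
    """Domains whose clients produced at least `min_failures` SASL login failures."""
    return sorted(d for d, s in summary.items() if s["sasl_failures"] >= min_failures)


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    for domain in offenders(result):
        print(domain, sorted(result[domain]["ips"]), result[domain]["sasl_failures"])
```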
     
  4. concept21

    concept21 Member

    ConfigServer Security & Firewall

    Install this. It has a Login Fail Daemon. You can tune it to block any address which fails login after several times. :D
     

    Attached Files: lfd.PNG
  5. concept21

    concept21 Member

    fail2ban also works very well :D
     