LinuxQuestions.org
10-24-2014, 12:14 PM   #1
NotionCommotion
Member
Registered: Aug 2012
Posts: 687
Automatically block "banned" IPs


I've had thousands of attempted breakins from a couple of IPs. When I investigate the IP, I see they are definitely on the naughty list.

It looks like I can block them using:

Code:
/sbin/iptables -A INPUT -s BAN-IP-ADDRESS -j DROP
/sbin/iptables -A INPUT -s BAN-IP-ADDRESS/MASK -j DROP
PS. What is the "MASK" part all about?


Yes, I know if my server is perfectly configured, I probably don't have anything to worry about. Try as I might, I am concerned that maybe I didn't do something perfect.

PS. Is there an online service that I can have interrogate my IP and look for holes?


So, instead of waiting for thousands of attempted breakins, am I able to subscribe to some service which automatically adds IPs that have been previously known to be malicious? I am not worried about accidentally blocking good guys as the server is only accessed by me (I don't wish to whitelist as I often access the server remotely from different IPs).

Thank you
 
Old 10-24-2014, 12:34 PM   #2
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,453

Rep: Reputation: 2051Reputation: 2051Reputation: 2051Reputation: 2051Reputation: 2051Reputation: 2051Reputation: 2051Reputation: 2051Reputation: 2051Reputation: 2051Reputation: 2051
While I don't know of any global list you could use, have you looked into denyhosts? It monitors your /var/log/messages or /var/log/secure log files for failed access attempts and adds them to hosts.deny automatically. You can configure it to be a permanent ban or a temporary ban that lasts for N days, you can configure the number of failed attempts in a given amount of time for the IP to be banned, and it can treat root login attempts and user login attempts differently as well.

I run it on my home server, and over the last ~3 months (since I re-installed the OS) it's already added over 300 IPs to the ban list. I'll paste them below if you're interested.

One of the nice things about how it works is that if it adds an IP by mistake, all you have to do is put that IP in hosts.allow to whitelist it.

Every once in a while I'll get bored and start investigating some of them. So far they all seem to be from Russia or China. Probably some 13-year-old idiot wannabe "hackers" running a pre-canned script to try and brute-force root access via ssh.

Last edited by suicidaleggroll; 10-24-2014 at 12:41 PM.
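What denyhosts does internally, reduced to its core as an added example (not from the thread and not denyhosts' own code): count failed sshd logins per source IP over a few constructed /var/log/secure-style lines and emit hosts.deny entries for every IP at or above a threshold, with a whitelist argument standing in for the hosts.allow override described above.

```shell
#!/bin/sh
# Added example (not from the thread and not denyhosts' own code): the core of
# what denyhosts/fail2ban do, in POSIX sh. It counts failed sshd logins per
# source IP in /var/log/secure-style lines and prints an "ALL: <ip>" hosts.deny
# entry for every IP at or above a threshold. The log lines are constructed
# sample input (RFC 5737 documentation addresses), not real attacker data.

LOG_SAMPLE='Oct 24 12:01:03 srv sshd[2101]: Failed password for root from 203.0.113.9 port 51234 ssh2
Oct 24 12:01:05 srv sshd[2101]: Failed password for root from 203.0.113.9 port 51235 ssh2
Oct 24 12:01:06 srv sshd[2104]: Failed password for invalid user admin from 203.0.113.9 port 51240 ssh2
Oct 24 12:02:10 srv sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Oct 24 12:03:44 srv sshd[2115]: Failed password for invalid user test from 192.0.2.33 port 60001 ssh2
Oct 24 12:04:00 srv sshd[2118]: Failed password for root from 203.0.113.9 port 51250 ssh2'

# Print "count ip" for every source IP with a failed login, most failures first.
# Successful logins ("Accepted ...") never count.
count_failures() {
    printf '%s\n' "$LOG_SAMPLE" \
      | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print hosts.deny lines for IPs with at least $1 failures, skipping any IP in
# the space-separated whitelist $2 (the same role hosts.allow plays for denyhosts).
deny_entries() {
    count_failures | while read -r n ip; do
        [ "$n" -ge "$1" ] || continue
        case " $2 " in *" $ip "*) continue ;; esac
        echo "ALL: $ip"
    done
}

# Number of IPs that would be banned at threshold $1 with whitelist $2.
deny_count() {
    deny_entries "$1" "$2" | wc -l | tr -d ' '
}

deny_entries 3 ""             # only 203.0.113.9 (4 failures) crosses the bar
deny_entries 1 "192.0.2.33"   # 192.0.2.33 would qualify but is whitelisted
```

The threshold and whitelist are the two knobs the post describes; a real deployment would read the live log instead of LOG_SAMPLE and append the output to /etc/hosts.deny.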
10-24-2014, 01:01 PM   #3
haertig
Senior Member
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian
Posts: 2,159
I do this with a script I wrote, probably over a decade ago.

Here's a link to one place here on LQ.org where I mentioned the script (back in 2006) and posted the detailed code:

http://www.linuxquestions.org/questi...6/#post2290296
10-24-2014, 01:41 PM   #4
Habitual
LQ Addict
Registered: Jan 2011
Posts: 8,239
Blog Entries: 11
Quote:
Originally Posted by NotionCommotion
So, instead of waiting for thousands of attempted breakins...
fail2ban out of the box inhibits these abuses.
10-24-2014, 03:04 PM   #5
jefro
Moderator
Registered: Mar 2008
Posts: 16,350
mask = subnet mask? Pretty sure maybe, think so.
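It is the subnet mask, written as a prefix length: /MASK tells iptables how many leading bits of the address to compare. An added example (not from the thread) that works out in POSIX sh which addresses an ADDRESS/MASK rule would match, using the RFC 5737 documentation ranges as sample input:

```shell
#!/bin/sh
# Added example (not from the thread): what /MASK in "-s ADDRESS/MASK" means.
# An IPv4 address is 32 bits; /MASK (the prefix length) says "compare only the
# first MASK bits", so one rule covers a whole block instead of a single host.
# Addresses below are the RFC 5737 documentation ranges, used as sample input.

# Dotted quad -> integer, using only POSIX sh arithmetic.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# 32-bit netmask for a prefix length, e.g. 24 -> 0xFFFFFF00.
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# How many addresses a prefix length covers, e.g. /24 -> 256, /32 -> 1.
cidr_size() {
    echo $(( 1 << (32 - $1) ))
}

# First and last address of NETWORK/PREFIX, e.g. "203.0.113.0 203.0.113.255".
cidr_range() {
    mask=$(prefix_mask "${1#*/}")
    first=$(( $(ip_to_int "${1%/*}") & mask ))
    echo "$(int_to_ip "$first") $(int_to_ip "$(( first | (~mask & 0xFFFFFFFF) ))")"
}

# Succeeds when ADDRESS is inside NETWORK/PREFIX, i.e. the rule would match it.
cidr_contains() {
    mask=$(prefix_mask "${1#*/}")
    [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Demo: the /24 rule matches the whole block, so no need for 256 single-host rules.
echo "203.0.113.0/24 covers $(cidr_size 24) addresses: $(cidr_range 203.0.113.0/24)"
cidr_contains 203.0.113.0/24 203.0.113.77 &&
    echo "203.0.113.77 would hit: iptables -A INPUT -s 203.0.113.0/24 -j DROP"
cidr_contains 203.0.113.0/24 198.51.100.5 ||
    echo "198.51.100.5 is outside that block (a bare address means /32, one host)"
```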
10-24-2014, 03:44 PM   #6
propofol
Member
Registered: Nov 2007
Location: Seattle
Distribution: Debian Wheezy & Jessie; Ubuntu
Posts: 331
I also found denyhosts very useful. One additional measure is to use a non-standard port for ssh. You could just forward a different port (say 1234) on your router to port 22 on the PC. This makes /etc/hosts.deny a bit shorter.
10-24-2014, 03:51 PM   #7
NotionCommotion
Member
Registered: Aug 2012
Posts: 687
Original Poster
Thanks all,

Looks like denyhosts just protects against ssh (which is probably most important) while fail2ban is more wide-reaching (and probably more complicated). Still undecided on which one to use. Thoughts?

In regards to "mask", the example I posted comes from http://www.cyberciti.biz/faq/linux-h...inst-iptables/
10-24-2014, 04:14 PM   #8
suicidaleggroll
LQ Guru
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,453
Quote:
Originally Posted by NotionCommotion
Looks like denyhosts just protects against ssh
Well yes and no. It only triggers on failed ssh attempts, but once the IP is added to hosts.deny it will be blocked for all services.
10-24-2014, 04:54 PM   #9
unSpawn
Moderator
Registered: May 2001
Posts: 29,353
Blog Entries: 55
Quote:
Originally Posted by suicidaleggroll
once the IP is added to hosts.deny it will be blocked for all services.
...note this only works for services that are compiled with libwrap. Also see this and this.


Quote:
Originally Posted by NotionCommotion
fail2ban is more wide reaching (and probably more complicated).
That's a misconception. Fail2ban comes with default filters for over 60 services, works with minimal configuration, works at the network level and can use ipset (meaning you only need one iptables rule!).
10-24-2014, 05:11 PM   #10
NotionCommotion
Member
Registered: Aug 2012
Posts: 687
Original Poster
Quote:
Originally Posted by unSpawn
That's a misconception.
I take this to mean you recommend I strongly consider Fail2ban. Thank you
10-24-2014, 06:59 PM   #11
unSpawn
Moderator
Registered: May 2001
Posts: 29,353
Blog Entries: 55
Well, it's not difficult to use.
10-24-2014, 07:12 PM   #12
NotionCommotion
Member
Registered: Aug 2012
Posts: 687
Original Poster
Quote:
Originally Posted by unSpawn
Well, it's not difficult to use.
Okay.

But would you recommend it for an amateur server guy who has a Linux server for web development purposes only, which is located on his LAN along with his family's various Apple/Windows/TV clients?
10-24-2014, 07:34 PM   #13
unSpawn
Moderator
Registered: May 2001
Posts: 29,353
Blog Entries: 55
Sure. Just check which services you expose to the outside world (asserting your LAN clients are all well-behaved netizens).