LinuxQuestions.org

Linux - Newbie: Can I Ban Certain IPs or Subnets (https://www.linuxquestions.org/questions/linux-newbie-8/can-i-ban-certain-ips-or-subnets-663201/)

davidstvz 08-16-2008 07:47 AM

Can I Ban Certain IPs or Subnets
 
Can I ban certain IPs or subnets from even trying to log on? I'm running FreeBSD.

[EDIT: I guess a better question might be, what firewall am I running? I can't tell. None of the standard BSD firewalls seem to be installed here.]

ALSO, can I limit the number of login attempts within a given time period for a particular account? I'm not going to mistype my password more than 3 or 4 times (let's say 15 or even 25; there's no way a bot will guess without hundreds of thousands of tries anyway).

Details:

Some concerted login attacks have come from a few different IPs. Any advice? Are these things going to try to log in every day, or should I just ignore them because it will be different IPs every day?

Here's a summary:

221.174.32.213 tried a dictionary of login names including an attempt at root now and then.

67.202.28.221 made a concerted effort at logging in as root (good luck to it) consisting of 100 tries and 3 tries at toor at the end, then used a small list of user names much like the previous one.

trickykid 08-16-2008 08:40 AM

I block all attempts except those from trusted sources. And yes, you can set up most *nix systems to fail and lock an account after so many attempts if it is a valid account.

davidstvz 08-16-2008 08:45 AM

Quote:

Originally Posted by trickykid (Post 3249618)
I block all attempts except those from trusted sources. And yes, you can set up most *nix systems to fail and lock an account after so many attempts if it is a valid account.

I don't necessarily want to lock the account, but after X failed remote login attempts, I'd love to ban the IP until further notice.

trickykid 08-16-2008 08:48 AM

Quote:

Originally Posted by davidstvz (Post 3249622)
I don't necessarily want to lock the account, but after X failed remote login attempts, I'd love to ban the IP until further notice.

I once wrote a script that I had run periodically that would set up a block by IP or source if it was an attempt to login as root, since it was disabled anyway and users knew this.

A script that checks the number of attempts and then blocking shouldn't be that hard. Do you know any shell scripting?

tronayne 08-16-2008 08:48 AM

You can add addresses to /etc/hosts.deny, something like this:
Code:

sshd: 60.191.0.46
sshd: 88.173.248.34
sshd: 210.188.206.228
and so on

You can also install DenyHosts (see http://denyhosts.sourceforge.net) which
Quote:

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?
I have been using it for some years quite happily.

Hope this helps some.

davidstvz 08-16-2008 09:03 AM

Quote:

Originally Posted by trickykid (Post 3249624)
I once wrote a script that I had run periodically that would set up a block by IP or source if it was an attempt to login as root, since it was disabled anyway and users knew this.

A script that checks the number of attempts and then blocking shouldn't be that hard. Do you know any shell scripting?

I have started to reverse engineer some shell scripts. I could probably figure something out in time if I knew what files to get the info from and which to edit.

davidstvz 08-16-2008 09:07 AM

Quote:

Originally Posted by tronayne (Post 3249625)
You can add addresses to /etc/hosts.deny, something like this:
Code:

sshd: 60.191.0.46
sshd: 88.173.248.34
sshd: 210.188.206.228
and so on

You can also install DenyHosts (see http://denyhosts.sourceforge.net) which

I have been using it for some years quite happily.

Hope this helps some.

Ah, hosts.deny. Actually, my system doesn't have this file. It has hosts.allow which starts out with:

ALL : ALL : allow

And then starts making exceptions from there. I should be able to figure this out from here.

tronayne 08-16-2008 09:31 AM

If it were me, I'd leave /etc/hosts.allow in place (it usually has to exist) but delete that ALL line (it won't hurt anything, generally).

Create /etc/hosts.deny and put entries in it from your log file (the IP address of the jerks) as shown above.

You really want to take a look at DenyHosts -- thing runs as a daemon and does its magic automatically; a plus is that there is a world-wide index of bad guys from other DenyHosts installations that gets shared periodically (automatically unless you turn it off) so you pick up and reject bad actors that have tried to break into other systems before they try yours. Right now my hosts.deny file contains 4,117 entries (and, no, I do not do those by hand).

Hope this helps some.
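As an added example (not code from anyone in this thread), here is the kind of script trickykid describes, producing the entries tronayne shows: it counts failed sshd password attempts per source address from constructed auth.log lines and prints tcp_wrappers deny rules for any address at or above a threshold. It assumes OpenSSH's "Failed password for ... from A.B.C.D port N ssh2" log wording; the sample addresses are constructed documentation ranges, not the ones reported above. Note that tcp_wrappers is first-match, so on a FreeBSD-style single /etc/hosts.allow the deny lines have to sit above the `ALL : ALL : allow` line.

```shell
#!/bin/sh
# Added example (not from the thread): count failed sshd logins per source
# address and emit tcp_wrappers deny rules for addresses at or above a threshold.
# Assumes OpenSSH's "Failed password for ... from A.B.C.D port N ssh2" wording.

THRESHOLD=${THRESHOLD:-3}

# Constructed sample of auth.log lines; the addresses are documentation ranges,
# not the ones reported in the thread.
SAMPLE_LOG='Aug 16 07:41:02 host sshd[1201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Aug 16 07:41:04 host sshd[1201]: Failed password for root from 192.0.2.10 port 40123 ssh2
Aug 16 07:41:06 host sshd[1203]: Invalid user admin from 192.0.2.10
Aug 16 07:41:07 host sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Aug 16 07:41:09 host sshd[1205]: Failed password for invalid user toor from 192.0.2.10 port 40131 ssh2
Aug 16 07:50:00 host sshd[1300]: Failed password for dave from 198.51.100.7 port 50001 ssh2
Aug 16 07:50:30 host sshd[1302]: Accepted publickey for dave from 198.51.100.7 port 50002 ssh2'

# failed_by_ip: read log lines on stdin, print "COUNT IP" per source address.
# Only "Failed password for" lines are counted; the "Invalid user" line that
# precedes a bad-username attempt is not, so one attempt is not counted twice.
failed_by_ip() {
    grep -E 'sshd\[[0-9]+\]: Failed password for ' |
    sed -nE 's/.* from ([0-9]+(\.[0-9]+){3}) port [0-9]+ ssh2$/\1/p' |
    sort | uniq -c | awk '{ print $1, $2 }'
}

# deny_rules STYLE: one rule per address with COUNT >= THRESHOLD.
#   freebsd   -> "sshd : A.B.C.D : deny"  for the single /etc/hosts.allow file;
#                tcp_wrappers is first-match, so these must come BEFORE the
#                "ALL : ALL : allow" line or they never fire.
#   hostsdeny -> "sshd: A.B.C.D"          for a separate /etc/hosts.deny.
deny_rules() {
    style=${1:-freebsd}
    failed_by_ip | awk -v t="$THRESHOLD" -v s="$style" '
        $1 + 0 >= t + 0 {
            if (s == "freebsd") print "sshd : " $2 " : deny"
            else                print "sshd: " $2
        }'
}

# Stand-alone run against the constructed sample (in real use: < /var/log/auth.log).
printf '%s\n' "$SAMPLE_LOG" | deny_rules freebsd
```

Redirect the real log into `deny_rules` from cron and append the output to the wrappers file to automate the by-hand step; with the sample above only 192.0.2.10 (four failures) is emitted, while the single typo from 198.51.100.7 is not.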

davidstvz 08-16-2008 09:34 AM

Quote:

Originally Posted by tronayne (Post 3249655)
If it were me, I'd leave /etc/hosts.allow in place (it usually has to exist) but delete that ALL line (it won't hurt anything, generally).

Create /etc/hosts.deny and put entries in it from your log file (the IP address of the jerks) as shown above.

You really want to take a look at DenyHosts -- thing runs as a daemon and does its magic automatically; a plus is that there is a world-wide index of bad guys from other DenyHosts installations that gets shared periodically (automatically unless you turn it off) so you pick up and reject bad actors that have tried to break into other systems before they try yours. Right now my hosts.deny file contains 4,117 entries (and, no, I do not do those by hand).

Hope this helps some.

I'll try that, thanks a lot!
