LinuxQuestions.org
Old 08-16-2008, 08:47 AM   #1
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Rep: Reputation: 30
Can I Ban Certain IPs or Subnets


Can I ban certain IPs or subnets from even trying to log on? I'm running FreeBSD.

[EDIT: I guess a better question might be, what firewall am I running? I can't tell. None of the standard BSD firewalls seem to be installed here.]

ALSO, can I limit the number of login attempts within a given time period for a particular account? I'm not going to mistype my password more than 3 or 4 times (let's say 15 or even 25; there's no way a bot will guess without hundreds of thousands of tries anyway).

Details:

Some concerted login attacks have come from a few different IPs. Any advice? Are these things going to try to log in every day, or should I just ignore them because it will be different IPs every day?

Here's a summary:

221.174.32.213 tried a dictionary of login names including an attempt at root now and then.

67.202.28.221 made a concerted effort at logging in as root (good luck to it) consisting of 100 tries and 3 tries at toor at the end, then used a small list of user names much like the previous one.

Last edited by davidstvz; 08-16-2008 at 09:02 AM.
 
Old 08-16-2008, 09:40 AM   #2
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 234
I block all attempts except those from trusted sources. And yes, you can set up most *nix systems to fail and lock an account after so many attempts if they are a valid account.
 
Old 08-16-2008, 09:45 AM   #3
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by trickykid
I block all attempts except those from trusted sources. And yes, you can set up most *nix systems to fail and lock an account after so many attempts if they are a valid account.
I don't necessarily want to lock the account, but after X failed remote login attempts, I'd love to ban the IP until further notice.
 
Old 08-16-2008, 09:48 AM   #4
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 234
Quote:
Originally Posted by davidstvz
I don't necessarily want to lock the account, but after X failed remote login attempts, I'd love to ban the IP until further notice.
I once wrote a script I had run periodically that would set up a block by IP or source if it was an attempt to log in as root, since it was disabled anyway and users knew this.

A script that checks the number of attempts and then blocks shouldn't be that hard. Do you know any shell scripting?
 
Old 08-16-2008, 09:48 AM   #5
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,517

Rep: Reputation: 1039
You can add addresses to /etc/hosts.deny, something like this:
Code:
sshd: 60.191.0.46
sshd: 88.173.248.34
sshd: 210.188.206.228
and so on
You can also install DenyHosts (see http://denyhosts.sourceforge.net) which
Quote:
DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

If you've ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc...) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn't it be better to automatically prevent that attacker from continuing to gain entry into your system?
I have been using it for some years quite happily.

Hope this helps some.
 
Old 08-16-2008, 10:03 AM   #6
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by trickykid
I once wrote a script I had run periodically that would set up a block by IP or source if it was an attempt to log in as root, since it was disabled anyway and users knew this.

A script that checks the number of attempts and then blocks shouldn't be that hard. Do you know any shell scripting?
I have started to reverse engineer some shell scripts. I could probably figure something out in time if I knew what files to get the info from and which to edit.
 
Old 08-16-2008, 10:07 AM   #7
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by tronayne
You can add addresses to /etc/hosts.deny, something like this:
Code:
sshd: 60.191.0.46
sshd: 88.173.248.34
sshd: 210.188.206.228
and so on
You can also install DenyHosts (see http://denyhosts.sourceforge.net) which

I have been using it for some years quite happily.

Hope this helps some.
Ah, hosts.deny. Actually, my system doesn't have this file. It has hosts.allow, which starts out with:

ALL : ALL : allow

And then starts making exceptions from there. I should be able to figure this out from here.
 
Old 08-16-2008, 10:31 AM   #8
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,517

Rep: Reputation: 1039
If it was me, leave /etc/hosts.allow in place (it usually has to exist) but delete that ALL line (it won't hurt anything, generally).

Create /etc/hosts.deny and put entries in it from your log file (the IP address of the jerks) as shown above.

You really want to take a look at DenyHosts -- thing runs as a daemon and does its magic automatically; a plus is that there is a world-wide index of bad guys from other DenyHosts installations that gets shared periodically (automatically unless you turn it off) so you pick up and reject bad actors that have tried to break into other systems before they try yours. Right now my hosts.deny file contains 4,117 entries (and, no, I do not do those by hand).

Hope this helps some.
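Putting together trickykid's count-then-block idea (post #4) and tronayne's hosts.deny format (posts #5 and #8), here is an added example script; it is not code from the thread, from DenyHosts or from FreeBSD. It assumes OpenSSH's "Failed password" / "Invalid user" log lines as found in /var/log/auth.log; the log lines and the two hosts.allow files below are constructed samples, and the IP addresses are the ones the original poster reported.

```shell
#!/bin/sh
# Added example, not from the thread: count failed SSH logins per source IP
# in an OpenSSH auth log and print TCP-wrappers deny entries in the
# "sshd: a.b.c.d" form shown above for addresses over a threshold.
# The log lines and hosts.allow contents below are constructed samples.
LOG=$(mktemp); ALLOW_OPEN=$(mktemp); ALLOW_FIXED=$(mktemp)
cat > "$LOG" <<'EOF'
Aug 16 08:01:02 host sshd[2101]: Failed password for root from 67.202.28.221 port 41022 ssh2
Aug 16 08:01:05 host sshd[2103]: Failed password for root from 67.202.28.221 port 41030 ssh2
Aug 16 08:01:09 host sshd[2105]: Failed password for invalid user toor from 67.202.28.221 port 41041 ssh2
Aug 16 08:02:11 host sshd[2110]: Invalid user admin from 221.174.32.213
Aug 16 08:02:14 host sshd[2112]: Failed password for invalid user admin from 221.174.32.213 port 5233 ssh2
Aug 16 08:05:40 host sshd[2120]: Failed password for david from 192.0.2.10 port 6100 ssh2
Aug 16 08:05:45 host sshd[2122]: Accepted password for david from 192.0.2.10 port 6100 ssh2
EOF
printf 'ALL : ALL : allow\nsshd : 192.0.2.0/24 : allow\n' > "$ALLOW_OPEN"
printf 'sshd : 192.0.2.0/24 : allow\n' > "$ALLOW_FIXED"

# failed_ips LOG THRESHOLD: one IP per line with at least THRESHOLD failures.
# Counts "Failed password" and "Invalid user" lines; successful logins are ignored.
failed_ips() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= limit) print ip }' "$1" | sort
}

# deny_entries LOG THRESHOLD: the same addresses as hosts.deny lines. Review
# the output, then append it to /etc/hosts.deny (on FreeBSD, which keeps a
# single hosts.allow, the equivalent rule is "sshd : a.b.c.d : deny").
deny_entries() {
    failed_ips "$1" "$2" | sed 's/^/sshd: /'
}

# hosts_allow_is_open FILE: true if FILE has an "ALL : ALL : allow" rule.
# hosts.allow is consulted before hosts.deny and the first match wins, so
# such a rule admits every client and the deny entries never take effect.
hosts_allow_is_open() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*:[[:space:]]*allow' "$1"
}

deny_entries "$LOG" 3
hosts_allow_is_open "$ALLOW_OPEN" && echo "warning: $ALLOW_OPEN allows everyone first"
hosts_allow_is_open "$ALLOW_FIXED" || echo "$ALLOW_FIXED will honour hosts.deny"
```

With the sample log and a threshold of 3 only 67.202.28.221 is listed; the legitimate user who mistyped once is left alone, which is the point of choosing a threshold well above a human's typo rate.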
 
Old 08-16-2008, 10:34 AM   #9
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by tronayne
If it was me, leave /etc/hosts.allow in place (it usually has to exist) but delete that ALL line (it won't hurt anything, generally).

Create /etc/hosts.deny and put entries in it from your log file (the IP address of the jerks) as shown above.

You really want to take a look at DenyHosts -- thing runs as a daemon and does its magic automatically; a plus is that there is a world-wide index of bad guys from other DenyHosts installations that gets shared periodically (automatically unless you turn it off) so you pick up and reject bad actors that have tried to break into other systems before they try yours. Right now my hosts.deny file contains 4,117 entries (and, no, I do not do those by hand).

Hope this helps some.
I'll try that, thanks a lot!
 
  

