LinuxQuestions.org


PinoyAko 12-17-2011 03:52 AM

How to handle large numbers bruteforcers
 
My login page is being bruteforced by a large number of IPs. What do you think is the best way to prevent this from happening?

EricTRA 12-17-2011 04:19 AM

Hello,

There are several ways. You could install and configure something like Fail2Ban which should do the trick. Until you've installed and configured some protection you could use this script I've found on the internet (don't remember where) which rejects connections from the same IP if the number of connections is greater than 10 (easy to adjust). I've changed that script to do a similar thing with SSH connections and recently put it in place on some production server that got attacked.
Code:

#!/bin/bash
# Polls established httpd connections with lsof every 60 seconds and inserts an
# iptables REJECT rule for any client IP holding more than MAXCONNS connections.
# Must run as root. Handles IPv4 clients only.

MAXCONNS=10

while true ;
do
    for ip in $(lsof -ni | grep httpd | grep -iv listen | grep -o -- '->[0-9.]\+' | cut -c3- | sort -u) ;
    # the line above gets the list of all connections and connection attempts,
    # takes the remote address after "->" in lsof's NAME column (so it does not
    # depend on the column position), and produces a list of unique IPs
    # which the loop then iterates through
    do
        noconns=$(lsof -ni | grep -c -- "->$ip:") ;
        # This finds how many connections there are from this particular IP address;
        # matching "->$ip:" avoids substring hits (10.0.0.1 would otherwise also match 10.0.0.10)
        echo "$ip : $noconns" ;
        if [ "$noconns" -gt "$MAXCONNS" ] ;
        # if there are more than MAXCONNS connections established or connecting from this IP
        then
            # echo "$(date) $ip has $noconns connections.  Total connections to prod spider:  $(lsof -ni | grep httpd | grep -iv listen | wc -l)" >>/var/log/Ddos/Ddos.log
            # to keep track of the IPs uncomment the line above and make sure you can write to the appropriate place
            # for these connections, add an iptables statement to send resets on any packets received;
            # -C checks whether the rule already exists so it is not inserted again on every pass
            iptables -C INPUT -s "$ip" -p tcp -j REJECT --reject-with tcp-reset 2>/dev/null ||
                iptables -I INPUT -s "$ip" -p tcp -j REJECT --reject-with tcp-reset
        fi ;
    done
    sleep 60
done

Hope it helps.

Kind regards,

Eric

PinoyAko 12-17-2011 05:14 AM

Hi,

Thanks for the bash script.

I only have one question: what does "--reject-with tcp-reset" do? Isn't "-j REJECT" enough?

EricTRA 12-17-2011 05:20 AM

Hello,

You're welcome. From the man page of iptables:
Quote:

--reject-with type
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or icmp-admin-prohibited (*) which return the appropriate ICMP error message (port-unreachable is the default). The option tcp-reset can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ident (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise).
Some more information:
http://www.lowth.com/cutter/#mozTocId654024

Kind regards,

Eric

unSpawn 12-17-2011 08:18 AM

The script IMHO is a kludge. Not only because of the use of UNIX commands ('lsof -ni4tcp:80|awk '/\(L/ {print $8}';' being short for using lsof, grep, grep and awk) but because it is forced to reap the connection table per IP and when you're dealing with large amounts of connections that can't be good no matter /proc being a VFS. Rejecting connections from the same IP if the number of connections is greater than 10 can be accomplished with a single rule:
Code:

iptables -A INPUT -i eth0 -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 -j DROP
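The per-IP counting that Eric's script does with a lsof/grep/awk pipeline, and that unSpawn's connlimit rule moves into the kernel, as an added example that is not from this thread: the functions count_by_ip and over_limit and the SAMPLE_LSOF data are assumptions constructed for the demo, so the threshold logic can be run offline without a live server.

```shell
# Constructed lsof -ni style output (not real), including a listener, an
# IPv6 client, and a 198.51.100.70 client that is a substring trap for 198.51.100.7.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 2101 apache 4u IPv4 31337 0t0 TCP *:http (LISTEN)
httpd 2101 apache 5u IPv4 31401 0t0 TCP 192.0.2.10:http->198.51.100.7:51234 (ESTABLISHED)
httpd 2102 apache 5u IPv4 31402 0t0 TCP 192.0.2.10:http->198.51.100.7:51235 (ESTABLISHED)
httpd 2103 apache 5u IPv4 31403 0t0 TCP 192.0.2.10:http->198.51.100.7:51236 (SYN_RECV)
httpd 2104 apache 5u IPv4 31404 0t0 TCP 192.0.2.10:http->198.51.100.70:40001 (ESTABLISHED)
httpd 2105 apache 5u IPv4 31405 0t0 TCP 192.0.2.10:http->203.0.113.5:40002 (ESTABLISHED)
httpd 2106 apache 5u IPv6 31406 0t0 TCP [2001:db8::1]:http->[2001:db8::a]:40003 (ESTABLISHED)'

# count_by_ip CMD: read lsof -ni output on stdin and print "IP count" for every
# remote client of process CMD, listeners excluded. The remote address is taken
# from the "->ADDR:PORT" part of the NAME column (the field before the "(STATE)"
# marker), so the result does not depend on how many columns lsof prints.
count_by_ip() {
    awk -v cmd="$1" '$1 == cmd && $NF != "(LISTEN)" {
        n = split($(NF-1), side, "->")
        if (n < 2) next                 # no remote side (e.g. UDP or listener)
        addr = side[2]
        sub(/:[^:]*$/, "", addr)        # strip the port, also for [v6]:port
        gsub(/\[|\]/, "", addr)         # strip IPv6 brackets
        count[addr]++
    }
    END { for (a in count) print a, count[a] }' | sort
}

# over_limit CMD MAX: print only the client IPs holding more than MAX connections,
# i.e. the same test Eric's script applies with "-gt 10" before calling iptables.
over_limit() {
    count_by_ip "$1" | awk -v max="$2" '$2 > max { print $1 }'
}

# Demo: with a threshold of 2, only the client holding three connections is listed.
printf '%s\n' "$SAMPLE_LSOF" | over_limit httpd 2
```

Feeding real output (`lsof -ni | over_limit httpd 10`) gives the list of IPs the script would reject; it counts SYN_RECV half-open connections too, which is what matters for a brute-forcer that opens many sockets at once.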
