LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 12-17-2011, 03:52 AM   #1
PinoyAko
LQ Newbie
 
Registered: May 2011
Posts: 28

Rep: Reputation: 0
How to handle large numbers of bruteforcers


My login page is being brute-forced by a large number of IPs. What do you think is the best way to prevent this from happening?
 
Old 12-17-2011, 04:19 AM   #2
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1290
Hello,

There are several ways. You could install and configure something like Fail2Ban, which should do the trick. Until you've installed and configured some protection you could use this script I found on the internet (don't remember where), which rejects connections from the same IP if the number of connections is greater than 10 (easy to adjust). I've changed that script to do a similar thing with SSH connections and recently put it in place on a production server that got attacked.
Code:
#! /bin/bash
# Every 60 s: list the remote addresses connected to httpd, count the
# connections per address and reject further TCP traffic from any address
# that holds more than LIMIT of them.
LIMIT=10
declare -A blocked

while true ;
do
	# One lsof call per cycle. -n/-P skip DNS and service-name lookups;
	# -sTCP:^LISTEN drops the listening sockets. The NAME field looks like
	# "local:port->remote:port" and its column number differs between lsof
	# versions, so select it by the "->" rather than by position.
	conns=$(lsof -nP -c httpd -iTCP -sTCP:^LISTEN 2>/dev/null |
		awk '{ for (i = 1; i <= NF; i++) if ($i ~ /->/) { sub(/.*->/, "", $i); sub(/:[0-9]+$/, "", $i); print $i } }')
	# the lines above get the list of all connections and connection attempts
	# and produce a list of unique remote IPs; the loop iterates through it
	for ip in $(printf '%s\n' "$conns" | sort -u) ;
	do
		# Count the connections from this particular IP. Exact whole-line
		# match: a plain "grep $ip" would also count 10.0.0.10 and
		# 10.0.0.11 towards 10.0.0.1.
		noconns=$(printf '%s\n' "$conns" | grep -cxF "$ip") ;
		echo "$ip : $noconns" ;
		# if there are more than LIMIT connections established or connecting
		# from this IP, and it has not been blocked in an earlier cycle
		if [ "$noconns" -gt "$LIMIT" ] && [ -z "${blocked[$ip]}" ] ;
		then
			# echo "$(date) $ip has $noconns connections" >> /var/log/Ddos/Ddos.log
			# to keep track of the IPs uncomment the line above and make sure you can write to the appropriate place
			iptables -I INPUT -s "$ip" -p tcp -j REJECT --reject-with tcp-reset
			# for these connections, add an iptables rule to send resets on any packets received;
			# remember the IP so the same rule is not inserted again every cycle
			blocked[$ip]=1
		fi
	done
	sleep 60
done
Hope it helps.

Kind regards,

Eric
 
1 members found this post helpful.
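The counting step of the script above, as an added example that is not part of the thread: one pass over lsof output with an awk associative array (no re-scan of the connection table per address), exact matching so that 10.0.0.1 is not confused with 10.0.0.10, and IPv6 peers routed to ip6tables rather than iptables. The lsof lines in SAMPLE are constructed for the example; the function names count_by_ip, offenders and block_rule are mine. The firewall commands are printed, not executed, so the script can be inspected before anything touches the ruleset.

```shell
#!/bin/bash
# Added example, not from the thread. Counts connections to httpd per remote
# address from lsof output and prints a REJECT rule for each address above a
# limit. SAMPLE is CONSTRUCTED lsof output; on a real host replace it with:
#   lsof -nP -c httpd -iTCP -sTCP:^LISTEN
set -u

SAMPLE='COMMAND  PID   USER FD  TYPE DEVICE SIZE/OFF NODE NAME
httpd   1201 apache  4u  IPv4  31001      0t0  TCP *:80 (LISTEN)
httpd   1201 apache  9u  IPv4  31220      0t0  TCP 203.0.113.5:80->198.51.100.7:50011 (ESTABLISHED)
httpd   1202 apache  9u  IPv4  31221      0t0  TCP 203.0.113.5:80->198.51.100.7:50012 (ESTABLISHED)
httpd   1203 apache  9u  IPv4  31222      0t0  TCP 203.0.113.5:80->198.51.100.7:50013 (SYN_RECV)
httpd   1204 apache  9u  IPv4  31223      0t0  TCP 203.0.113.5:80->198.51.100.70:50014 (ESTABLISHED)
httpd   1205 apache  9u  IPv6  31224      0t0  TCP [2001:db8::1]:80->[2001:db8:1::9]:40001 (ESTABLISHED)
httpd   1206 apache  9u  IPv6  31225      0t0  TCP [2001:db8::1]:80->[2001:db8:1::9]:40002 (ESTABLISHED)'

# count_by_ip: lsof lines on stdin -> "COUNT IP" lines, highest count first.
# The NAME column is found by its "->" (its position differs between lsof
# versions), the local side and the remote port are stripped, and IPv6
# brackets are removed so the address can be fed straight to ip6tables.
count_by_ip() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /->/) {
            ip = $i
            sub(/.*->/, "", ip)       # drop "local:port->"
            sub(/:[0-9]+$/, "", ip)   # drop ":port"
            gsub(/\[|\]/, "", ip)     # [2001:db8:1::9] -> 2001:db8:1::9
            n[ip]++                   # one pass, no per-IP rescans
        }
    } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders LIMIT: "COUNT IP" lines on stdin -> addresses with MORE than LIMIT.
offenders() {
    awk -v limit="$1" '$1 > limit { print $2 }'
}

# block_rule IP: print an idempotent reject command for one address.
# "-C" probes for an identical rule first, so running this every minute does
# not pile up duplicates; a ':' in the address means ip6tables, not iptables.
block_rule() {
    ip=$1 tool=iptables
    case $ip in *:*) tool=ip6tables ;; esac
    printf '%s -C INPUT -s %s -p tcp -j REJECT --reject-with tcp-reset 2>/dev/null || %s -I INPUT -s %s -p tcp -j REJECT --reject-with tcp-reset\n' \
        "$tool" "$ip" "$tool" "$ip"
}

# main [LIMIT]: run the pipeline over SAMPLE and print the resulting commands.
main() {
    limit=${1:-2}
    printf '%s\n' "$SAMPLE" | count_by_ip | offenders "$limit" | while read -r ip; do
        block_rule "$ip"
    done
}

main "$@"
```

With the sample data and the default limit of 2, only 198.51.100.7 (three sockets, one of them still in SYN_RECV) is reported; 198.51.100.70 is not miscounted as part of it, and the IPv6 peer with two connections stays under the limit. Pipe the output to sh only once the list has been reviewed.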
Old 12-17-2011, 05:14 AM   #3
PinoyAko
LQ Newbie
 
Registered: May 2011
Posts: 28

Original Poster
Rep: Reputation: 0
Hi,

Thanks for the bash script.

I only have one question: what does "--reject-with tcp-reset" do? Isn't "-j REJECT" enough?
 
Old 12-17-2011, 05:20 AM   #4
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1290
Hello,

You're welcome. From the man page of iptables:
Quote:
--reject-with type
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or icmp-admin-prohibited (*) which return the appropriate ICMP error message (port-unreachable is the default). The option tcp-reset can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ident (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise).
Some more information:
http://www.lowth.com/cutter/#mozTocId654024

Kind regards,

Eric

Last edited by EricTRA; 12-17-2011 at 05:24 AM. Reason: Useful link added
 
1 members found this post helpful.
Old 12-17-2011, 08:18 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,304
Blog Entries: 54

Rep: Reputation: 2856
The script IMHO is a kludge. Not only because of the use of UNIX commands ('lsof -ni4tcp:80|awk '/\(L/ {print $8}';' being short for using lsof, grep, grep and awk) but because it is forced to reap the connection table per IP, and when you're dealing with large amounts of connections that can't be good, no matter /proc being a VFS. Rejecting connections from the same IP if the number of connections is greater than 10 can be accomplished with a single rule:
Code:
iptables -A INPUT -i eth0 -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 -j DROP
 
5 members found this post helpful.
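The connlimit rule above, expanded into an idempotent script as an added example (not from the thread or any project): the -C probe avoids appending the same rule twice, --connlimit-mask aggregates sources into a prefix, and a hashlimit rule limits the rate of new connections per source. The rate limit matters for the original poster's case: a brute forcer that opens one short-lived connection per login attempt rarely holds more than ten at once and so never trips connlimit, and when the attempts come from many addresses, counting per /32 lets each of them stay under the limit. The interface eth0, port 80 and the limits (10 concurrent, 30 new per minute, per /24) are assumed values; http_limits and rule are my names. With DRY_RUN set the commands are printed instead of executed.

```shell
#!/bin/bash
# Added example, not from the thread. Builds a connlimit + hashlimit rule set
# for a web port. iptables is only invoked when DRY_RUN is empty; with
# DRY_RUN=1 the commands are printed so the rule set can be reviewed (or
# tested) on a machine without netfilter.
set -u

# rule ARGS...: run (or print) "iptables -A INPUT ARGS" once. The -C probe
# makes re-running the script safe: an identical rule is not appended twice.
rule() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables -C INPUT $* 2>/dev/null || iptables -A INPUT $*"
    else
        iptables -C INPUT "$@" 2>/dev/null || iptables -A INPUT "$@"
    fi
}

# http_limits IFACE PORT CONNLIMIT RATE MASK
#   CONNLIMIT: max concurrent connections per source prefix
#   RATE:      max NEW connections per minute per source prefix
#   MASK:      prefix length for grouping sources: 32 = per host (the rule in
#              the post), 24 = per /24, for an attacker rotating through a block
http_limits() {
    iface=$1 port=$2 connlimit=$3 rate=$4 mask=$5
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    case $mask in ''|*[!0-9]*) echo "bad mask: $mask" >&2; return 1 ;; esac
    [ "$mask" -le 32 ] || { echo "bad mask: $mask" >&2; return 1; }

    # Concurrent connections: what the thread's script approximated in userland.
    rule -i "$iface" -p tcp --syn --dport "$port" \
         -m connlimit --connlimit-above "$connlimit" --connlimit-mask "$mask" -j DROP
    # New connections per minute: one short connection per login attempt
    # never trips connlimit, but does trip this.
    rule -i "$iface" -p tcp --syn --dport "$port" \
         -m hashlimit --hashlimit-name "http_$port" --hashlimit-mode srcip \
         --hashlimit-srcmask "$mask" --hashlimit-above "$rate"/minute \
         --hashlimit-burst "$rate" -j DROP
}

# Weak form (per host, as in the post): http_limits eth0 80 10 30 32
# Aggregated per /24, printed only; drop DRY_RUN=1 to apply for real:
DRY_RUN=1 http_limits eth0 80 10 30 24
```

Both rules match only SYN packets, so connections that are already established are never cut; they only stop new ones, which is what a login brute force needs. Pick the mask with care: a /24 that covers a large NAT or proxy pool will also rate-limit legitimate users behind it.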
  

