Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
12-17-2011, 03:52 AM | #1
LQ Newbie | Registered: May 2011 | Posts: 28
How to handle large numbers of bruteforcers
My login page is being bruteforced by a large number of IPs. What do you think is the best way to prevent this from happening?
12-17-2011, 04:19 AM | #2
Guru | Registered: May 2009 | Location: Gibraltar, Gibraltar | Distribution: Fedora 18 with Awesome WM | Posts: 6,805
Hello,
There are several ways. You could install and configure something like Fail2Ban which should do the trick. Until you've installed and configured some protection you could use this script I've found on the internet (don't remember where) which rejects connections from the same IP if the number of connections is greater than 10 (easy to adjust). I've changed that script to do a similar thing with SSH connections and recently put it in place on a production server that got attacked.
Code:
#!/bin/bash
# Every 60 seconds, list the remote IPs talking to httpd and reject any IP
# that has more than 10 connections open or in progress.
while true ;
do
    for ip in $(lsof -ni | grep httpd | grep -iv listen | awk '{print $8}' | cut -d : -f 2 | sort | uniq | sed 's/http->//') ;
    # the line above gets the list of all connections and connection attempts, and produces a list of unique IPs
    # and iterates through the list
    do
        noconns=$(lsof -ni | grep -c -w -F -- "$ip")
        # This finds how many connections there are from this particular IP address
        # (-w -F: match the whole address literally, so 1.2.3.4 is not also counted
        # for 1.2.3.40 or 11.2.3.4 as a plain 'grep $ip' would be)
        echo "$ip : $noconns" ;
        if [ "$noconns" -gt "10" ] ;
        # if there are more than 10 connections established or connecting from this IP
        then
            # echo More;
            # echo `date` "$ip has $noconns connections. Total connections to prod spider: `lsof -ni | grep httpd | grep -iv listen | wc -l`" >>/var/log/Ddos/Ddos.log
            # to keep track of the IPs uncomment the above two lines and make sure you can write to the appropriate place
            if ! iptables -C INPUT -s "$ip" -p tcp -j REJECT --reject-with tcp-reset 2>/dev/null ; then
                iptables -I INPUT -s "$ip" -p tcp -j REJECT --reject-with tcp-reset
            fi
            # for these connections, add an iptables statement to send resets on any packets received
            # (the -C check first, so the same rule is not inserted again every minute the IP stays over the limit)
        else
            : # echo Less;  (the ':' no-op keeps the else branch valid; bash rejects an empty branch)
        fi;
    done
    sleep 60
done
Hope it helps.
Kind regards,
Eric
1 members found this post helpful.
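The counting step of the script above is where such a loop tends to go wrong: a plain `grep $ip` over the connection table is a substring match, so asking about one address also counts every address that merely contains it. The following is an added example, not the script from the thread, that builds a constructed lsof-style connection table, shows the substring miscount next to an exact match, and then tallies connections per remote address in a single pass and reports the addresses above a threshold. The table, addresses and counts are all made up for the example; on a live host you would pipe `lsof -ni -P` into `over_limit` instead.

```shell
#!/bin/sh
# Added example, not the script from the thread: count connections per remote
# address from lsof-style output and list the addresses above a threshold.
# The connection table below is constructed for the example; on a live host you
# would pipe `lsof -ni -P` (with -P so ports stay numeric) into over_limit instead.

# Constructed sample in lsof's layout (NAME field is local->remote, state last):
# 203.0.113.7 holds 3 connections, 203.0.113.70 holds 12, 198.51.100.9 holds 1.
sample_table() {
    echo 'COMMAND  PID   USER FD  TYPE DEVICE SIZE/OFF NODE NAME'
    echo 'httpd   1234 apache  4u IPv4    111      0t0  TCP *:80 (LISTEN)'
    i=0
    while [ "$i" -lt 3 ]; do
        i=$((i + 1))
        printf 'httpd   1235 apache %su IPv4 112 0t0 TCP 10.0.0.5:80->203.0.113.7:510%02d (ESTABLISHED)\n' "$((i + 4))" "$i"
    done
    i=0
    while [ "$i" -lt 12 ]; do
        i=$((i + 1))
        printf 'httpd   1236 apache %su IPv4 113 0t0 TCP 10.0.0.5:80->203.0.113.70:520%02d (ESTABLISHED)\n' "$((i + 4))" "$i"
    done
    echo 'httpd   1237 apache  5u IPv4 114 0t0 TCP 10.0.0.5:80->198.51.100.9:53001 (ESTABLISHED)'
}

# The thread script's way of counting: a plain substring grep. Asked about
# 203.0.113.7 it also counts every 203.0.113.70 line (15 instead of 3).
naive_count() { grep -c -- "$1"; }

# Count only lines whose remote side is exactly this address ("->ADDR:").
exact_count() { grep -c -F -- "->$1:"; }

# Parse the whole table once: for every non-LISTEN line find the field holding
# "local->remote", strip the remote port, and tally per remote address.
# Prints "address count" for each address with more than $1 connections.
over_limit() {
    awk -v limit="$1" '
        /LISTEN/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /->/) {
                    split($i, ends, "->")        # ends[2] = remote host:port
                    sub(/:[^:]*$/, "", ends[2])  # drop the trailing :port
                    count[ends[2]]++
                }
            }
        }
        END { for (ip in count) if (count[ip] > limit) print ip, count[ip] }
    ' | LC_ALL=C sort
}

# Stand-alone run with the same threshold the thread uses.
sample_table | over_limit 10
```

With the threshold of 10 only `203.0.113.70 12` is reported; the single awk pass also avoids re-reading the whole connection table once per address, which is the cost the later reply in this thread objects to.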
12-17-2011, 05:14 AM | #3
LQ Newbie | Registered: May 2011 | Posts: 28 | Original Poster
Hi,
Thanks for the bash script.
I only have one question: what does "--reject-with tcp-reset" do? Isn't "-j REJECT" enough?
12-17-2011, 05:20 AM | #4
Guru | Registered: May 2009 | Location: Gibraltar, Gibraltar | Distribution: Fedora 18 with Awesome WM | Posts: 6,805
Hello,
You're welcome. From the man page of iptables:
Quote:
--reject-with type
The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited, icmp-host-prohibited or icmp-admin-prohibited (*) which return the appropriate ICMP error message (port-unreachable is the default). The option tcp-reset can be used on rules which only match the TCP protocol: this causes a TCP RST packet to be sent back. This is mainly useful for blocking ident (113/tcp) probes which frequently occur when sending mail to broken mail hosts (which won't accept your mail otherwise).
Some more information:
http://www.lowth.com/cutter/#mozTocId654024
Kind regards,
Eric
Last edited by EricTRA; 12-17-2011 at 05:24 AM.
Reason: Useful link added
1 members found this post helpful.
12-17-2011, 08:18 AM | #5
Moderator | Registered: May 2001 | Posts: 24,969
The script IMHO is a kludge. Not only because of its use of UNIX commands ('lsof -ni4tcp:80|awk '/\(L/ {print $8}';' being short for using lsof, grep, grep and awk) but because it is forced to reap the connection table per IP and when you're dealing with large amounts of connections that can't be good no matter /proc being a VFS. Rejecting connections from the same IP if the number of connections is greater than 10 can be accomplished with a single rule:
Code:
iptables -A INPUT -i eth0 -p tcp --syn --dport 80 -m connlimit --connlimit-above 10 -j DROP
5 members found this post helpful.
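The single connlimit rule above does the counting in the kernel's conntrack table instead of in a userspace loop. As an added example, not from the thread or from any of its posters, the script below wraps that rule into a small idempotent rule set: it matches only new SYNs so established flows are untouched, adds a rate-limited LOG rule in front of the DROP so hits are visible without the log being floodable, and uses `iptables -C` so re-running it never stacks duplicates. The interface, port, limit and mask are assumed defaults and can be overridden from the environment; `DRY_RUN=1` (the default here) prints the commands instead of executing them, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not from the thread: the connlimit approach from post #5 as an
# idempotent rule set. DRY_RUN=1 (the default here) prints the iptables commands
# instead of executing them, so the script can be read and checked without root;
# run it as root with DRY_RUN=0 to apply. Interface, port, limit and mask are
# assumed defaults; override them in the environment.
: "${DRY_RUN:=1}"
: "${IFACE:=eth0}"
: "${PORT:=80}"
: "${LIMIT:=10}"
: "${MASK:=32}"   # 32 counts per single address; 24 would count per /24, which
                  # also catches a few connections each from many neighbouring hosts

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Append a rule only if it is not already present (iptables -C, available since
# iptables 1.4.11); re-running the script then never stacks duplicate rules.
add_once() {
    if [ "$DRY_RUN" = 1 ] || ! iptables -C "$@" 2>/dev/null; then
        run -A "$@"
    fi
}

connlimit_rules() {
    # Match only new SYNs, so existing flows are untouched; connlimit consults the
    # conntrack table and fires once the source already holds more than LIMIT
    # connections to PORT. First a rate-limited LOG (so the log cannot itself be
    # flooded), then the DROP from post #5.
    add_once INPUT -i "$IFACE" -p tcp --syn --dport "$PORT" \
        -m connlimit --connlimit-above "$LIMIT" --connlimit-mask "$MASK" \
        -m limit --limit 3/min --limit-burst 5 -j LOG --log-prefix "connlimit: "
    add_once INPUT -i "$IFACE" -p tcp --syn --dport "$PORT" \
        -m connlimit --connlimit-above "$LIMIT" --connlimit-mask "$MASK" -j DROP
}

connlimit_rules
```

Run as-is it prints the two `iptables -A INPUT ...` commands; `DRY_RUN=0 MASK=24 LIMIT=20 ./connlimit.sh` as root would apply them with the per-/24 variant.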