Is it possible to block an IP address after x amount of login failures?
As per subject, I'm looking to find a way of blocking IP addresses automatically, temporarily or otherwise, after so many failed login attempts.
I guess I'd want this to cover ssh, http, pop
My messages log is filled with:
Apr 9 08:45:22 morpheus sshd[8845]: Failed password for invalid user oracle from 119.82.75.221 port 48998 ssh2
Apr 9 08:45:30 morpheus sshd[8847]: Invalid user test from 119.82.75.221
Apr 9 08:45:30 morpheus sshd[8847]: Failed password for invalid user test from 119.82.75.221 port 49193 ssh2
Apr 9 08:46:51 morpheus popa3d[8851]: Authentication passed for plisken
Apr 9 08:46:53 morpheus popa3d[8851]: 12426 messages (148807652 bytes) loaded
Apr 9 08:47:06 morpheus popa3d[8851]: 0 (0) deleted, 12426 (148807652) left
Apr 9 08:59:20 morpheus popa3d[8920]: Authentication passed for maggie
Apr 9 08:59:20 morpheus popa3d[8920]: 5 messages (289465 bytes) loaded
Apr 9 08:59:20 morpheus popa3d[8920]: 0 (0) deleted, 5 (289465) left
Apr 9 09:16:19 morpheus -- MARK --
Apr 9 09:26:41 morpheus sshd[9016]: Failed password for root from 119.82.75.221 port 56424 ssh2
Apr 9 09:26:44 morpheus sshd[9018]: Failed password for root from 119.82.75.221 port 56575 ssh2
Apr 9 09:26:47 morpheus sshd[9020]: Failed password for root from 119.82.75.221 port 56733 ssh2
Apr 9 09:26:50 morpheus sshd[9022]: Failed password for root from 119.82.75.221 port 56894 ssh2
Apr 9 09:26:52 morpheus sshd[9024]: Failed password for root from 119.82.75.221 port 57089 ssh2
Apr 9 09:26:56 morpheus sshd[9026]: Failed password for root from 119.82.75.221 port 57197 ssh2
Apr 9 09:27:03 morpheus sshd[9028]: Failed password for root from 119.82.75.221 port 57423 ssh2
Apr 9 09:27:06 morpheus sshd[9030]: Failed password for root from 119.82.75.221 port 57857 ssh2
Apr 9 09:27:09 morpheus sshd[9032]: Failed password for root from 119.82.75.221 port 58071 ssh2
Apr 9 09:27:16 morpheus sshd[9034]: Failed password for root from 119.82.75.221 port 58222 ssh2
Apr 9 09:27:20 morpheus sshd[9036]: Failed password for root from 119.82.75.221 port 58653 ssh2
Apr 9 09:27:23 morpheus sshd[9038]: Failed password for root from 119.82.75.221 port 58920 ssh2
Apr 9 09:27:25 morpheus sshd[9040]: Failed password for root from 119.82.75.221 port 59069 ssh2
Apr 9 09:27:27 morpheus sshd[9042]: Invalid user oracle from 119.82.75.221
Apr 9 09:27:27 morpheus sshd[9042]: Failed password for invalid user oracle from 119.82.75.221 port 59203 ssh2
Apr 9 09:27:29 morpheus sshd[9044]: Invalid user test from 119.82.75.221
Apr 9 09:27:29 morpheus sshd[9044]: Failed password for invalid user test from 119.82.75.221 port 59342 ssh2
In the past, I manually added IP addresses to the /etc/hosts.deny file.
I'm guessing I could search the log files for a specific string and then add the IP address to this file. Something tells me I tried this method years ago without much success though.
I too recommend fail2ban, but remember that the attacker might be behind a proxy (they usually are), and even then that IP might not be the router the person is using at home.
Fail2ban now up and running nicely, well it is working LOL (and rather well)
Any tips on using the iptables route or the deny.hosts route?
Additionally, I couldn't find any mail configurations (jails) in there; I'd like to cover pop3 failures too. At the moment I'm only using ssh/apache/proftpd.
This is what failed pop stuff looks like in my /var/log/messages
Note, no sign of an IP address, unlike my ssh failures.
Code:
Apr 15 14:10:50 morpheus popa3d[2833]: Authentication failed for UNKNOWN USER
Apr 15 14:11:01 morpheus popa3d[2842]: Authentication failed for UNKNOWN USER
Apr 15 14:11:11 morpheus popa3d[2852]: Authentication failed for UNKNOWN USER
Apr 15 14:11:22 morpheus popa3d[2859]: Authentication failed for UNKNOWN USER
Apr 15 14:11:32 morpheus popa3d[2867]: Authentication failed for UNKNOWN USER
my /var/log/maillog shows:
Code:
Apr 15 14:10:40 morpheus sm-mta[2832]: q3FDAeAC002832: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 15 14:10:51 morpheus sm-mta[2841]: q3FDApAC002841: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 15 14:11:01 morpheus sm-mta[2851]: q3FDB1AC002851: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 15 14:11:12 morpheus sm-mta[2858]: q3FDBCAC002858: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 15 14:11:22 morpheus sm-mta[2866]: q3FDBMAC002866: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Apr 15 14:11:32 morpheus sm-mta[2872]: q3FDBWAC002872: server.blackgate.nl [94.103.145.204] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
This is where one of my problems arises, as there is no <host> in my logs:
Code:
Apr 15 14:10:50 morpheus popa3d[2833]: Authentication failed for UNKNOWN USER
Apr 15 14:11:01 morpheus popa3d[2842]: Authentication failed for UNKNOWN USER
Apr 15 14:11:11 morpheus popa3d[2852]: Authentication failed for UNKNOWN USER
Apr 15 14:11:22 morpheus popa3d[2859]: Authentication failed for UNKNOWN USER
Apr 15 14:11:32 morpheus popa3d[2867]: Authentication failed for UNKNOWN USER
Quote:
but sm-mta from /var/log/maillog AFAIK are MTA messages, not POP.
I just thought the entries in both messages and maillog were related, as you can see the times and also the PIDs match up.
A failed pop authentication looks like this in /var/log/messages:
Code:
Apr 16 11:47:35 morpheus popa3d[13635]: Authentication failed for realUsername
I guess I may have two options, one to try and force the pop3d to log IP addresses as well and the other option is to use the IP address in the maillog instead.
Quote:
This is where one of my problems arises, as there is no <host> in my logs
Crap. I suppose popa3d doesn't support PAM auth either?
Quote:
Originally Posted by plisken
I just thought the enties in both messages and maillog were related as you can see the times and also the PIDs match up
A failed MTA send doesn't necessarily mean a failed POP3(S) login?..
Quote:
Originally Posted by plisken
I guess I may have two options, one to try and force the pop3d to log IP addresses as well and the other option is to use the IP address in the maillog instead.
IMHO if you have two options then it's to make pop3d to log IP addresses or run the daemon from a super server like Xinetd.
i use combo of PAM pam_passwdqc.so and denyhosts service. so i'll share what i do on a rhel 5.7
denyhosts will write sshd specific entries into hosts.deny, 3 failed logins for a known account gets the src a 15min block, after that another 3 failed gets PAM to block for 1hr, so essentially 1hr:15min lockout per 6 failed attempts, then the system will dynamically allow the src IP to auth again after that time period.
for ssh specifically they all work together to deny IP as follows:
Code:
********** PASSWORD REQUIREMENTS AND LOCKOUT **********
changed password requirements and lockout using PAM modules in
/etc/pam.d/system-auth config file
perhaps use the switch "quiet" in pam_tally2 auth for more
"dark" systems, this basically locks the account without
telling user the account was locked. perhaps omit "unlock_time"
for more secure systems, this would force the sys admin to
manually unlock the auth. lockout time is set to 3600 (1hr).
also note the deny is set to 6 (this coincides with sshd_config
and denyhosts). "root" will be tallied. please note, this is
not the same as "passwd -l [user]". we also change the strength
of password hashes for shadow, so in password section notice
that pam_unix.so uses sha512 instead of the default md5.
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# added pam_tally2 in auth and account
# added use of pam_passwdqc and disabled pam_cracklib in password
auth required pam_tally2.so onerr=fail deny=6 unlock_time=3600 audit
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_tally2.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
#password requisite pam_cracklib.so try_first_pass retry=3
password requisite pam_passwdqc.so min=disabled,disabled,12,8,8 random=0 passphrase=0 retry=3 similar=deny enforce=everyone ask_oldauthtok
password sufficient pam_unix.so sha512 shadow remember=12 try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
================================================
********** hosts.allow AND hosts.deny **********
these files are read by tcpwrappers (/usr/sbin/tcpd)
lets protect inet services from IP that should not be connecting,
etc. note, only services that are wrapped with tcpd will read
these files, etc. hosts.deny will send a email alert if connection
is not from RFC1918, etc. "denyhosts" will also dynamically update
hosts.deny. if hosts.deny gets mucked up real bad then it can be
fixed by copying /etc/hosts.deny.orig.bak back to hosts.deny, etc.
allow localhost IP
# /etc/hosts.allow
# allow all localhost connections
ALL: 127.0.0.0/255.0.0.0
this hosts.deny file will flat-out deny connectivity from any
non-RFC1918 IP.
# /etc/hosts.deny
# deny all non-RFC1918 addresses and alert on such
#
ALL: ALL EXCEPT 10.0.0.0/255.0.0.0, 172.16.0.0/255.240.0.0, 192.168.0.0/255.255.0.0 \
: spawn (/bin/mail -s "ALERT\: ILLEGAL %d ATTEMPT from IP %h" "1@.gov \
2@.gov 3@.gov 4@.gov 5@.gov") &
#######################################################
and yes, i have a line of hashes in there because denyhosts will
dynamically add/remove entries after this line, makes it easy
to see denyhosts entries, etc.
=======================================================
********** denyhosts SERVICE INSTALL **********
denyhosts is a control used to thwart off brute force login attacks,
etc.
this service is used to dynamically update /etc/hosts.deny.
out-of-the-box it watches for failed logins to sshd but can be
used for watching any log for anything you want. this install
is "DenyHosts version: 2.6". two DoS fixes (one REGEX5 and one
REGEX7) were applied to usr/lib/python2.4/site-packages/DenyHosts/regex.py (see https://bugzilla.redhat.com/show_bug.cgi?id=244943
and https://bugzilla.redhat.com/attachment.cgi?id=157433&action=diff).
python is a pre-req (see documentation, etc).
the denyhosts package will install on Red Hat / Fedora, Mandrake,
FreeBSD / OpenBSD, SuSE, Mac OS X. the denyhosts package will
install to /usr/share/denyhosts and there is a README there which
explains everything about denyhosts. this service is setup as a
daemon (a runtime init 2-5 service, run "chkconfig --list |grep
denyhosts" to see. you can control the service using the "service"
command). see the README.
this Linux rhel 5.7 system has access/account controls at several
layers. the 1st layer is network access, and from the host side is
controlled through tcp wrappers (tcpd). sshd by default uses tcpd
(not all services do). sshd_config limits auth tries to 3 before
disconnecting the connection, but this alone does not stop the src
from connecting again, so this is where denyhosts comes in to
assist. denyhosts is configured to block source after 3 consecutive
failed logins (for known accounts) and 10 failed logins (for
unknown accounts) which will result in a 15min src IP network
deny. after 15min the src IP will be purged from the deny list
and is again allowed to connect. after 6 consecutive failed
logins PAM will lock a valid account for 1hr.
configuration is held in /usr/share/denyhosts/denyhosts.cfg (config
options are explained in the README file).
(settings that were changed, all others left at default)
# PURGE_DENY:
PURGE_DENY = 15m
# PURGE_THRESHOLD
PURGE_THRESHOLD = 0
# DENY_THRESHOLD_INVALID
DENY_THRESHOLD_INVALID = 10
# DENY_THRESHOLD_VALID
DENY_THRESHOLD_VALID = 3
# DENY_THRESHOLD_ROOT
DENY_THRESHOLD_ROOT = 3
# DENY_THRESHOLD_RESTRICTED
DENY_THRESHOLD_RESTRICTED = 1
# HOSTNAME_LOOKUP
HOSTNAME_LOOKUP=no
# ADMIN_EMAIL
ADMIN_EMAIL = 1@.gov, 2@.gov, 3@.gov, 4@.gov, 5@.gov
# SMTP_HOST and SMTP_PORT
SMTP_HOST = 10.21.0.59
SMTP_PORT = 25
# SMTP_FROM
SMTP_FROM = DenyHosts <no-reply@myHost.gov>
# SYSLOG_REPORT
SYSLOG_REPORT=YES
# AGE_RESET_VALID
AGE_RESET_VALID=25d
# AGE_RESET_ROOT
AGE_RESET_ROOT=25d
# AGE_RESET_RESTRICTED
AGE_RESET_RESTRICTED=25d
# AGE_RESET_INVALID
AGE_RESET_INVALID=25d
# RESET_ON_SUCCESS
RESET_ON_SUCCESS = yes
# DAEMON_LOG_TIME_FORMAT
DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
# DAEMON_SLEEP
DAEMON_SLEEP = 15s
# DAEMON_PURGE
DAEMON_PURGE = 5m
# SYNC_INTERVAL
SYNC_INTERVAL = 10000h
# SYNC_UPLOAD
SYNC_UPLOAD = no
# SYNC_DOWNLOAD
SYNC_DOWNLOAD = no
Last edited by Linux_Kidd; 04-16-2012 at 11:16 AM.
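Added example, not code from the thread and not DenyHosts' own code: a Python script that does what plisken's first post asks for (search the log for the sshd failure strings, count per source IP, and produce hosts.deny entries) using the per-account-class thresholds, RESET_ON_SUCCESS and 15-minute PURGE_DENY from Linux_Kidd's denyhosts.cfg above. Assumptions: the log year is 2012 (syslog lines carry none), successful logins use the standard OpenSSH "Accepted password for USER from IP port N ssh2" wording (not shown in the thread), and the sample log is the thread's Apr 9 lines plus two constructed lines (a login from 192.168.1.20 and the attacker retrying at 09:42).

```python
"""Added example (not from the thread and not DenyHosts' own code): scan sshd
syslog lines, apply the thresholds from the posted denyhosts.cfg, expire blocks
after PURGE_DENY, and emit hosts.deny entries."""
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

# Matches the sshd failure lines shown in the thread and the standard OpenSSH
# success line ("Accepted password for USER from IP port N ssh2"), which the
# thread does not show but RESET_ON_SUCCESS needs.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# ok: accepted login; invalid: sshd said "invalid user" (account does not exist)
Event = namedtuple("Event", "ts ip user ok invalid")

@dataclass
class Policy:
    # Defaults mirror the denyhosts.cfg values posted in the thread.
    deny_threshold_valid: int = 3
    deny_threshold_invalid: int = 10
    deny_threshold_root: int = 3
    purge_deny: timedelta = timedelta(minutes=15)
    reset_on_success: bool = True

def parse_line(line, year=2012):
    """Event for an sshd auth line, None for anything else (popa3d, -- MARK --,
    the bare "Invalid user" notice). Syslog carries no year, so one is assumed."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["ip"], m["user"], m["result"] == "Accepted", bool(m["invalid"]))

class DenyTracker:
    def __init__(self, policy=None):
        p = self.policy = policy or Policy()
        self.limit = {"valid": p.deny_threshold_valid, "invalid": p.deny_threshold_invalid,
                      "root": p.deny_threshold_root}
        self.fail = defaultdict(lambda: {"valid": 0, "invalid": 0, "root": 0})
        self.denied = {}   # ip -> time the block expires
        self.events = []   # (ts, ip, "deny" | "purge"): an audit trail

    def _purge(self, now):
        """PURGE_DENY: drop blocks whose time has elapsed, with their counters."""
        for ip, until in list(self.denied.items()):
            if now >= until:
                del self.denied[ip]
                self.fail.pop(ip, None)
                self.events.append((now, ip, "purge"))

    def feed(self, ev):
        self._purge(ev.ts)
        if ev.ip in self.denied:
            return  # tcpd is already refusing this source
        if ev.ok:
            if self.policy.reset_on_success:
                self.fail.pop(ev.ip, None)
            return
        cls = "root" if ev.user == "root" else ("invalid" if ev.invalid else "valid")
        self.fail[ev.ip][cls] += 1
        if self.fail[ev.ip][cls] >= self.limit[cls]:
            self.denied[ev.ip] = ev.ts + self.policy.purge_deny
            self.events.append((ev.ts, ev.ip, "deny"))

    def hosts_deny_lines(self):
        """Lines in the form DenyHosts appends below its marker in /etc/hosts.deny."""
        return [f"sshd: {ip}" for ip in sorted(self.denied)]

def scan(lines, policy=None):
    tracker = DenyTracker(policy)
    for line in lines:
        ev = parse_line(line)
        if ev:
            tracker.feed(ev)
    return tracker

# Constructed sample: the thread's Apr 9 lines plus two made-up lines (a real
# login from 192.168.1.20, and the attacker retrying after the block expired).
SAMPLE_LOG = """\
Apr 9 08:45:22 morpheus sshd[8845]: Failed password for invalid user oracle from 119.82.75.221 port 48998 ssh2
Apr 9 08:45:30 morpheus sshd[8847]: Invalid user test from 119.82.75.221
Apr 9 08:45:30 morpheus sshd[8847]: Failed password for invalid user test from 119.82.75.221 port 49193 ssh2
Apr 9 09:16:19 morpheus -- MARK --
Apr 9 09:26:41 morpheus sshd[9016]: Failed password for root from 119.82.75.221 port 56424 ssh2
Apr 9 09:26:44 morpheus sshd[9018]: Failed password for root from 119.82.75.221 port 56575 ssh2
Apr 9 09:26:47 morpheus sshd[9020]: Failed password for root from 119.82.75.221 port 56733 ssh2
Apr 9 09:26:50 morpheus sshd[9022]: Failed password for root from 119.82.75.221 port 56894 ssh2
Apr 9 09:30:00 morpheus sshd[9100]: Accepted password for plisken from 192.168.1.20 port 40000 ssh2
Apr 9 09:42:00 morpheus sshd[9120]: Failed password for root from 119.82.75.221 port 60000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ts, ip, action in scan(SAMPLE_LOG).events:
        print(ts.strftime("%b %d %H:%M:%S"), action, ip)
```

Run as-is it reports the deny at 09:26:47 (third root failure, DENY_THRESHOLD_ROOT = 3) and the purge at 09:42:00 once the 15 minutes have elapsed; the 09:26:50 attempt is ignored because the source is already blocked, and the -- MARK -- and bare "Invalid user" lines are skipped since they carry no auth result. The two invalid-user failures at 08:45 never reach DENY_THRESHOLD_INVALID = 10, which illustrates why the posted config treats root and known accounts more strictly than guessed ones. Lines from popa3d would be skipped the same way, which is exactly the "no <host> in my logs" gap the thread runs into for pop3.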