LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 06-05-2013, 11:39 AM   #16
Slax-Dude

I agree that blocking entire IP ranges is a bad practice.

This looks promising: https://github.com/qrux/deny-ssh
You will have to adapt the supplied init script, but it looks trivial to do so.
 
Old 06-05-2013, 12:28 PM   #17
PrinceCruise
Quote (Originally Posted by H_TeXMeX_H):
I have been the victim of this many times and in many places.
Me too. I couldn't ever access PCLinuxOS forums because they have banned most of the Indian and Chinese ISPs. Their administrator who was very friendly explained the cause behind banning almost everything coming from India and China.

I too believe that it's not really a politically correct method, but in this case of your precious network vs. spammers, this one is the sanest way.

Regards.
 
Old 06-05-2013, 01:25 PM   #18
tronayne
I was going to mention DenyHosts (which I've used for years with great success); agreeing (somewhat) with the "Python" downside to DenyHosts discussed at the deny-ssh site. deny-ssh looks like a useful tool.

Both DenyHosts and deny-ssh approach the problem from the standpoint of "you tried to break in on my system, so you're guilty, and you're gone," where "gone" means an entry in /etc/hosts.deny (darned effective, too). DenyHosts will optionally create IPTABLES entries (don't know about deny-ssh) if that's your preference.

After running DenyHosts for a couple of years I took a look at where all the attempts were coming from (there were something on the order of 2,500 individual sites; there are a lot more now in my /etc/hosts.deny). Most of it was originating in China -- on the order of 1,800 attempts -- some from Russia, some from Bulgaria, some from Brazil, a few from Korea (both of them) and a bunch of US-based script kiddies. What DenyHosts does is look at your log for failed log in attempts -- you can configure the number of failures that earns an entry in /etc/hosts.deny; they're usually SSH attempts on accounts that, by default in Slackware, do not permit a log in to start with (like wheel, admin, etc.).

After analyzing the domains that attacks originated from, and considering possible reasons anyone in, e.g., China, would have in my servers (basically none) along with the reports coming from government and industry about such attacks (this is some years ago, not last week), I simply decided to shut off access completely. They were not successful getting through DenyHosts, but the volume kept growing and I just decided that enough was enough -- I don't need to put up with this crap from anybody.

Contrary to some above opinions, I don't shut off US-based sites (they get caught by DenyHosts) -- I assume they're Windows boxes that have been compromised or script kiddies and let that be that. I don't shut off any domain until proven guilty but when I see increasing attacks, that's it, bubba, you're gone and you will not be welcomed back anytime soon.

I use /etc/hosts.allow as a white list where there is a legitimate site that requests access, I don't have a problem with that (and there is a long list of those).

I've liked DenyHosts because it just sits there doing its thing and I don't have to mess with it -- I get mail that some site or other has been added to /etc/hosts.deny, I scan through the log weekly or so just to see what's what and who's been doing what with which and to whom.

deny-ssh looks, to me, like a Good Thing and I'll be evaluating it for a while.

This is not a matter of having friends in different places around the world -- I do and I value them -- it's a matter of deliberate, determined action by whatever means to compromise me, you, news organizations, corporations, banking, government and who knows what-all to steal information, plans, methods and, potentially, shutting down infrastructure, that just scares the hell out of me. I haven't got anything anybody would want but, dammit, I will do whatever I have to so as to prevent whoever from screwing with my systems -- I'm glad to share and more than willing to do so but I will not tolerate thieves in the night.

From what I've been seeing, it looks an awful lot like state-sponsored intrusions are real, not some figment of somebody's imagination, and they seem to be originating mostly from one part of the world, maybe one specific address in one specific city and they're becoming more and more common.

Shut the bastards off and be done with it, methinks, instead of cleaning up after they've been unwelcome visitors.

Last edited by tronayne; 06-05-2013 at 02:06 PM.
 
Old 06-05-2013, 02:25 PM   #19
guanx
Quote (Originally Posted by tronayne):
...

When I start to see crap coming from somewhere that would have zero interest in my servers, I simply block the entire country and be done with it. That might be harsh, but anyplace that encourages (or sponsors!) these sorts of activities I have no reason to allow them on the property as it were.

...
Smart! One harmful, kill them all. This is what the U.S. had been doing to the American Indians. And the U.S. did achieve great success nowadays.
 
Old 06-05-2013, 02:28 PM   #20
guanx
Quote (Originally Posted by kikinovak):
...
I'm running a few dedicated servers for clients, with a handful of specialized services like library management or school management. It's all more or less running on LAMP servers and supposed to be accessed around here, meaning in South France.
...
Every word here indicates that you need a white list.
 
Old 06-05-2013, 03:23 PM   #21
unSpawn
Quote (Originally Posted by guanx):
Smart! One harmful, kill them all. This is what the U.S. had been doing to the American Indians. And the U.S. did achieve great success nowadays.
Please try to keep this thread on topic.
 
Old 06-05-2013, 03:32 PM   #22
unSpawn
In addition to what's been replied earlier on, two things:
- application vs network layer (security): tcp_wrappers vs iptables and
- multiple rules vs one iptables rule (performance, ease of use): iptables vs ipset.
 
Old 06-05-2013, 07:14 PM   #23
guanx
Quote (Originally Posted by unSpawn):
Please try to keep this thread on topic.
Your network is so slow that you could not read my last post right above this of yours.
 
Old 06-05-2013, 08:33 PM   #24
jefro
No, you misread his post. It was not directed at you.

You could go and send out self signed certificates to authenticate. If you have a safe way to send them and change them once in a while it would restrict all others.

It is kind of a shame that the internet has become so much of a wild west. Institutional hacking is coming mostly from a few places. They tend to try and get unsuspecting users' computers in other countries to do their dirty work so banning a country is only part of the solution.

There is nothing wrong with blocking entire countries. Blocking generally honest countries that have no business use in your wan does no harm.
 
Old 06-05-2013, 09:17 PM   #25
chrisretusn
I get blocked from a few sites because of where I live. Sux.
 
Old 06-05-2013, 09:53 PM   #26
Z038
I've just started using fail2ban to automatically ban just those specific IP addresses that attempt intrusions. It seems to be doing a good job so far.
 
Old 06-06-2013, 11:54 AM   #27
gezley
Quote (Originally Posted by kikinovak):
First of all, my apologies to all the Chinese and Russian Slackware users in this forum. But here goes.

I'm running a few dedicated servers for clients, with a handful of specialized services like library management or school management. It's all more or less running on LAMP servers and supposed to be accessed around here, meaning in South France.

I have many hostile connections on these machines, mostly brute force attempts, which I keep out with a couple of iptables rules limiting the number of connections per minute. Only I'm facing a real tsunami here, and I thought about a more radical solution.

Is there a way to block whole countries using iptables? I've tracerouted some folks back, and they seem to originate mostly from China and Russia, with the odd Nigerian IP.

Any suggestions?
I feel it is completely against the spirit of the internet to block entire countries. To mitigate these attacks I prefer to use the PF firewall on a {Net,Open}BSD system coupled with Hiawatha as my web server of choice. Both of these in my opinion do a better job of securing the perimeter against DoS and other attacks. I won't pretend my little server has anything like the traffic your servers have but I do feel much more confident with this setup than I would with netfilter and apache.
 
Old 06-13-2013, 06:10 AM   #28
bonowax
Hi, slackers;

I've used OSSEC in the past to mitigate brute force attacks and script kiddies. It created IPTABLES rules on the fly, while monitoring logs for failed and repetitive connection attempts to listening daemons. It was configurable in rules, thresholds and actions, although defaults were enough for most situations.

Put simply and as an example, 15 repetitive failed attempts to log in through SSH from the same IP would generate an IPTABLES rule that would block that IP. This rule would be dynamically removed 30 minutes later.

Serves you whether your attacker is based in Russia, Portugal or the US and doesn't block legit users.

Cheers
 
1 members found this post helpful.
Old 06-13-2013, 08:27 AM   #29
eloi
Hi kikinovak

What you see is normal and suffered by all web servers. The attacks will come from all around the world; the attacker uses machines all around the world.

Search your /var/log/httpd/*access_log for recurring text chains used by the attackers and do something like this:

Code:
#!/bin/sh
# Collect attacker IPs from the web and auth logs, merge them with the
# previous list and reload the firewall with one DROP rule per address.

# $UID is a bash-ism and is unset under /bin/sh; ask id(1) instead.
[ "$(id -u)" -ne 0 ] && echo "You must be root to run this" && exit 1

dir=/root/bin

# These are two of the chains I normally see on my web server:
chain='phpmyadmin\|w00tw00t'

# Private temporary files instead of fixed, predictable names in /tmp
# (a fixed name lets any local user plant a symlink for root to clobber).
old=$(mktemp) || exit 1
new=$(mktemp) || exit 1
trap 'rm -f "$old" "$new"' EXIT

# Start from an empty list on the first run instead of failing on mv.
touch "$dir/iplist"
mv "$dir/iplist" "$old"

grep -h "$chain" /var/log/httpd/*access_log \
    | awk '{ print $1 }' | sort -u >"$new"

# "Invalid user NAME from IP": the address is the fifth field.
grep -o 'Invalid user .* from .*' /var/log/messages \
    | awk '{ print $5 }' | sort -u >>"$new"

# Merge, keeping only lines that look like an IPv4 address (this drops the
# empty lines as before, and anything else that must not reach iptables).
cat "$old" "$new" | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u >"$dir/iplist"

# Clean firewall rules
/etc/rc.d/rc.firewall restart >/dev/null

while read -r ip; do
    iptables -I INPUT -s "$ip" -j DROP
done <"$dir/iplist"

exit 0
And add a crontab entry.

It's not a solution but it will entertain you a bit.


Walter
 
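As an added example that is not any poster's code: the same log hunt as Walter's script, but with bonowax's threshold idea (ban a source only once it is seen in at least N failures) and unSpawn's ipset point (all offenders in one set matched by a single iptables rule instead of one DROP rule per address). The log excerpt, the set name sshblock and the threshold of 5 are constructed for the example; the script only prints the `ipset restore` input and never touches the firewall itself.

```shell
#!/bin/sh
# Added example (not from the thread). Count "Invalid user" sshd failures per
# source address, keep those at or above a threshold, and emit the input for
# `ipset restore` so the firewall needs a single rule:
#   iptables -I INPUT -m set --match-set sshblock src -j DROP

# Constructed sample of /var/log/messages lines (not real traffic); note the
# bogus address on the seventh line, which must never reach the firewall.
SAMPLE_LOG='Jun 13 08:01:02 host sshd[111]: Invalid user admin from 203.0.113.7
Jun 13 08:01:05 host sshd[112]: Invalid user oracle from 203.0.113.7
Jun 13 08:01:09 host sshd[113]: Invalid user test from 203.0.113.7
Jun 13 08:01:12 host sshd[114]: Invalid user guest from 203.0.113.7
Jun 13 08:01:15 host sshd[115]: Invalid user root from 203.0.113.7
Jun 13 08:02:00 host sshd[116]: Invalid user bob from 198.51.100.9
Jun 13 08:03:00 host sshd[117]: Invalid user x from 999.1.1.1
Jun 13 08:03:10 host sshd[118]: Accepted publickey for alice from 192.0.2.5 port 2222'

# offenders THRESHOLD  (log on stdin): one IPv4 per line, sorted, for every
# source with >= THRESHOLD "Invalid user" lines. Anything that is not four
# octets of 0-255 is discarded, so log text can never smuggle an argument
# into an ipset or iptables command.
offenders() {
    awk -v min="$1" '
        /Invalid user .* from / {
            ip = $0; sub(/.* from /, "", ip); sub(/ .*/, "", ip)
            if (split(ip, o, ".") != 4) next
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] > 255) ok = 0
            if (ok) n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print ip }' | sort
}

# ipset_restore SETNAME THRESHOLD (log on stdin): the create/add lines that
# `ipset restore` consumes; -exist makes the output safe to re-run from cron.
ipset_restore() {
    printf 'create %s hash:ip family inet -exist\n' "$1"
    offenders "$2" | while read -r ip; do
        printf 'add %s %s -exist\n' "$1" "$ip"
    done
}

# Stand-alone run: show what would be piped into `ipset restore`.
printf '%s\n' "$SAMPLE_LOG" | ipset_restore sshblock 5
```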
Old 06-15-2013, 05:45 PM   #31
guanx

Quote (Originally Posted by tronayne):
...
After running DenyHosts for a couple of years I took a look at where all the attempts were coming from (there were something on the order of 2,500 individual sites; there are a lot more now in my /etc/hosts.deny). Most of it was originating in China -- on the order of 1,800 attempts -- some from Russia, some from Bulgaria, some from Brazil, a few from Korea (both of them) and a bunch of US-based script kiddies.
...
According to Edward Snowden, I believe the attempts from China actually originate from the United States. The hosts in your deny list are Chinese zombies controlled by U.S. crackers. Because the U.S. has the most powerful military and the most advanced high-tech in the world, I agree it's a good idea to block off the U.S. crackers by blocking China.

When your enemy is China, nothing to fear; but when the U.S. lies behind, very dangerous!
 
  

