Automatically block "banned" IPs

NotionCommotion · 10-24-2014, 12:14 PM

I've had thousands of attempted breakins from a couple of IPs. When I investigate the IP, I see they are definitely on the naughty list.

It looks like I can block them using:

Code:

/sbin/iptables -A INPUT -s BAN-IP-ADDRESS -j DROP
/sbin/iptables -A INPUT -s BAN-IP-ADDRESS/MASK -j DROP

PS. What is the "MASK" part all about?

Yes, I know if my server is perfectly configured, I probably don't have anything to worry about. Try as I might, I am concerned that maybe I didn't do something perfect.

PS. Is there an online service that I can have interrogate my IP and look for holes?

So, instead of waiting for thousands of attempted breakins, am I able to subscribe to some service which automatically adds IPs that have been previously known to be malicious? I am not worried about accidentally blocking good guys as the server is only accessed by me (I don't wish to whitelist as I often access the server remotely from different IPs).

Thank you

suicidaleggroll · 10-24-2014, 12:34 PM

While I don't know of any global list you could use, have you looked into denyhosts? It monitors your /var/log/messages or /var/log/secure log files for failed access attempts and adds them to hosts.deny automatically. You can configure it to be a permanent ban, a temporary ban that lasts for N days, you can configure the number of failed attempts in a given amount of time for the IP to be banned, and it can treat root login attempts and user login attempts differently as well.

I run it on my home server, and over the last ~3 months (since I re-installed the OS) it's already added over 300 IPs to the ban list. I'll paste them below if you're interested.

One of the nice things about how it works is that if it adds an IP by mistake, all you have to do is put that IP in hosts.allow to whitelist it.

Code:

ALL: 112.96.28.187
ALL: 62.109.29.246
ALL: 222.191.249.132
ALL: 69.22.167.61
ALL: 61.142.106.34
ALL: 61.55.156.196
ALL: 95.84.174.97
ALL: 79.165.2.178
ALL: 192.99.143.239
ALL: 61.174.49.105
ALL: 192.99.143.232
ALL: 177.228.152.66
ALL: 63.233.93.166
ALL: 212.83.150.195
ALL: 177.39.121.236
ALL: 50.199.193.81
ALL: 188.32.82.237
ALL: 37.204.101.34
ALL: 188.255.50.77
ALL: 37.204.61.0
ALL: 166.148.191.64
ALL: 124.82.150.45
ALL: 176.51.67.232
ALL: 218.200.11.142
ALL: 46.48.125.158
ALL: 82.221.109.194
ALL: 176.51.66.192
ALL: 212.164.133.245
ALL: 37.110.119.188
ALL: 196.218.10.178
ALL: 188.255.21.230
ALL: 37.204.116.250
ALL: 172.250.135.221
ALL: 37.110.84.204
ALL: 23.24.28.219
ALL: 5.228.97.53
ALL: 50.246.137.93
ALL: 75.151.143.45
ALL: 24.74.34.145
ALL: 92.255.255.237
ALL: 67.60.234.250
ALL: 37.204.215.254
ALL: 189.193.101.63
ALL: 37.110.29.128
ALL: 64.250.239.62
ALL: 178.140.98.46
ALL: 173.210.37.154
ALL: 209.152.112.32
ALL: 92.127.234.227
ALL: 5.228.225.226
ALL: 173.252.131.5
ALL: 103.11.117.122
ALL: 5.228.221.129
ALL: 63.96.63.234
ALL: 63.147.221.214
ALL: 37.110.131.26
ALL: 87.245.176.250
ALL: 37.204.192.194
ALL: 100.34.40.26
ALL: 188.32.178.204
ALL: 5.228.90.25
ALL: 94.231.125.77
ALL: 218.111.245.17
ALL: 199.217.113.211
ALL: 94.102.63.27
ALL: 61.234.104.167
ALL: 202.146.213.7
ALL: 76.92.216.75
ALL: 77.245.77.230
ALL: 144.0.0.34
ALL: 27.126.156.2
ALL: 144.0.0.21
ALL: 212.115.255.26
ALL: 120.83.3.88
ALL: 128.6.226.98
ALL: 117.79.91.244
ALL: 67.209.226.3
ALL: 212.129.12.75
ALL: 61.147.80.27
ALL: 61.178.136.194
ALL: 203.110.169.43
ALL: 187.63.226.82
ALL: 75.146.233.17
ALL: 108.166.172.133
ALL: 82.221.106.233
ALL: 222.255.174.28
ALL: 114.251.203.101
ALL: 144.0.0.27
ALL: 200.75.106.70
ALL: 5.39.222.144
ALL: 191.234.138.29
ALL: 218.59.209.136
ALL: 202.202.113.159
ALL: 61.167.49.132
ALL: 61.167.49.139
ALL: 58.241.61.162
ALL: 61.167.49.140
ALL: 42.62.17.250
ALL: 101.251.238.61
ALL: 106.185.38.178
ALL: 122.228.207.244
ALL: 61.167.49.141
ALL: 222.163.192.151
ALL: 216.53.210.153
ALL: 122.226.95.158
ALL: 31.199.3.187
ALL: 222.198.125.161
ALL: 61.167.49.144
ALL: 113.17.171.80
ALL: 23.102.172.42
ALL: 219.138.135.70
ALL: 198.1.132.2
ALL: 113.107.233.142
ALL: 61.133.211.118
ALL: 61.167.49.137
ALL: 144.0.0.24
ALL: 211.143.11.123
ALL: 103.255.147.18
ALL: 222.163.192.163
ALL: 115.115.79.152
ALL: 107.170.34.210
ALL: 61.153.104.130
ALL: 61.167.49.143
ALL: 98.126.171.154
ALL: 193.107.17.72
ALL: 222.186.21.38
ALL: 125.65.245.146
ALL: 139.0.12.151
ALL: 61.153.110.181
ALL: 104.131.196.219
ALL: 61.174.51.221
ALL: 222.255.174.14
ALL: 119.147.251.150
ALL: 61.174.51.213
ALL: 27.131.209.164
ALL: 116.10.191.231
ALL: 122.70.133.245
ALL: 64.76.58.153
ALL: 122.225.109.98
ALL: 61.234.146.22
ALL: 162.209.124.231
ALL: 116.10.191.165
ALL: 116.10.191.170
ALL: 60.173.9.39
ALL: 122.225.109.113
ALL: 116.10.191.183
ALL: 219.138.135.63
ALL: 61.167.49.142
ALL: 94.236.193.244
ALL: 116.10.191.173
ALL: 116.10.191.180
ALL: 116.10.191.175
ALL: 116.10.191.167
ALL: 116.10.191.182
ALL: 162.105.13.159
ALL: 213.243.56.252
ALL: 68.68.2.206
ALL: 119.15.156.221
ALL: 116.10.191.179
ALL: 61.143.236.193
ALL: 68.178.154.216
ALL: 116.10.191.186
ALL: 144.0.0.33
ALL: 116.10.191.171
ALL: 1.93.26.15
ALL: 68.68.9.247
ALL: 70.38.11.200
ALL: 65.126.16.92
ALL: 219.138.135.64
ALL: 81.169.231.223
ALL: 106.187.34.181
ALL: 116.10.191.163
ALL: 61.152.108.18
ALL: 166.111.35.136
ALL: 216.246.53.241
ALL: 144.0.0.62
ALL: 116.10.191.169
ALL: 162.144.106.241
ALL: 192.3.160.77
ALL: 46.31.162.154
ALL: 116.10.191.236
ALL: 123.111.128.211
ALL: 104.128.186.139
ALL: 175.22.14.71
ALL: 144.0.0.65
ALL: 222.186.25.36
ALL: 210.70.143.1
ALL: 219.138.135.56
ALL: 1.93.25.234
ALL: 60.190.71.52
ALL: 65.181.118.16
ALL: 64.191.136.155
ALL: 183.136.214.247
ALL: 113.247.227.28
ALL: 46.21.206.166
ALL: 144.0.0.25
ALL: 46.21.205.66
ALL: 64.212.77.14
ALL: 189.203.240.90
ALL: 210.66.73.143
ALL: 144.0.0.44
ALL: 202.104.122.81
ALL: 182.18.166.137
ALL: 222.163.192.148
ALL: 59.173.18.45
ALL: 212.7.212.23
ALL: 211.154.213.117
ALL: 61.147.80.6
ALL: 192.69.94.98
ALL: 62.109.29.157
ALL: 144.76.47.114
ALL: 100.4.166.152
ALL: 187.189.129.94
ALL: 61.153.96.2
ALL: 200.186.145.218
ALL: 75.148.216.82
ALL: 61.144.43.235
ALL: 123.127.36.162
ALL: 189.14.233.2
ALL: 124.90.231.248
ALL: 66.147.241.105
ALL: 49.156.19.68
ALL: 122.228.207.76
ALL: 144.0.0.49
ALL: 96.119.0.246
ALL: 115.115.70.67
ALL: 222.186.52.3
ALL: 221.131.71.123
ALL: 144.0.0.70
ALL: 146.148.46.1
ALL: 58.18.172.171
ALL: 5.45.74.4
ALL: 144.0.0.48
ALL: 193.107.16.206
ALL: 61.138.14.202
ALL: 219.138.135.60
ALL: 202.129.16.27
ALL: 97.89.236.38
ALL: 222.122.30.51
ALL: 119.147.214.35
ALL: 61.174.50.225
ALL: 61.182.170.38
ALL: 122.225.109.124
ALL: 91.240.163.39
ALL: 60.211.213.66
ALL: 61.174.50.172
ALL: 133.242.235.89
ALL: 218.2.0.132
ALL: 198.71.58.200
ALL: 61.174.50.244
ALL: 211.138.30.174
ALL: 113.200.114.230
ALL: 123.24.207.181
ALL: 218.106.254.121
ALL: 117.27.158.78
ALL: 122.225.103.74
ALL: 103.248.81.70
ALL: 222.219.187.9
ALL: 144.0.0.23
ALL: 117.27.158.72
ALL: 218.2.0.133
ALL: 171.92.208.28
ALL: 61.174.50.229
ALL: 117.27.158.89
ALL: 218.2.0.123
ALL: 129.121.177.191
ALL: 117.27.158.91
ALL: 8.27.190.14
ALL: 122.225.103.73
ALL: 117.27.249.29
ALL: 122.225.109.121
ALL: 210.245.88.32
ALL: 209.239.114.179
ALL: 61.174.50.251
ALL: 218.2.0.126
ALL: 114.4.68.100
ALL: 115.47.60.17
ALL: 218.2.0.127
ALL: 177.96.217.46
ALL: 190.115.3.2
ALL: 61.166.189.69
ALL: 218.2.0.130
ALL: 212.83.182.76
ALL: 113.200.188.55
ALL: 61.183.1.8
ALL: 122.225.109.126
ALL: 222.186.58.205
ALL: 61.174.50.249
ALL: 95.85.31.132
ALL: 195.154.77.176
ALL: 184.171.240.227
ALL: 194.84.36.79
ALL: 212.129.11.254
ALL: 89.248.168.64
ALL: 95.163.73.179
ALL: 222.187.220.246
ALL: 177.86.34.12
ALL: 94.19.131.118
ALL: 187.174.116.250
ALL: 123.57.16.1
ALL: 122.193.91.124
ALL: 69.56.221.26
ALL: 62.210.140.164
ALL: 190.123.197.151
ALL: 5.255.86.28
ALL: 72.9.100.130
ALL: 1.93.32.251
ALL: 203.147.88.202
ALL: 213.186.120.4
ALL: 77.245.151.225
ALL: 221.6.233.62
ALL: 58.120.96.236
ALL: 218.155.67.124
ALL: 192.126.120.7
ALL: 162.221.227.101
ALL: 209.126.106.212
ALL: 195.190.82.96
ALL: 109.163.239.207
ALL: 212.129.12.74
ALL: 222.77.96.144
ALL: 196.200.169.50
ALL: 111.68.20.201
ALL: 212.129.49.63
ALL: 31.193.192.222
ALL: 115.146.122.183
ALL: 124.95.165.186
ALL: 93.174.95.41
ALL: 80.82.64.177
ALL: 183.61.183.115
ALL: 61.147.81.213
ALL: 123.57.28.1
ALL: 182.71.107.198
ALL: 192.126.120.74
ALL: 5.231.208.243
ALL: 210.64.103.27
ALL: 113.107.233.165
ALL: 212.176.237.194
ALL: 199.180.115.87
ALL: 182.163.225.55
ALL: 1.93.32.234

Every once in a while I'll get bored and start investigating some of them. So far they all seem to be from Russia or China. Probably some 13 year old idiot wannabe "hackers" running a pre-canned script to try and brute-force root access via ssh.

haertig · 10-24-2014, 01:01 PM

I do this with a script I wrote, probably over a decade ago.

Here's a link to one place here on LQ.org where I mentioned the script (back in 2006) and posted the detailed code:

http://www.linuxquestions.org/questi...6/#post2290296

Habitual · 10-24-2014, 01:41 PM

Quote:

Originally Posted by NotionCommotion

So, instead of waiting for thousands of attempted breakins...

fail2ban out of the box inhibits these abuses.

jefro · 10-24-2014, 03:04 PM

mask = subnet mask? Pretty sure maybe, think so.

propofol · 10-24-2014, 03:44 PM

I also found denyhosts very useful. One additional measure is to use a non standard port for ssh. You could just forward a different port (say 1234) on your router to port 22 on the PC. This makes /etc/hosts.deny a bit shorter.

NotionCommotion · 10-24-2014, 03:51 PM

Thanks all,

Looks like denyhosts just protects again ssh (which is probably most important) while fail2ban is more wide reaching (and probably more complicated). Still undecided on which one to use. Thoughts?

In regards to "mask", the example I posted come from http://www.cyberciti.biz/faq/linux-h...inst-iptables/

suicidaleggroll · 10-24-2014, 04:14 PM

Quote:

Originally Posted by NotionCommotion

Looks like denyhosts just protects again ssh

Well yes and no. It only triggers on failed ssh attempts, but once the IP is added to hosts.deny it will be blocked for all services.

unSpawn · 10-24-2014, 04:54 PM

Quote:

Originally Posted by suicidaleggroll

once the IP is added to hosts.deny it will be blocked for all services.

...note this only works for services that are compiled with libwrap. Also see this and this.

Quote:

Originally Posted by NotionCommotion

fail2ban is more wide reaching (and probably more complicated).

That's a misconception. Fail2ban comes with default filters for over 60 services, works with minimal configuration, works at the network level and can use ipset (meaning you only need one iptables rule!).

NotionCommotion · 10-24-2014, 05:11 PM

Quote:

Originally Posted by unSpawn

That's a misconception.

I take this to mean you recommend I strongly consider Fail2ban. Thank you

unSpawn · 10-24-2014, 06:59 PM

Well it's in not difficult to use.

NotionCommotion · 10-24-2014, 07:12 PM

Quote:

Originally Posted by unSpawn

Well it's in not difficult to use.

Okay.

But would you recommend it for an amateur server guy who has a linux server for web development purposes only which is located on his LAN along with his family's various apple/windows/tv clients?

unSpawn · 10-24-2014, 07:34 PM

Sure. Just check which services you expose to the outside world (asserting your LAN clients are all wellbehaved netizens).