LinuxQuestions.org - Linux - Security
CentOS 5.5 - iptables keeps clearing (https://www.linuxquestions.org/questions/linux-security-4/centos-5-5-iptables-keeps-clearing-922296/)

markbad311 01-05-2012 06:52 PM

CentOS 5.5 - iptables keeps clearing
 
I had moved this from another forum... I should not have had it there, please forgive me for mis-labeling!

Version:

Linux version 2.6.18-028stab093.2 (root@rhel5-build-x64) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)) #1 SMP Tue Aug 23 16:27:58 MSD 2011
CentOS release 5.5 (Final)

I have root access on my VPS.

I keep adding rules to iptables, I save, and everything is good for a while. But without restarting, eventually it is cleared and I have no idea why! I am going to guide you through exactly what I am doing:

1) I log in to the VPS
2) List the iptable contents:
Code:

[root@server init.d]# iptables --list
Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

3) I add a few rules... I will keep this to three just for demo purposes:
Code:

[root@server init.d]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@server init.d]# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
[root@server init.d]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

4) Verify:
Code:

[root@server init.d]# iptables --list
Chain INPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

5) Save
Code:

[root@server init.d]# /sbin/service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

6) Restart the service:
Code:

[root@server init.d]# service iptables stop
Flushing firewall rules:                                  [  OK  ]
Setting chains to policy ACCEPT: mangle filter            [  OK  ]
Unloading iptables modules:                                [  OK  ]

[root@server init.d]# service iptables start
Flushing firewall rules:                                  [  OK  ]
Setting chains to policy ACCEPT: mangle filter            [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]

7) List all of the iptable rules:
Code:


[root@server init.d]# iptables --list
Chain INPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination



I wait about 10 minutes without doing ANYTHING to the server, not logging out of SSH, not restarting the container or anything.

Then I type "service iptables status" and there are NO RULES anymore?:
Code:

[root@server init.d]# service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination

Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Same thing if I invoke the "iptables --list" command:
Code:

[root@server init.d]# iptables --list
Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination



BUT if I go ahead and start the service again...
Code:

[root@server init.d]# service iptables start
Flushing firewall rules:                                  [  OK  ]
Setting chains to policy ACCEPT: mangle filter            [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]

and check the status..
Code:

[root@server init.d]# service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination

Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

what? nothing? why? try that again:

Code:

[root@server init.d]# service iptables start
Flushing firewall rules:                                  [  OK  ]
Setting chains to policy ACCEPT: mangle filter            [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]

Look at it with list, and then status:
Code:

[root@server init.d]# iptables --list
Chain INPUT (policy ACCEPT)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination
[root@server init.d]# service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination

Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination
1    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
2    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:22
3    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

[root@server init.d]# service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination

Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination
1    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
2    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:22
3    ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination


now... if I wait for a little while... POOF they are gone again! I know these things are stored in memory, is there some other service that can be restarting that could be clearing iptables -t filter?

This is on a web server, could I edit etc/init.d/httpd and add the line "service iptables start" somewhere to ensure if httpd restarts it restarts iptables too?

There has to be something actively clearing this out.

tallship 01-05-2012 07:07 PM

check your crontab for something like the following....

Code:

*/10 * * * * /sbin/iptables -F

This would actually be advisable anyway while testing firewall rules just in case you lock yourself out, but to have it in there once you release into production, etc., is going to produce the problem you have pointed out.

I like to disable selinux too, but that's prolly not the problem.

Question: Is this an OpenVZ VPS?

Lemme know I'm interested in following your issue.

I hope that helps :)

Kindest regards,


markbad311 01-05-2012 08:12 PM

No CronTabs set up right now... but yeah, I probably should do that while testing.

Code:

[root@server init.d]# crontab -l
no crontab for root

Not really sure how to determine if it is an OpenVZ VPS. I know it says something like "Parallels Virtuozzo Containers 4.0" and runs the "Parallels Power Panel".

The reason I am all over this iptables thing right now is I have been getting dozens of "brute force monitor" emails from Direct Admin's new brute force monitor (control panel for my web sites).

I have a script I am integrating in to direct admin to populate iptables when an IP address goes over 20 attempts in 24 hours. (and it is not my ip of course :) )

Does this help anyone any? I am baffled here.

tallship 01-05-2012 08:16 PM

Quote:

Originally Posted by markbad311 (Post 4567427)

This is on a web server, could I edit etc/init.d/httpd and add the line "service iptables start" somewhere to ensure if httpd restarts it restarts iptables too?

NO. Don't do that (but the answer to your question is yes, you could).

Your firewall should start long before any services like that.

Do some of the following so we can see just what your setup is:

Code:

# /etc/init.d/iptables stop
# chkconfig --list iptables
iptables 0:off  1:off  2:off  3:off  4:off  5:off  6:off
# chkconfig --level 345 iptables on
# chkconfig --list iptables
iptables 0:off  1:off  2:off  3:on    4:on    5:on    6:off
# service iptables start

Put all of your rules into the /etc/sysconfig/iptables file. This is the default and when you start your firewall with either 'service iptables start|stop|restart' or '/etc/init.d/iptables start|stop|restart', that's the file that is expected to contain your rules.

Again, don't start your firewall from /etc/init.d/httpd!!! - it has its own startup script at /etc/init.d/iptables ;)

You may also like to see what's going on in realtime (well, one second increments anyway) to see exactly when your firewall is getting hosed:

Code:

# watch -n1 netstat -tulpn

and

Code:

watch -n1 iptables -L

Personally, I'm not a fan of saving my netfilter tables. I like to know that my firewalls are starting from my script (/etc/sysconfig/iptables) and that it is exactly as that file specifies.

Since your firewall should start at boot right at the point where the network services are coming up (and obviously before SSHD or HTTPD), any changes you make or need to make will be reflected in the firewall script, not some saved configuration you may not be completely sure about - but that's just me.

As I mentioned before, I'm not a fan of selinux. It does have its uses at times, but I hardly ever use it and therefore completely disable it. selinux interferes with some things in weird ways, and you'll find that many install docs have you disable it before beginning your setups.

If you don't know that you need it, I recommend disabling it (Yes, some RH'ers will prolly flame me for that advice but many distros don't even include it because of these reasons).

A quick way to turn it off is below:

Code:

# setenforce 0
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

FYI: I haven't addressed IPv6 here ;)

I hope that helps :)

Kindest regards,


tallship 01-05-2012 08:49 PM

Quote:

Originally Posted by markbad311 (Post 4567487)
No CronTabs set up right now... but yeah, I probably should do that while testing.

Code:

[root@server init.d]# crontab -l
no crontab for root

Not really sure how to determine if it is a OpenVZ VPS. I know it says something like "Parallels Virtuozzo Containers 4.0" and runs the "Parallels Power Panel".

Okay. Yes, it's OpenVZ. Rather, it's the commercial version (Parallels).

I know what's going on now. You're fighting yourself :)

The Parallels power panel is where you should be inserting your firewall rules. Doing it directly on the CLI will get wiped as there are all kinds of automated monitors and safeguards built into your VPS.

So unless you disable that stuff, just use their control panel gui for your container and make your adjustments there. That includes cronjobs, etc.

What's happening is since the changes aren't being made via their control panel, they're getting wiped because they're not in that firewall app in the control panel - it's annoying, but for the purposes of having a point and click management tool it's a good thing, since, if someone were to do some weird things to your machine it would get reset (ergo, the source of your frustrations).


Quote:

Originally Posted by markbad311 (Post 4567487)
The reason I am all over this iptables thing right now is I have been getting dozens of "brute force monitor" emails from Direct Admin's new brute force monitor (control panel for my web sites).

Okay, put these two lines in (noting that port 22 is SSH by default unless you have changed it, so change that to whatever port your SSH daemon is listening on if you did change it).

Code:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 14495 --hitcount 8 --rttl --name SSH -j DROP

Most people put the seconds to 60, which rate limits it but heck, make it something like a big prime number because you have a console you can log into w/Parallels anyway if you lock yourself out from being able to ssh in and besides that, LOL, you prolly aren't going to mess up your login 8 times in a row ;)

This will make those brute force attacks *vanish* :)

Quote:

Originally Posted by markbad311 (Post 4567487)
I have a script I am integrating in to direct admin to populate iptables when and IP Address goes over 20 attempts in 24 hours. (and it is not my ip of course :) )

Excellent. But I'm a little bit meaner. I do it either forever or like I mentioned above, with a REALLY BIG PRIME number.

The reason being that certain intervals like 60 seconds, 5 minutes, 60 minutes, and 24 hours are easy for a prober to ascertain, and they'll get another 20 attempts, which in the case of a weak password might be able to get cracked in a year or two of you not even knowing it's still going on.

Call me paranoid, but if you do, call me secure ;)

One last thing, you might want to take a gander at my article on securing SSHD at my website below. It's pretty comprehensive as a guide to disable passwords completely and use encrypted keys instead, as well as changing the port that SSHD listens on.

Some people even run two SSH daemons, one which is on 22 and does nothing but waste the time of the scanners and one that is on an obscure port that you use.

All in all it sounds like you're taking security seriously, which is not only commendable, but will save you from a lot of tears and hard lessons other people just don't seem to ever learn.

Lemme know if this takes care of your problem okay?

Kindest regards,


markbad311 01-05-2012 10:14 PM

Quote:

Originally Posted by tallship (Post 4567506)
So unless you disable that stuff, just use their control panel gui for your container and make your adjustments there. That includes cronjobs, etc.

Let's hope I can, because I rarely can log in to the darned thing. I always have to login via my IP address, and it always resets my connection to my browser.

So, really... that is what I am now on the hunt for. How to disable their iptable "wiper" because frankly, I think iptables is more secure from what I read, and I can more easily script iptables from the brute force monitor using php or a cron job.

Code:

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 14495 --hitcount 8 --rttl --name SSH -j DROP

I guess the trick would be to get this in to their GUI rather than iptables right? At least until it is disabled.

Besides, I get goofy errors with some of the more complex rules:

Code:

[root@server ~]#iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables: Unknown error 4294967295

Quote:

Originally Posted by tallship (Post 4567506)
All in all it sounds like you're taking security seriously, which is not only commendable, but will save you from a lot of tears and hard lessons other people just don't seem to ever learn.

My plan is to build an easier to use, read, track, and block system off of direct admin's brute force monitor:
- Insert records in a mysql db automatically based on your brute force monitor's criteria for notifications
- Create rules on the fly, and rebuild the iptable nightly and restart the service
- send me an end of the week security report.
- send me a "high activity" sms alert anytime activity reaches a to be determined level.

I am also going to integrate the same system with my web request forms, so when I or clients get spammed, it gets added from a link in the email and that dude is done for.

I will keep you updated, have not found anything definitive yet.

markbad311 01-05-2012 11:10 PM

Using "watch -n1 iptables -L" I can determine every five minutes on the 3rd second my settings are getting wiped.

I looked closer at my crontab settings in /etc/
Code:

*/5 * * * * root /etc/init.d/apf stop >> /dev/null 2>&1

Commented that out and WAHLAA!

Here are the unique IP addresses and their rules for the last 15k hits
Code:

[root@server etc]# service iptables status
Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target    prot opt source              destination

Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Chain POSTROUTING (policy ACCEPT)
num  target    prot opt source              destination

Table: filter
Chain INPUT (policy ACCEPT)
num  target    prot opt source              destination
1    DROP      all  --  109.73.10.10        0.0.0.0/0
2    DROP      all  --  112.220.98.51        0.0.0.0/0
3    DROP      all  --  118.213.88.23        0.0.0.0/0
4    DROP      all  --  118.26.232.230      0.0.0.0/0
5    DROP      all  --  125.131.117.212      0.0.0.0/0
6    DROP      all  --  125.88.112.11        0.0.0.0/0
7    DROP      all  --  178.18.16.145        0.0.0.0/0
8    DROP      all  --  180.153.139.4        0.0.0.0/0
9    DROP      all  --  182.18.188.46        0.0.0.0/0
10  DROP      all  --  184.107.124.76      0.0.0.0/0
11  DROP      all  --  190.136.182.156      0.0.0.0/0
12  DROP      all  --  200.107.236.164      0.0.0.0/0
13  DROP      all  --  201.26.172.55        0.0.0.0/0
14  DROP      all  --  202.96.199.150      0.0.0.0/0
15  DROP      all  --  208.115.247.251      0.0.0.0/0
16  DROP      all  --  210.25.137.232      0.0.0.0/0
17  DROP      all  --  211.140.3.183        0.0.0.0/0
18  DROP      all  --  211.236.245.187      0.0.0.0/0
19  DROP      all  --  218.3.163.67        0.0.0.0/0
20  DROP      all  --  219.140.165.85      0.0.0.0/0
21  DROP      all  --  222.90.232.36        0.0.0.0/0
22  DROP      all  --  49.212.60.183        0.0.0.0/0
23  DROP      all  --  60.13.74.178        0.0.0.0/0
24  DROP      all  --  60.171.214.30        0.0.0.0/0
25  DROP      all  --  62.212.68.132        0.0.0.0/0
26  DROP      all  --  66.246.246.13        0.0.0.0/0
27  DROP      all  --  85.10.215.12        0.0.0.0/0
28  DROP      all  --  88.191.152.141      0.0.0.0/0
29  DROP      all  --  88.80.20.1          0.0.0.0/0
30  DROP      all  --  91.211.52.53        0.0.0.0/0
31  DROP      all  --  91.93.35.75          0.0.0.0/0
32  DROP      all  --  93.182.132.103      0.0.0.0/0
33  DROP      all  --  95.211.135.151      0.0.0.0/0
34  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:22
35  ACCEPT    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
num  target    prot opt source              destination

Now since we are on the subject... how can I make this list a little better? I will read the ssh stuff you have, Bradley, but I am sure there is some quick and dirty I can do... and unfortunately some of the stuff you sent me won't parse:

Code:

[root@server ~]#iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables: Unknown error 4294967295
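A timestamped version of the "watch -n1 iptables -L" check that found the wipe above, added here as an example (it is not code from the thread): it compares the saved ruleset with a live dump and prints the second at which rules go missing. Both texts are in iptables-save format, which is what /etc/sysconfig/iptables holds and what iptables-save prints for the live tables; the two sample dumps are constructed, and live_dump() needs root on a real box.

```python
"""Report when rules present in /etc/sysconfig/iptables vanish from the live tables.

Added example, not from the thread. Both inputs are iptables-save text
(the saved file and the output of `iptables-save`); the samples are constructed.
"""
import subprocess
import time

# Constructed: the three rules the thread saved, as iptables-save writes them.
SAVED_RULES = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

# Constructed: what a live dump looks like after something ran `iptables -F`.
LIVE_AFTER_WIPE = """\
*filter
:INPUT ACCEPT [812:65221]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [790:98112]
COMMIT
"""


def parse_rules(text):
    """Return {table: set of rule lines} from iptables-save text.

    The packet counters on ':CHAIN POLICY [pkts:bytes]' lines are stripped so a
    saved file and a live dump compare equal when the rules are the same.
    """
    tables = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, set())
        elif line == "COMMIT":
            current = None
        elif current is not None:
            if line.startswith(":"):
                line = " ".join(line.split()[:2])
            tables[current].add(line)
    return tables


def missing_rules(saved_text, live_text):
    """Rules in the saved file that the live tables no longer contain, per table."""
    saved, live = parse_rules(saved_text), parse_rules(live_text)
    gone = {}
    for table, rules in saved.items():
        diff = rules - live.get(table, set())
        if diff:
            gone[table] = sorted(diff)
    return gone


def live_dump():
    """Current kernel tables; needs root (not used by the constructed sample)."""
    return subprocess.run(["iptables-save"], check=True,
                          capture_output=True, text=True).stdout


def watch(saved_path="/etc/sysconfig/iptables", interval=1.0):
    """Poll once a second and print the moment rules disappear (and come back),
    so the timestamps can be lined up against cron, control-panel and other logs."""
    with open(saved_path) as fh:
        saved_text = fh.read()
    was_missing = False
    while True:
        gone = missing_rules(saved_text, live_dump())
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        if gone and not was_missing:
            for table, rules in gone.items():
                print(f"{stamp} {len(rules)} rule(s) gone from *{table}:")
                for rule in rules:
                    print("    " + rule)
        elif not gone and was_missing:
            print(f"{stamp} ruleset restored")
        was_missing = bool(gone)
        time.sleep(interval)


if __name__ == "__main__":
    watch()
```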


unSpawn 01-06-2012 06:26 AM

Quote:

Originally Posted by markbad311 (Post 4567581)
Code:

[root@server ~]#iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables: Unknown error 4294967295


The line looks good and IIRC the error is specific to VPS: a dom0 user has to load and then make available kernel modules first so best contact them and ask.

markbad311 01-06-2012 10:00 AM

Quote:

Originally Posted by unSpawn (Post 4567826)
The line looks good and IIRC the error is specific to VPS: a dom0 user has to load and then make available kernel modules first so best contact them and ask.


I sent my hosting provider a note about this and they said:

Quote:

Thank you for contacting our Technical Support Department.

I have consulted with our administrators on this matter. The reason for the error is that actually your command is not correct at all. Do note that you are on a VPS which is a virtual and not a real server. You are trying to set command for eth0 which is a physical network card and does not exist on a virtual server. In the VPS systems the virtual network cards are from the type venetXXX for example.

Let us know if we can do anything else for you.

Then I said to myself... damn, they are right, better check that out:

Code:

[root@server ~]# ifconfig -a
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:40 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3320 (3.2 KiB) TX bytes:3320 (3.2 KiB)

venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:20854 errors:0 dropped:0 overruns:0 frame:0
TX packets:21069 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2678331 (2.5 MiB) TX bytes:4453578 (4.2 MiB)

venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:216.65.1.90 P-t-P:216.65.1.90 Bcast:216.65.1.90 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

venet0:1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:209.25.134.76 P-t-P:209.25.134.76 Bcast:209.25.134.76 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

[root@server ~]#
[root@server ~]# iptables -A INPUT -i venet0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables: Unknown error 4294967295

Well, that didn't work, oh... wrong card.

Code:

[root@server ~]# iptables -A INPUT -i venet0:0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
Warning: wierd character in interface `venet0:0' (No aliases, :, ! or *).
iptables: Unknown error 4294967295

Well, maybe it is the last one...

Code:

[root@server ~]# iptables -A INPUT -i venet0:1 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
Warning: wierd character in interface `venet0:1' (No aliases, :, ! or *).
iptables: Unknown error 4294967295

hmm... stumped.

markbad311 01-06-2012 11:09 AM

I noticed someone talking about being on a "Castrated VPS" could that be my issue here? Is there any other way to add it?

unSpawn 01-06-2012 01:26 PM

I can see two things to try: either have a "-i lo -j ACCEPT" as first rule and in subsequent rules just don't list a real or virtual ethernet device name or use the main virtual device name "-i venet0" but specify the alias address, in your case "-i venet0 -s 216.65.1.90" or "-i venet0 -s 209.25.134.76". As for ethernet OpenVZ can be configured with a venet (Layer 3) or veth (Layer 2) virtual ethernet device (see http://wiki.openvz.org/) but that's something the Host Node user configures for a container and not something you can change from inside your VPS.

markbad311 01-06-2012 02:25 PM

Alright, I will keep messing around with this.

My initial reason to open this ticket is now resolved.

Does anyone want a free toy?

Here you go:

This piece of php code goes in to your /usr/local/directadmin/data/<username>/ directory. Edit it and give it your db name, userid, and password and it will grab your direct admin log file, and throw it in to that database:
Code:

#!/usr/local/bin/php
<?php
ini_set("display_errors", "1");
ini_set('max_execution_time', 0);
ini_set('max_input_time', 0);
set_time_limit(0);
error_reporting(E_ALL);

$sysHost = "localhost";
$sysDb = "yourdb";
$sysUser = "youdbuser";
$sysPw = "password";

$PATH_TO_LOG = "brute_log_entries.list";

$Conn = mysql_connect($sysHost, $sysUser, $sysPw) or die (mysql_error());
$db = mysql_select_db($sysDb, $Conn) or die (mysql_error());

//One row per log line, keyed by field name (ip, user, attempts, filter, log, time).
$arrSplitted = array();

if (($handle = fopen($PATH_TO_LOG, "r")) !== FALSE)
{
        while (!feof($handle))
        {
                $line_of_text = urldecode(fgets($handle));

                //Skip blank lines and lines that do not carry the brute force fields.
                if ($line_of_text == "" || strpos($line_of_text, "attempts=") === FALSE)
                        continue;

                //Keep everything from "attempts=" on and split the key=value pairs.
                $arr = explode('&', str_replace("\n", "", strstr($line_of_text, "attempts=")));
                $row = array();

                for($i=0; $i<count($arr);$i++)
                {
                        //Limit to two parts so a value that itself contains "=" survives intact.
                        $tmpArr = explode("=", $arr[$i], 2);

                        if(isset($tmpArr[0]) && isset($tmpArr[1]))
                                $row[$tmpArr[0]] = $tmpArr[1];
                        elseif(isset($tmpArr[0]))
                                $row[$tmpArr[0]] = '';
                }#End field loop

                $arrSplitted[] = $row;
        }#End While
        fclose($handle);

        //Create the table these records will be inserted in to, use if not exists so it won't keep doing it.
        $CreateTable = "CREATE TABLE IF NOT EXISTS `dynamiciptables` (
                                          `id` bigint(20) NOT NULL auto_increment,
                                          `ip` varchar(50) NULL,
                                          `user` varchar(50) NULL,
                                          `attempts` int(11) NULL,
                                          `filter` varchar(100) NULL,
                                          `log` text NULL,
                                          `time` int NULL,
                                          PRIMARY KEY  (`id`),
                                          KEY `ip` (`ip`,`user`),
                                          KEY `user` (`user`)
                                        ) ENGINE=InnoDB DEFAULT CHARSET=utf8 AUTO_INCREMENT=1;";
        mysql_query($CreateTable, $Conn) or die(mysql_error());

        //If it is already created, lets nix the contents and insert a fresh copy of the log.
        mysql_query("TRUNCATE TABLE `dynamiciptables`", $Conn) or die(mysql_error());

        $insertHead = 'INSERT INTO `dynamiciptables`(`ip`, `user`, `attempts`, `filter`, `log`, `time`) VALUES ';
        $values = array();
        $totalInserts = 0;

        foreach ($arrSplitted as $row)
        {
                $values[] = "('".sanitize(field($row, "ip"))."', '".sanitize(field($row, "user"))."', '".sanitize(field($row, "attempts"))."', '".sanitize(field($row, "filter"))."', '".sanitize(field($row, "log"))."', '".sanitize(field($row, "time"))."')";

                if(count($values) >= 20) #Every 20 lets insert
                {
                        $totalInserts += flushRows($insertHead, $values, $Conn);
                        $values = array();
                }
        }

        //Insert whatever is left over; without this the last partial batch never reaches the table.
        if(count($values) > 0)
                $totalInserts += flushRows($insertHead, $values, $Conn);

        echo  'A total of '. $totalInserts . ' records have been added to the "dynamiciptables" table.';
}
else
{
        echo 'Did not open file';
}

//Run one multi-row INSERT and return how many rows it carried.
function flushRows($insertHead, $values, $Conn)
{
        $sql = $insertHead . implode(", ", $values) . ';';
        mysql_query($sql, $Conn) or die("<strong>SQL</strong>: " . $sql . "<br/><br/><strong>Error</strong>:" . mysql_error());
        return count($values);
}

//Return a field from a parsed row, or '' when the log line did not carry it.
function field($row, $name)
{
        return isset($row[$name]) ? $row[$name] : '';
}

function sanitize($input)
{
        if(get_magic_quotes_gpc())
                $input = stripslashes($input);

        //I found some instances of html being in the logs (check against FALSE so a "<" at position 0 is caught too).
        if(strpos($input,"<") !== FALSE || strpos($input,">") !== FALSE)
                $input = str_replace("<","&lt;",str_replace(">","&gt;",$input));

        return(mysql_real_escape_string($input));
}

?>

Then we add another file... this file will look at that database, and grab all of the offending ip addresses, and create iptable rules:

Code:

#!/usr/local/bin/php
<?php
ini_set("display_errors", "1");
ini_set('max_execution_time', 0);
ini_set('max_input_time', 0);
set_time_limit(0);
error_reporting(E_ALL);

//LOCAL CODE
$sysHost = "localhost";
$sysDb = "database";
$sysUser = "databaseuser";
$sysPw = "password";

LogError("Logged in as: " . system('whoami'), '', true);

//List IP Tables
LogError(system("iptables -L"), '', true);

//You can add many ips NOT to block here... this is mine, I would hate to get locked out!
$myIP = "'174.100.237.160'";
$conn = mysql_connect($sysHost, $sysUser, $sysPw, true) or die (LogError("writeiptables #25: ". mysql_error(), "DB Connect", false));
$db = mysql_select_db($sysDb, $conn) or die (LogError("writeiptables #26: ". mysql_error(), "DB Select", false));

$sql = "SELECT DISTINCT ip FROM dynamiciptables WHERE ip NOT IN (".$myIP.") GROUP BY ip";
$result = mysql_query($sql, $conn) or die (LogError("writeiptables #29: ". mysql_error(), $sql, false));

if(mysql_num_rows($result) > 0)
{
        //Flush IP Tables
        LogError(system("iptables -F"), '', true);
        //Stop the service (from here until "start" below the box runs on the ACCEPT policies alone)
        LogError(system("service iptables stop"), '', true);

        while($dv = mysql_fetch_array($result))
        {
                //The ip column holds text taken from the log, so only a plain dotted quad may reach the shell.
                if(!isValidIPv4($dv['ip']))
                {
                        LogError("Skipping malformed ip value: " . $dv['ip'], '', true);
                        continue;
                }
                LogError(system("iptables -A INPUT -s " . escapeshellarg($dv['ip']) . " -j DROP"), '', true);
        }

        //a few more rules
        LogError(system("iptables -A INPUT -p tcp --dport ssh -j ACCEPT"), '', true);
        LogError(system("iptables -A INPUT -p tcp --dport 80 -j ACCEPT"), '', true);

        //Save
        LogError(system("/sbin/service iptables save"), '', true);
        //Start
        LogError(system("service iptables start"), '', true);
        //Check Status
        LogError(system("service iptables status"), '', true);
}

//True for a dotted quad with every octet in 0-255 (no dependency on filter_var, which older PHP builds lack).
function isValidIPv4($ip)
{
        if(!preg_match('/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/', $ip, $m))
                return false;
        for($i = 1; $i <= 4; $i++)
                if((int)$m[$i] > 255)
                        return false;
        return true;
}

//This is an error handling function that I stripped out to just alert things to the console
function LogError($error, $sqlSys, $blnLog)
{
        echo $error . "\r\n";
}

LogError("\r\nScript Complete", '', true);
?>


Works perfectly on my production box. Use at your own risk! But let me know if you used it!
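The same pipeline as the two PHP scripts above (read the brute force log, pick the addresses over the 20-attempts-in-24-hours threshold, emit DROP rules), written as an added Python example rather than the poster's code. It assumes the log lines are URL-encoded key=value pairs carrying the fields the PHP reads (attempts, ip, user, filter, log, time); the sample lines and the "current" timestamp are constructed. Only a validated dotted quad ever reaches the rule text, and the result is an iptables-restore file for /etc/sysconfig/iptables, the place tallship recommended keeping the rules, rather than a stop/add/save/start cycle.

```python
"""Turn a DirectAdmin brute-force log into an iptables-restore ruleset.

Added example, not the thread's PHP. Assumed log format: one entry per line,
URL-encoded key=value pairs joined by '&' with the fields the PHP script reads
(attempts, ip, user, filter, log, time). All sample data is constructed.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample log (documentation addresses; one deliberately malformed ip).
SAMPLE_LOG = """\
attempts=25&ip=203.0.113.10&user=root&filter=ssh&log=Failed%20password%20for%20root&time=1325800000
attempts=3&ip=203.0.113.11&user=admin&filter=ssh&log=Failed%20password&time=1325800100
attempts=15&ip=198.51.100.7&user=anonymous&filter=ftp&log=530%20Login%20incorrect&time=1325790000
attempts=10&ip=198.51.100.7&user=root&filter=ssh&log=Failed%20password&time=1325800200
attempts=40&ip=198.51.100.8&user=root&filter=ssh&log=Failed%20password&time=1325700000
attempts=22&ip=203.0.113.10%20extra&user=root&filter=ssh&log=garbage&time=1325800300
attempts=30&ip=192.0.2.99&user=root&filter=ssh&log=Failed%20password&time=1325805000
"""
NOW = 1325810000  # constructed "current" unix time for the sample


def parse_entries(text):
    """One dict per log line; attempts and time become ints.
    Each value is decoded on its own, so a '&' or '=' inside the log text
    cannot shift the fields (decoding the whole line first can)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "attempts=" not in line:
            continue
        fields = dict(parse_qsl(line, keep_blank_values=True))
        try:
            fields["attempts"] = int(fields.get("attempts", "0"))
            fields["time"] = int(fields.get("time", "0"))
        except ValueError:
            continue
        entries.append(fields)
    return entries


def valid_ipv4(value):
    """True only for a plain dotted quad; anything else never reaches the rule text."""
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def offenders(entries, now, threshold=20, window=24 * 3600, allow=()):
    """Addresses with more than `threshold` attempts inside the last `window`
    seconds, minus the allow-list (your own address, like $myIP in the PHP)."""
    totals = defaultdict(int)
    for entry in entries:
        ip = entry.get("ip", "")
        if not valid_ipv4(ip) or now - entry["time"] > window:
            continue
        totals[ip] += entry["attempts"]
    return sorted(ip for ip, count in totals.items()
                  if count > threshold and ip not in allow)


def render_ruleset(blocked, admin_ip=None):
    """iptables-restore text for /etc/sysconfig/iptables: loopback and the
    admin address first, then the DROP list, then the thread's ACCEPT rules."""
    lines = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]",
             ":OUTPUT ACCEPT [0:0]", "-A INPUT -i lo -j ACCEPT"]
    if admin_ip:
        lines.append(f"-A INPUT -s {admin_ip} -j ACCEPT")
    lines.append("-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
    lines += [f"-A INPUT -s {ip} -j DROP" for ip in blocked]
    lines += ["-A INPUT -p tcp --dport 22 -j ACCEPT",
              "-A INPUT -p tcp --dport 80 -j ACCEPT", "COMMIT", ""]
    return "\n".join(lines)


def build(log_text, now, admin_ip):
    """Full pipeline; returns (blocked addresses, ruleset text)."""
    blocked = offenders(parse_entries(log_text), now, allow=(admin_ip,))
    return blocked, render_ruleset(blocked, admin_ip)


if __name__ == "__main__":
    # Review the output, then either `iptables-restore < out.rules` or save it
    # as /etc/sysconfig/iptables and run `service iptables restart`.
    blocked, text = build(SAMPLE_LOG, NOW, admin_ip="192.0.2.99")
    print(text)
```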

MighteR8 01-07-2012 04:39 AM

Run following command from root directory: [MODERATED]

druuna 01-07-2012 04:43 AM

Quote:

Originally Posted by MighteR8 (Post 4568656)
Run following command from root directory: [MODERATED]

Don't post BS like this! REPORTED

tallship 01-12-2012 07:59 PM

Oh hey Mark :)

Sorry I was gone for a few days, but it looks like unspawn managed to point you in the right direction :)

I may have a couple of solutions for you too if you want to contact me offlist at my email below.

Kindest regards,


