LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-24-2022, 02:03 PM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Rep: Reputation: 177
iptables not blocking IP


I have a person/bot persistently trying to break into a website. For example, today:
Code:
COLS8: 2022-01-24 12:53:42 5.188.62.214 userId: [cnadmin] Member not found. Login Fail
COLS8: 2022-01-24 12:53:49 5.188.62.214 userId: [admin] Member not found. Login Fail
It probably is a bot because I have 34 attempted logins over the past 3 days using the same invalid login id, all attempts occurring in pairs with the two IDs. I would hope a human would be smart enough to try something different.

Anyway, I believe I've blocked this IP with iptables, but the attempts keep coming in. I'm trying to figure out what I've done wrong with my iptables config. I have:
Code:
Chain INPUT (policy DROP 4081 packets, 195K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    3162K  181M ACCEPT     tcp  --  eth0   *       184.57.60.212        0.0.0.0/0            tcp dpt:12345
2    2067K  880M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    13667  818K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4       15   872 checkcount  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 flags:0x17/0x02
5       15   872 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:12345 flags:0x17/0x02 limit: avg 1/sec burst 3
6    26649 1487K ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 multiport dports 21,25,80,587,443,5900

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 71352 packets, 13M bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain bad_people (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       all  --  *      *       5.188.62.0/24        0.0.0.0/0           
2        0     0 DROP       all  --  *      *       193.56.0.0/16        0.0.0.0/0           
3        0     0 DROP       all  --  *      *       173.211.0.0/16       0.0.0.0/0           
4        0     0 DROP       all  --  *      *       138.199.0.0/16       0.0.0.0/0           
:
:

Chain checkcount (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       15   872            all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: SET name: DEFAULT side: source mask: 255.255.255.255
2        0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            recent: CHECK hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
3       15   872 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logdrop (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SSH Break-in attempt "
2        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
The offending IP is rule 1 in the bad_people chain: 5.188.62.0/24. The rule says to DROP all, in and out to any interface:
Code:
iptables -I bad_people -s 5.188.62.0/24 -j DROP
Can anyone see any problem, perhaps with other rules, that would cause this IP to be let through despite the rule?

Last edited by mfoley; 01-25-2022 at 07:05 AM.
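The paired-failure pattern mfoley describes can be picked out of the application log automatically rather than by eye. The script below is an added example (not code from the thread): it parses lines in the `COLS8: ... Login Fail` format quoted above, counts failures per source address inside a sliding window, and emits an iptables command in the thread's own `-I bad_people -s ... -j DROP` style for any source over the threshold. The sample log, the second address (192.0.2.10, a documentation range), the `Login OK` line, the threshold and the window are all constructed assumptions.

```python
"""Flag brute-force sources in an application log and generate block rules.

Added example, not from the thread.  The log lines below are constructed in
the format mfoley quotes; the threshold, window and chain name are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^COLS8: (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) userId: \[(?P<user>[^\]]*)\] .*Login Fail$"
)

# Constructed sample: the bot's paired attempts every couple of hours, plus one
# genuine typo and one success from a legitimate address (192.0.2.10 is RFC 5737
# documentation space; the "Login OK" line is an assumed success format).
SAMPLE_LOG = """\
COLS8: 2022-01-24 08:01:10 5.188.62.214 userId: [cnadmin] Member not found. Login Fail
COLS8: 2022-01-24 08:01:17 5.188.62.214 userId: [admin] Member not found. Login Fail
COLS8: 2022-01-24 10:12:03 5.188.62.214 userId: [cnadmin] Member not found. Login Fail
COLS8: 2022-01-24 10:12:09 5.188.62.214 userId: [admin] Member not found. Login Fail
COLS8: 2022-01-24 11:30:44 192.0.2.10 userId: [mfoely] Member not found. Login Fail
COLS8: 2022-01-24 11:31:02 192.0.2.10 userId: [mfoley] Login OK
COLS8: 2022-01-24 12:53:42 5.188.62.214 userId: [cnadmin] Member not found. Login Fail
COLS8: 2022-01-24 12:53:49 5.188.62.214 userId: [admin] Member not found. Login Fail
"""


def parse_line(line):
    """Return (timestamp, ip, user) for a failed login, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]


def offenders(lines, threshold=5, window=timedelta(days=3)):
    """Map ip -> sorted user IDs tried, for sources with >= threshold failures
    inside any `window`.  Lines are assumed to be in time order, as a log is."""
    recent = defaultdict(deque)      # ip -> failure timestamps still in window
    users = defaultdict(set)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        users[ip].add(user)
        if len(q) >= threshold:
            flagged[ip] = sorted(users[ip])
    return flagged


def ban_commands(flagged, chain="bad_people"):
    """One iptables command per offender, in the style used in the thread."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = offenders(SAMPLE_LOG.splitlines())
    for ip, tried in hits.items():
        print(f"{ip}: {len(tried)} user IDs tried: {', '.join(tried)}")
    print("\n".join(ban_commands(hits)))
```

The generated command only bites once the `bad_people` chain is actually reached from `INPUT`, which is the real subject of the rest of the thread; a rule in an unreferenced chain never sees a packet.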
 
Old 01-25-2022, 07:10 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,258
Blog Entries: 3

Rep: Reputation: 3713
What is the output from iptables-save? That would be easier to read, but it looks like the packets are not reaching that chain from the INPUT chain.
 
1 member found this post helpful.
Old 01-25-2022, 03:57 PM   #3
PROBLEMCHYLD
Senior Member
 
Registered: Apr 2015
Posts: 1,201

Rep: Reputation: Disabled
I'm not sure if this will help but I have a DROP all policy and DROP at the end of the rules. As you can see in my screenshot, certain things will slip through.

Last edited by PROBLEMCHYLD; 03-15-2022 at 05:46 PM.
 
Old 01-26-2022, 11:26 AM   #4
KiaraKiwa
LQ Newbie
 
Registered: Jan 2022
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by mfoley
Can anyone see any problem, perhaps with other rules, that would cause this IP to be let through despite the rule?
It keeps on changing. Maybe impossible to flag spam or?
 
Old 01-26-2022, 11:51 AM   #5
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,258
Blog Entries: 24

Rep: Reputation: 4193
As Turbo points out, no packets are being sent to the bad_people chain so they are never being matched.

Try adding a rule at top of the INPUT chain which sends everything to bad_people ( -j bad_people ). You may also want to add an explicit RETURN at the bottom of bad_people so that you will get a count of all non-matching packets, but those will return by default.

But you will likely find that that list grows without bound and cannot be managed very well if the machine is internet facing. If that turns out to be the case you may need to consider another approach to the problem.
 
1 member found this post helpful.
Old 01-27-2022, 03:13 PM   #6
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,539

Original Poster
Rep: Reputation: 177
Quote:
Originally Posted by astrogeek
As Turbo points out, no packets are being sent to the bad_people chain so they are never being matched.
I believe I've got this fixed. I compared this computer's iptables with others upon which it was based and added the following commands:
Code:
    iptables -A INPUT -i eth0 -j bad_people
    iptables -A FORWARD -i eth0 -j bad_people
I believe this is what you and Turbocapitalist were suggesting. I monitored attempts with
Code:
tcpdump -tttt -l -Q in src 5.188.62.214
and have recorded 18 attempted connections in the past 16 hours, but no failed login attempts to the website. This hacker/bot was trying every couple of hours. I think the '-A INPUT' rule was what was missing (I don't really have anything configured for the FORWARD chain).

Thanks, I think that does it! Always great to have iptables experts available on LQ!
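The two things this thread turns on, a user chain with "(0 references)" and where in INPUT the jump to it lands, can both be checked offline against an iptables-save dump (the form Turbocapitalist asked for). The script below is an added example, not code from the thread: it parses the filter-table rules from post #1, rewritten here in iptables-save syntax, and walks INPUT the way netfilter does (first matching terminating rule wins, `-j` enters a user chain, RETURN or fall-through leaves it, the chain policy applies when nothing matched). It then asks what happens to a new SYN from 5.188.62.214 to port 80 with the chain unreferenced, with the jump appended by `-A INPUT` (which lands after the multiport ACCEPT), and with the jump at the top of INPUT, which is what astrogeek advised. Only the matches present in the listing are modelled (`-i`, `-s`, `-p`, `--dport`, `multiport --dports`, `state --state`, `--syn`); `limit` is assumed to be under its rate and `recent` below its hitcount, the elided bad_people entries are left out, and FORWARD/OUTPUT are omitted. Those are all assumptions of the example.

```python
"""First-match walk of an iptables-save style ruleset.

Added example, not code from the thread.  Only the matches in mfoley's
listing are modelled; `limit` is assumed under its rate and `recent` below
its hitcount, so those rules never fire here (assumptions).
"""
import ipaddress
import shlex

BUILTIN = {"INPUT", "FORWARD", "OUTPUT"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed from the `iptables -L -n -v` listing in post #1, rewritten as
# iptables-save lines (INPUT and its user chains only; elided entries omitted).
RULES_BEFORE = """\
*filter
:INPUT DROP [0:0]
:bad_people - [0:0]
:checkcount - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -s 184.57.60.212 -p tcp --dport 12345 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 12345 --syn -j checkcount
-A INPUT -i eth0 -p tcp --dport 12345 --syn -m limit --limit 1/sec --limit-burst 3 -j ACCEPT
-A INPUT -i eth0 -p tcp --syn -m multiport --dports 21,25,80,587,443,5900 -j ACCEPT
-A bad_people -s 5.188.62.0/24 -j DROP
-A bad_people -s 193.56.0.0/16 -j DROP
-A checkcount -m recent --set
-A checkcount -m recent --rcheck --hitcount 12 -j logdrop
-A checkcount -j RETURN
-A logdrop -j LOG --log-prefix "SSH Break-in attempt "
-A logdrop -j DROP
COMMIT
"""

# Options that take a value; everything else is treated as a bare flag.
VALUE_OPTS = {"-i", "-s", "-d", "-p", "-j", "-m", "--dport", "--dports", "--state",
              "--limit", "--limit-burst", "--hitcount", "--log-prefix", "--name"}


def parse_ruleset(text):
    """Return (policies, chains); chains maps chain name -> list of rule dicts."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
        elif line.startswith("-A "):
            tokens, rule, i = shlex.split(line), {}, 2
            while i < len(tokens):
                if tokens[i] in VALUE_OPTS:
                    rule[tokens[i]], i = tokens[i + 1], i + 2
                else:
                    rule[tokens[i]], i = True, i + 1
            chains[tokens[1]].append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    """Does the rule's match part apply to the packet dict?"""
    if "-i" in rule and rule["-i"] != pkt["iif"]:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in \
            ipaddress.ip_network(rule["-s"], strict=False):
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--dport" in rule and int(rule["--dport"]) != pkt["dport"]:
        return False
    if "--dports" in rule and pkt["dport"] not in {int(p) for p in rule["--dports"].split(",")}:
        return False
    if "--syn" in rule and not pkt["syn"]:
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    if "--rcheck" in rule or "--update" in rule:   # assumption: hitcount never reached
        return False
    return True


def verdict(policies, chains, pkt, chain="INPUT"):
    """Walk `chain` first-match; return (target, where), or None on RETURN/fall-through."""
    for n, rule in enumerate(chains[chain], 1):
        if not rule_matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target is None or target == "LOG":        # non-terminating
            continue
        if target == "RETURN":
            return None
        if target in TERMINATING:
            return target, f"{chain} rule {n}"
        result = verdict(policies, chains, pkt, target)   # user-defined chain
        if result is not None:
            return result
    return (policies[chain], f"{chain} policy") if policies.get(chain) else None


def unreferenced_chains(chains):
    """User chains nothing jumps to: exactly what '(0 references)' flags."""
    targets = {r.get("-j") for rules in chains.values() for r in rules}
    return sorted(c for c in chains if c not in BUILTIN and c not in targets)


def with_jump(ruleset, where):
    """Wire bad_people into INPUT at the 'top' (astrogeek's advice, i.e.
    `iptables -I INPUT 1`) or the 'bottom' (where `iptables -A INPUT` puts it)."""
    lines = ruleset.splitlines()
    idx = [i for i, l in enumerate(lines) if l.startswith("-A INPUT")]
    lines.insert(idx[0] if where == "top" else idx[-1] + 1, "-A INPUT -i eth0 -j bad_people")
    return "\n".join(lines)


def verdict_for(ruleset, pkt):
    policies, chains = parse_ruleset(ruleset)
    return verdict(policies, chains, pkt)


# A new connection from the bot to the web server, as in post #1.
BOT_SYN = {"src": "5.188.62.214", "iif": "eth0", "proto": "tcp",
           "dport": 80, "syn": True, "state": "NEW"}

if __name__ == "__main__":
    print("unreferenced chains:", unreferenced_chains(parse_ruleset(RULES_BEFORE)[1]))
    for label, rs in [("as posted", RULES_BEFORE),
                      ("jump appended", with_jump(RULES_BEFORE, "bottom")),
                      ("jump at top", with_jump(RULES_BEFORE, "top"))]:
        print(f"{label:14}: {verdict_for(rs, BOT_SYN)}")
```

Run as-is it reports `bad_people` as unreferenced and shows the bot's SYN accepted by the multiport rule both before the fix and with the jump appended; only the jump at the top of INPUT produces a DROP from `bad_people`. Two practical notes: a blanket DROP at the top also discards ESTABLISHED traffic from the blocked range, which is what you want for a blocklist; and tcpdump captures inbound frames before netfilter's INPUT chain sees them, so counting connections with tcpdump does not by itself show the rule is dropping them, while the absence of login failures in the application log does.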
 
Tags
iptables firewall block