Linux - Security (LinuxQuestions.org forum)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a person/bot persistently trying to break into a website. For example, today:
Code:
COLS8: 2022-01-24 12:53:42 5.188.62.214 userId: [cnadmin] Member not found. Login Fail
COLS8: 2022-01-24 12:53:49 5.188.62.214 userId: [admin] Member not found. Login Fail
It probably is a bot because I have 34 attempted logins over the past 3 days using the same invalid login IDs, all attempts occurring in pairs with the two IDs. I would hope a human would be smart enough to try something different.
Anyway, I believe I've blocked this IP with iptables, but the attempts keep coming in. I'm trying to figure out what I've done wrong with my iptables config. I have:
Code:
Chain INPUT (policy DROP 4081 packets, 195K bytes)
num pkts bytes target prot opt in out source destination
1 3162K 181M ACCEPT tcp -- eth0 * 184.57.60.212 0.0.0.0/0 tcp dpt:12345
2 2067K 880M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 13667 818K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 15 872 checkcount tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345 flags:0x17/0x02
5 15 872 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345 flags:0x17/0x02 limit: avg 1/sec burst 3
6 26649 1487K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 multiport dports 21,25,80,587,443,5900
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 71352 packets, 13M bytes)
num pkts bytes target prot opt in out source destination
Chain bad_people (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 5.188.62.0/24 0.0.0.0/0
2 0 0 DROP all -- * * 193.56.0.0/16 0.0.0.0/0
3 0 0 DROP all -- * * 173.211.0.0/16 0.0.0.0/0
4 0 0 DROP all -- * * 138.199.0.0/16 0.0.0.0/0
:
:
Chain checkcount (1 references)
num pkts bytes target prot opt in out source destination
1 15 872 all -- * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: DEFAULT side: source mask: 255.255.255.255
2 0 0 logdrop all -- * * 0.0.0.0/0 0.0.0.0/0 recent: CHECK hit_count: 12 name: DEFAULT side: source mask: 255.255.255.255
3 15 872 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain logdrop (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "SSH Break-in attempt "
2 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
The offending IP is rule 1 in the bad_people chain: 5.188.62.0/24. The rule says to DROP all, in and out to any interface:
Code:
iptables -I bad_people -s 5.188.62.0/24 -j DROP
Can anyone see any problem, perhaps with other rules, that would cause this IP to be let through despite the rule?
I'm not sure if this will help but I have a DROP all policy and DROP at the end of the rules. As you can see in my screenshot, certain things will slip through.
Last edited by PROBLEMCHYLD; 03-15-2022 at 05:46 PM.
It keeps on changing. Maybe impossible to flag spam or?
As Turbo points out, no packets are being sent to the bad_people chain so they are never being matched.
Try adding a rule at top of the INPUT chain which sends everything to bad_people ( -j bad_people ). You may also want to add an explicit RETURN at the bottom of bad_people so that you will get a count of all non-matching packets, but those will return by default.
But you will likely find that that list grows without bound and cannot be managed very well if the machine is internet facing. If that turns out to be the case you may need to consider another approach to the problem.
I believe I've got this fixed. I compared this computer's iptables with others upon which it was based and added the following commands:
Code:
iptables -A INPUT -i eth0 -j bad_people
iptables -A FORWARD -i eth0 -j bad_people
I believe this is what you and Turboocapitalist were suggesting. I monitored attempts with
Code:
tcpdump -tttt -l -Q in src 5.188.62.214
and have recorded 18 attempted connections in the past 16 hours, but no failed login attempts to the website. This hacker/bot was trying every couple of hours. I think the '-A INPUT' rule was what was missing (I don't really have anything configured for the FORWARD chain).
Thanks, I think that does it! Always great to have iptables experts available on LQ!
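Two iptables facts decide this thread, and both can be checked mechanically rather than by eye. First, `(0 references)` next to a user-defined chain means no rule jumps to it, so every DROP inside it is unreachable. Second, rules are evaluated top-down and the first terminating target wins: a jump added with `-A` lands at the bottom of INPUT, below rule 6 (which ACCEPTs new connections to 21, 25, 80, 587, 443 and 5900) and below rule 2 (which ACCEPTs anything ESTABLISHED), whereas `-I INPUT 1` places it above both. The script below is an added example, not code from the thread or from any of its posters. It encodes both checks as shell functions over a listing in the format of `iptables -L -n -v --line-numbers`; the listings it parses are constructed from the INPUT and bad_people chains posted above, with the post-`-A` and post-`-I` variants derived from them, and `fix_commands` prints the editor's suggested commands, not commands from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): two checks over an
# `iptables -L -n -v --line-numbers` listing.
#   1. a chain nothing jumps to ("0 references") is dead code;
#   2. a jump placed below an ACCEPT never sees the traffic that ACCEPT takes.
# The listings are constructed from the INPUT and bad_people chains posted
# above; on a live host use: LISTING=$(iptables -L -n -v --line-numbers)

INPUT_RULES='Chain INPUT (policy DROP 4081 packets, 195K bytes)
num pkts bytes target prot opt in out source destination
1 3162K 181M ACCEPT tcp -- eth0 * 184.57.60.212 0.0.0.0/0 tcp dpt:12345
2 2067K 880M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 13667 818K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 15 872 checkcount tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345 flags:0x17/0x02
5 15 872 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:12345 flags:0x17/0x02 limit: avg 1/sec burst 3
6 26649 1487K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 multiport dports 21,25,80,587,443,5900'
JUMP='bad_people all -- eth0 * 0.0.0.0/0 0.0.0.0/0'
BAD_PEOPLE_0='Chain bad_people (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all -- * * 5.188.62.0/24 0.0.0.0/0'
BAD_PEOPLE_1=$(printf '%s\n' "$BAD_PEOPLE_0" | sed 's/(0 references)/(1 references)/')

# As posted: bad_people exists, but no rule jumps to it.
BEFORE="$INPUT_RULES
$BAD_PEOPLE_0"
# After `iptables -A INPUT -i eth0 -j bad_people`: the jump is appended as rule 7.
AFTER_APPEND="$INPUT_RULES
7 0 0 $JUMP
$BAD_PEOPLE_1"
# After `iptables -I INPUT 1 -i eth0 -j bad_people`: the jump is rule 1, the rest shift down.
AFTER_INSERT="$(printf '%s\n' "$INPUT_RULES" |
    awk -v j="$JUMP" 'NR == 2 { print; print "1 0 0 " j; next } NR > 2 { $1 = $1 + 1 } { print }')
$BAD_PEOPLE_1"

# Names of user-defined chains with zero references: every rule in them is unreachable.
unreferenced_chains() {
    printf '%s\n' "$1" | awk '$1 == "Chain" && $3 == "(0" { print $2 }'
}

# For the first rule in CHAIN whose target is TARGET, print "<rule number> <ACCEPT rules above it>".
# iptables evaluates top-down and stops at the first terminating target, so each
# ACCEPT above the jump shadows it for whatever that ACCEPT matches.
jump_shadowing() {
    printf '%s\n' "$1" | awk -v chain="$2" -v target="$3" '
        /^Chain / { inchain = ($2 == chain); accepts = 0; next }
        inchain && $1 ~ /^[0-9]+$/ {
            if ($4 == target) { print $1, accepts; exit }
            if ($4 == "ACCEPT") accepts++
        }'
}

# Editor's suggested fix: insert (not append) the jump so it precedes the
# ESTABLISHED and service ACCEPTs; an explicit RETURN keeps a count of non-matches.
fix_commands() {
    cat <<'EOF'
iptables -I INPUT 1 -i eth0 -j bad_people
iptables -I FORWARD 1 -i eth0 -j bad_people
iptables -A bad_people -j RETURN
EOF
}

echo "dead chains in the posted ruleset: $(unreferenced_chains "$BEFORE")"
echo "after -A   (rule number, ACCEPTs above it): $(jump_shadowing "$AFTER_APPEND" INPUT bad_people)"
echo "after -I 1 (rule number, ACCEPTs above it): $(jump_shadowing "$AFTER_INSERT" INPUT bad_people)"
fix_commands
```

With the appended jump, `jump_shadowing` reports rule 7 with five ACCEPTs above it, so a fresh SYN to port 80 or 443 from 5.188.62.0/24 is accepted by rule 6 before bad_people is consulted; with the inserted jump it reports rule 1 with none above it. One more thing worth knowing when you verify with tcpdump as the thread does: packet capture sees inbound frames before the netfilter INPUT hook runs, so continuing to see connection attempts from a blocked source in tcpdump while none reach the web server is exactly what a working DROP looks like.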