[Linux] Firewall Rule or App?

Joey linux@flux.org
Fri, 18 May 2007 08:46:02 -0400



I remember a while back someone had a small script which would detect
someone trying to hack into a server and block them for a set period of time
automatically.

Does anyone have a reference to this or the script?

Maybe we can do this via iptables, but we just don't have the experience.

Currently when we physically see this type of activity:

May 18 08:33:53 venus vsftpd(pam_unix)[29390]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:54 venus vsftpd(pam_unix)[29393]: check pass; user unknown
May 18 08:33:54 venus vsftpd(pam_unix)[29393]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:55 venus vsftpd(pam_unix)[29395]: check pass; user unknown
May 18 08:33:55 venus vsftpd(pam_unix)[29395]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:55 venus vsftpd(pam_unix)[29388]: check pass; user unknown
May 18 08:33:55 venus vsftpd(pam_unix)[29388]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:56 venus vsftpd(pam_unix)[29379]: check pass; user unknown

We go and add an entry to a file which utilizes iptables and then reload
that file which executes:

iptables -t filter -A OUTPUT -d 60.13.190.54 -j LOG --log-prefix HACK-BLOCK-1200
iptables -t filter -A OUTPUT -d 60.13.190.54 -j DROP

Resulting in stopping the hacker:

May 18 08:40:08 mars kernel: HACK-BLOCK-1200IN= OUT=eth0 SRC=208.244.164.44 DST=60.13.190.54 LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=58286 DF PROTO=TCP SPT=21 DPT=35075 WINDOW=1448 RES=0x00 ACK PSH URGP=0
May 18 08:40:08 mars kernel: HACK-BLOCK-1200IN= OUT=eth0 SRC=208.244.165.58 DST=60.13.190.54 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=8969 DF PROTO=TCP SPT=21 DPT=34306 WINDOW=1448 RES=0x00 ACK PSH URGP=0
May 18 08:40:08 mars kernel: HACK-BLOCK-1200IN= OUT=eth0 SRC=208.244.165.58 DST=60.13.190.54 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=8971 DF PROTO=TCP SPT=21 DPT=34306 WINDOW=1448 RES=0x00 ACK PSH FIN URGP=0
May 18 08:40:09 mars kernel: HACK-BLOCK-1200IN= OUT=eth0 SRC=208.244.165.49 DST=60.13.190.54 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=2578 DF PROTO=TCP SPT=21 DPT=49626 WINDOW=1448 RES=0x00 ACK PSH URGP=0

Any ideas would be appreciated.


Joey
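Added example (editor's code, not from Joey or the list): a small Python watcher that does what the post asks for over the pam_unix lines above. It counts "authentication failure" lines per rhost inside a sliding window, blocks the source once a threshold is reached, and removes the rules again after a set ban period. Threshold (3 failures in 60 s), ban length (1200 s), the 2007 year used to complete the syslog timestamps, and the AUTH-BLOCK prefix are assumed values. Two deliberate differences from the post's rules: the example blocks inbound packets in the INPUT chain with -s rather than dropping the server's replies in OUTPUT with -d, and its --log-prefix ends in a space, which is why the kernel lines above read "HACK-BLOCK-1200IN=" (the prefix runs straight into "IN="). By default the iptables commands are only recorded, so it runs without root; the packaged form of this idea is fail2ban.

```python
"""Count PAM authentication failures per source address and block repeat
offenders with iptables for a fixed period.  Added example; the threshold,
window, ban length and log prefix below are assumptions, not list policy."""
import re
import subprocess
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the pam_unix failures from the post plus one unrelated line.
SAMPLE_LOG = """\
May 18 08:33:53 venus vsftpd(pam_unix)[29390]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:54 venus vsftpd(pam_unix)[29393]: check pass; user unknown
May 18 08:33:54 venus vsftpd(pam_unix)[29393]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:55 venus vsftpd(pam_unix)[29395]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:55 venus vsftpd(pam_unix)[29388]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:56 venus sshd(pam_unix)[29400]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.7
"""

# Matches the pam_unix "authentication failure" format; rhost= carries the peer.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<svc>[\w.-]+)\(pam_unix\)\[\d+\]: authentication failure;"
    r".*\brhost=(?P<ip>\d+(?:\.\d+){3})"
)

LOG_PREFIX = "AUTH-BLOCK "   # trailing space keeps the prefix apart from "IN="


def parse_failure(line, year=2007):
    """Return (timestamp, service, ip) for a failure line, else None.
    Syslog lines carry no year, so one is supplied (assumed 2007 here)."""
    m = FAILURE_RE.search(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())          # collapse "May  8" padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["svc"], m["ip"]


class AutoBlocker:
    def __init__(self, threshold=3, window=60, ban_seconds=1200, run=None):
        self.threshold = threshold
        self.window = timedelta(seconds=window)
        self.ban = timedelta(seconds=ban_seconds)
        self.commands = []                       # dry-run record of iptables calls
        self.run = run or (lambda argv: self.commands.append(" ".join(argv)))
        self.failures = defaultdict(deque)       # ip -> failure timestamps in window
        self.banned = {}                         # ip -> time the ban expires

    def observe(self, line):
        """Feed one syslog line; return the ip if this line triggered a ban."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, _svc, ip = parsed
        self.expire(ts)
        if ip in self.banned:
            return None
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:     # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self._block(ip, ts)
            return ip
        return None

    def _block(self, ip, now):
        # -I puts each rule at the top, so insert DROP first and LOG second;
        # the LOG rule then sits above DROP and actually fires.
        self.run(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
        self.run(["iptables", "-I", "INPUT", "-s", ip, "-j", "LOG", "--log-prefix", LOG_PREFIX])
        self.banned[ip] = now + self.ban
        self.failures.pop(ip, None)

    def expire(self, now):
        """Delete rules whose ban period has elapsed; return the released ips."""
        freed = [ip for ip, until in self.banned.items() if now >= until]
        for ip in freed:
            self.run(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
            self.run(["iptables", "-D", "INPUT", "-s", ip, "-j", "LOG", "--log-prefix", LOG_PREFIX])
            del self.banned[ip]
        return freed


def process_log(text, **kwargs):
    """Run every line through an AutoBlocker; return (blocker, ips banned in order)."""
    blocker = AutoBlocker(**kwargs)
    hits = [ip for ip in (blocker.observe(line) for line in text.splitlines()) if ip]
    return blocker, hits


if __name__ == "__main__":
    # Dry run over the sample, or over a real file given on the command line;
    # pass run=lambda a: subprocess.run(a, check=True) to apply the rules as root.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    blocker, hits = process_log(text)
    print("banned:", hits)
    print("\n".join(blocker.commands))
```

The expiry check runs on the timestamp of each new log line rather than on a timer, so a long-running copy should also call expire(datetime.now()) periodically (for instance from a cron job or a sleep loop) so that bans are lifted even when the log goes quiet.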
