Hi,
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
Cheers,
Niki
Niki Kovacs wrote:
Hi,
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
Cheers,
Try fail2ban from rpmforge.
fail2ban, that's a good one, gotta save that link.
Try the GUI for iptables.
On Oct 9, 2009, at 11:39 AM, Toby Bluhm wrote:
Niki Kovacs wrote:
Hi,
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
Cheers,
Try fail2ban from rpmforge.
-- tkb
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Toby Bluhm wrote:
Niki Kovacs wrote:
Hi,
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
Cheers,
Try fail2ban from rpmforge.
Also, if you're using the standard fw that ships with centos, you can stop entire blocks of IPs by manually inserting rules after iptables starts:
iptables -I RH-Firewall-1-INPUT 1 -s 1.2.3.4/24 -p tcp --dport 22 -j DROP
IP ranges by country: http://www.countryipblocks.net/country-blocks/select-formats/
The IP ranges will change from time to time, so you have to check often. You could script in a download from http://www.countryipblocks.net/continents/ to keep it current.
Like someone said, if you have to keep ssh open to the world, changing the port number will dramatically cut down on the attempts.
Toby Bluhm wrote:
Toby Bluhm wrote:
Niki Kovacs wrote:
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
<snip> Let me note that at work, the security group has a script set up that does it automagically, after so many attempts.
And every morning or two in the logs, I see attacks from China, or Mexico, or Spain, or Taiwan... but then, we are a well-known site.
mark, supporting the NIH
The best way to do it is with iptables. If you want something "more easily configurable" then some front end for it would be most useful. Webmin most likely provides a graphical interface to do it.
Adding rules to drop traffic from IPs or whole subnets is not that difficult if you have a basic understanding of IPv4 networking.
There are some well documented examples on this page (including one to do what you're after): http://www.dd-wrt.com/wiki/index.php/Iptables_command#Examples
Regards, Oliver
On 12/10/2009, at 9:52 AM, mark wrote:
Toby Bluhm wrote:
Toby Bluhm wrote:
Niki Kovacs wrote:
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
<snip> Let me note that at work, the security group has a script set up that does it automagically, after so many attempts.
And every morning or two in the logs, I see attacks from China, or Mexico, or Spain, or Taiwan... but then, we are a well-known site.
mark, supporting the NIH
-- "The Pluto Files", Neil Degrasse Tyson. Pluto shall rise again! - whitroth
There is an iptables geoip module to allow you to specify countries. I never used it though.
The advantage of denyhosts is that it not only bans addresses but also shares banned hosts with a network of a few thousands of installations (an opt-in option), so you are not on your own.
Moving ssh to a none standard port is the best thing you can do under the circumstances you describe, IMHO.
Another option might be to tar-pit attackers (using iptables) - that way you can slow down their traffic so hopefully they'll eat less of your bandwidth.
-Amos
On 10/10/09, Toby Bluhm tkb@alltechmedusa.com wrote:
Toby Bluhm wrote:
Niki Kovacs wrote:
Hi,
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
Cheers,
Try fail2ban from rpmforge.
Also, if you're using the standard fw that ships with centos, you can stop entire blocks of IPs by manually inserting rules after iptables starts:
iptables -I RH-Firewall-1-INPUT 1 -s 1.2.3.4/24 -p tcp --dport 22 -j DROP
IP ranges by country: http://www.countryipblocks.net/country-blocks/select-formats/
The IP ranges will change from time to time, so you have to check often. You could script in a download from http://www.countryipblocks.net/continents/ to keep it current.
Like someone said, if you have to keep ssh open to the world, changing the port number will dramatically cut down on the attempts.
-- tkb
Amos Shapira wrote:
There is an iptables geoip module to allow you to specify countries. I never used it though.
I love Linux, been using it for about 14 years, but a good firewall it does not make.
http://www.openbsd.org/faq/pf/tables.html
"A table is used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses [..] Tables can also be populated from text files containing a list of IP addresses and networks:
table <spammers> persist file "/etc/spammers"
block in on fxp0 from <spammers> to any [..] Tables can be manipulated on the fly by using pfctl(8). For instance, to add entries to the <spammers> table created above:
# pfctl -t spammers -T add 218.70.0.0/16"
--
Myself I'd be interested in seeing an iptables system running with 50,000 rules for matching against.
nate
On Mon, Oct 12, 2009 at 9:36 PM, nate centos@linuxpowered.net wrote:
Amos Shapira wrote:
There is an iptables geoip module to allow you to specify countries. I never used it though.
I love Linux, been using it for about 14 years, but a good firewall it does not make.
http://www.openbsd.org/faq/pf/tables.html
"A table is used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses [..] Tables can also be populated from text files containing a list of IP addresses and networks:
table <spammers> persist file "/etc/spammers"
block in on fxp0 from <spammers> to any [..] Tables can be manipulated on the fly by using pfctl(8). For instance, to add entries to the <spammers> table created above:
# pfctl -t spammers -T add 218.70.0.0/16"
--
Myself I'd be interested in seeing an iptables system running with 50,000 rules for matching against.
nate
That's why I was recommending ipset earlier.
Removing my services from the standard ports, I saw a massive drop in these requests.
On Mon, Oct 12, 2009 at 5:01 PM, Lucian @ lastdot.org lucian@lastdot.org wrote:
On Mon, Oct 12, 2009 at 9:36 PM, nate centos@linuxpowered.net wrote:
Amos Shapira wrote:
There is an iptables geoip module to allow you to specify countries. I never used it though.
I love Linux, been using it for about 14 years, but a good firewall it does not make.
http://www.openbsd.org/faq/pf/tables.html
"A table is used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses [..] Tables can also be populated from text files containing a list of IP addresses and networks:
table <spammers> persist file "/etc/spammers"
block in on fxp0 from <spammers> to any [..] Tables can be manipulated on the fly by using pfctl(8). For instance, to add entries to the <spammers> table created above:
# pfctl -t spammers -T add 218.70.0.0/16"
--
Myself I'd be interested in seeing an iptables system running with 50,000 rules for matching against.
nate
That's why I was recommending ipset earlier.
Toby Bluhm wrote:
Try fail2ban from rpmforge.
The main problem with fail2ban is that it's based on Python, so it takes a fair bit of memory. This isn't a big problem on a dedicated server or on a system with swap, but a lot of these attacks are made against shared servers or those running virtual machine schemes like OpenVZ, which don't allow swap, so you don't have enough memory to run something so heavy.
What I do on my VPS is periodically look at the logs and ban attackers by hand with this script, which I call iptdrop:
#!/bin/sh
# iptdrop: drop all traffic from one address and record it so the ban survives a reboot
DROPFILE=/etc/network/iptables-drops
if [ -n "$1" ] ; then
    iptables -I INPUT -s "$1" -j DROP
    echo "$1" >> "$DROPFILE"
else
    echo "usage: $0 ipaddress"
    echo
    exit 1
fi
Then in /etc/rc.local:
# re-insert every saved ban at boot
while read ip ; do
    iptables -I INPUT -s "$ip" -j DROP
done < /etc/network/iptables-drops
That restores any bans on reboot.
After a week or three, I remove the IP from the list, on the theory that it might be some bot-infested PC behind DHCP, and so has probably moved on.
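One step up from reading the logs by hand, as an added example that is not the poster's iptdrop script: a small POSIX shell script that counts "Failed password" lines per source address in an sshd log and prints, for review, the rule iptdrop would apply for every address at or above a threshold. The log lines are constructed for the example (RFC 5737 documentation addresses), the threshold of three and the rule form are assumptions, and nothing is applied; it only produces a list to look over before banning.

```shell
#!/bin/sh
# Added example: summarise sshd password failures per source address and emit
# the candidate iptables DROP rules for review. Nothing here touches the firewall.

# Constructed sample in /var/log/secure style (not taken from a real host).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Oct  9 20:35:01 web sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct  9 20:35:02 web sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Oct  9 20:35:04 web sshd[2105]: Failed password for root from 203.0.113.7 port 51250 ssh2
Oct  9 20:35:05 web sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51261 ssh2
Oct  9 20:35:06 web sshd[2109]: Failed password for root from 198.51.100.9 port 40011 ssh2
Oct  9 20:35:09 web sshd[2111]: Accepted publickey for niki from 192.0.2.10 port 50022 ssh2
Oct  9 20:35:11 web sshd[2113]: Failed password for invalid user guest from 203.0.113.7 port 51270 ssh2
EOF

# failed_counts LOGFILE -> "count ip" lines, highest count first.
# The address is taken from the fixed " from <ip> port " part of the message,
# so an odd user name in the line cannot be mistaken for the source.
failed_counts() {
    awk '/sshd.*Failed password for / && match($0, / from [0-9.]+ port /) {
            n[substr($0, RSTART + 6, RLENGTH - 12)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# offenders LOGFILE THRESHOLD -> addresses with at least THRESHOLD failures
offenders() {
    failed_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# drop_rules LOGFILE THRESHOLD -> the rules to review (same form as iptdrop,
# narrowed to the ssh port; an assumption for this example)
drop_rules() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$ip"
    done
}

# Usage: review the output, then feed the chosen addresses to iptdrop.
drop_rules "$SAMPLE_LOG" 3
```

On the sample above only 203.0.113.7 crosses the threshold (five failures); the single failure from 198.51.100.9 and the successful key login are left alone, which is the point of counting before banning.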
On Fri, 2009-10-09 at 20:35 +0200, Niki Kovacs wrote:
Hi,
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
---- Suggest you move ssh to another port (i.e. high numbered)
but whether you do or do not move the port sshd listens on, you should install a package like denyhosts which after a specified number of attempts, locks them out completely.
Craig
On Fri, 09 Oct 2009 20:35:25 +0200 Niki Kovacs wrote:
Hi,
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
man hosts.allow
man hosts.deny
On Fri, Oct 09, 2009 at 08:35:25PM +0200, Niki Kovacs wrote:
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
I also use denyhosts. The memory footprint is not quite so bad for one host; mine is currently using 13m of resident memory, and a total of 92m of shared memory (from top). But I do see running hundreds of denyhosts processes could be a memory issue; perhaps it could be hacked to run on the main host and propagate its entries to the virtual hosts.
Anyway, the main issue with denyhosts, and even iptables, is that the traffic still comes over your line. If you have a slow link, the attacks are still going to eat your bandwidth, which can be frustrating. Apart from getting your ISP to block them at the other end, I don't know a good solution to this problem. (It is alleviated somewhat if the attackers realize they've been blocked and move on, so an iptables solution might be a bit better.)
--keith
On Fri, Oct 9, 2009 at 7:35 PM, Niki Kovacs contact@kikinovak.net wrote:
Hi,
I just set up a web server... and my bandwidth is being eaten by some Chinese folks trying to brute-force-ssh their way into the machine.
Is there a simple way to banish either single IP addresses or, maybe even better, whole IP classes? I know it's feasible with iptables, but is there something more easily configurable?
Cheers,
Niki
The best way is iptables. If you know you don't/won't have any relations within China/Taiwan/etc. you could ban whole subnets. It would help to use ipset in conjunction with iptables, just for optimisation's sake :)
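Putting Toby's country-block list together with the ipset suggestion, as an added example that is not any poster's code: a POSIX shell script that validates a downloaded CIDR list, loads it into one ipset, and hooks the set into the firewall with a single rule instead of one rule per range, which is what makes lists of thousands of entries cheap to match. The sample list is constructed from RFC 5737 documentation ranges; the set name "blocklist", the file path, and the ipset 6.x command syntax (ipset create/add, -m set --match-set) are assumptions; the chain name RH-Firewall-1-INPUT is the one quoted earlier in the thread. The commands are printed for review unless "apply" is passed as the first argument.

```shell
#!/bin/sh
# Added example: build an ipset from a CIDR text file and attach it to the
# firewall with one iptables rule. Commands are printed unless run with "apply".

# Constructed sample blocklist (RFC 5737 documentation ranges, not a real feed).
BLOCKFILE=$(mktemp)
cat > "$BLOCKFILE" <<'EOF'
# country-block export, refreshed by a cron job (assumed layout: one CIDR per line)
203.0.113.0/24
198.51.100.0/25
not-an-address
192.0.2.0/24
EOF

# valid_cidr "a.b.c.d/n": accept only a dotted-quad IPv4 network with prefix 0-32.
# A downloaded list is untrusted input; a bad line must not reach ipset.
valid_cidr() {
    echo "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1
        }'
}

# clean_blocks FILE -> the valid CIDRs; comments, blanks and garbage are dropped
clean_blocks() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while read -r cidr; do
        [ -n "$cidr" ] || continue
        if valid_cidr "$cidr"; then
            echo "$cidr"
        else
            echo "skipping invalid entry: $cidr" >&2
        fi
    done
}

# block_rules FILE SETNAME CHAIN -> the commands that (re)load the set and
# insert one rule at the top of CHAIN that drops ssh from any member of it
block_rules() {
    set_name=$2
    chain=$3
    echo "ipset create $set_name hash:net -exist"
    echo "ipset flush $set_name"
    clean_blocks "$1" | while read -r cidr; do
        echo "ipset add $set_name $cidr -exist"
    done
    echo "iptables -I $chain 1 -p tcp --dport 22 -m set --match-set $set_name src -j DROP"
}

# Usage: ./blocklist.sh        (print the commands)
#        ./blocklist.sh apply  (run them; needs root and the ipset package)
if [ "${1:-}" = apply ]; then
    block_rules "$BLOCKFILE" blocklist RH-Firewall-1-INPUT | sh -e
else
    block_rules "$BLOCKFILE" blocklist RH-Firewall-1-INPUT
fi
```

Because the ipset is flushed and refilled in place while the single iptables rule stays put, the cron job that refreshes the list can rerun this script without ever leaving the chain in a half-loaded state, and the rule count does not grow with the size of the list.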