Help stop hacker permanently with Fail2Ban

Operating system: CentOS 7.8

Hi, need some guidance pls… some lowlife is tirelessly trying to hack a website of mine… I am using F2b, FirewallD, Kerberos6 and Linux Firewall…
Can any of these tools block an IP for good? F2B is not kicking in because the website's firewall blocks the attack for some minutes before F2b kicks in… but I want to get rid of this a***ole for good

IP address: 5.188.62.140
IP range: 5.188.62.*

Any help is much appreciated
THx Dan

Don’t block an IP address permanently since the attacker can easily continue his attack from a different one. How many IP addresses will you block? You cannot get rid of a hacker for good. He will find an alternative approach if you manually block his original one.

The default fail2ban settings make it difficult for an attacker to carry out a successful brute force attack because any IP address used by the attacker will get banned for a short while after 5 (if memory serves) unsuccessful login attempts. Then the IP address is automatically unbanned and a normal internet user who wishes to access your server from that IP can do so.

Fail2ban is the most effective way to thwart a brute force attack. It prevents attacks at a large scale and keeps the system ‘open’ in the true spirit of net neutrality and a free internet. You should configure your system to let fail2ban do what it is supposed to do rather than let any other system (in the website or wherever) preempt fail2ban.

An attacker will not be able to do much by brute force if his IPs get blocked for 5 min after 5 unsuccessful attempts so just let fail2ban do its job and you will be ok.

Typically this would not work for a web site available to all, but if you can narrow down your visitors to a specific range by IP or country, just ban all others by whitelisting them… There are lists with country ranges available, but as I said, it only works if your audience for the site is VERY limited.

I think I’d just drop this one.

Richard

HI guys, thank you so much!

My audience is not Russia, so I could ban them all… but I have no idea how to ban one IP or a whole country in f2b… can you guide me pls?

I could do that with cPHulk in cPanel, but recently moved to WM and now have f2b… which is still beyond me

Thank you so much
Dan

HI calport,

thank you… yes, I would have to block several IPs, this is just the most recent one.
Yes, the block is coming from a WordPress security plugin, obviously before f2b could - if configured correctly - kick in.

This attacker is coming in on many IPs, and is put in the box over and over, but relentlessly tries again and again with a set of IPs.

I want to spit in his soup, so to speak

But don't know how to block an IP for, say, a month.

THx

Dan

I don’t know about F2B yet either, but there are lists of relevant IPs…

Russia: https://lite.ip2location.com/russian-federation-ip-address-ranges

you can get those in csv and “firewall” format, but i don’t know how the latter is applicable.

NOTE: Those ranges will probably change over time and will not help a lot against VPN services.

thx SecCon, much appreciated!

I’m using CSF and have firewalld disabled, so I don’t have access to the firewalld module in Webmin (other than a message telling me that the service isn’t running). But I’m guessing that the module has an option to add an IP address / range to the “drop” zone. That will instruct the firewall to simply drop the incoming connection with no response. That’s preferable to a block because (among other reasons) it wastes the intruder’s time.

If you’re unfamiliar with the command syntax for firewalld, doing it through Webmin would be a much better option. Bad things can happen if you make a mistake in the firewall configuration. Very bad things.

Richard

The easiest way to ban IPs that keep getting banned for 10 minutes by fail2ban is to enable the recidive jail. Set the delay to a day (86400) and block them for a week (604800) or longer.

This essentially means that if some IP gets blocked 3x within a day it is banned for a week. Play with the variables if you want. Block for less time if you are unsure. Ban them longer if you’re sure.

Does not help against botnets though. For that I block them using a blacklist text file with ranges via firewalld's ipset feature. You can also use that to block countries like Russia or China. Documentation here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_firewalld

I would love a feature in the webmin firewalld section where you can just add ip ranges to block that would have saved me some time learning the stuff.

Before I ban a range I always look up the geo location: https://www.iplocation.net/ip-lookup

HI Janderk, thank you so much…

" that keep getting banned for 10 minutes by fail2ban is enable the recidive jail. Set the delay to a day (86400) and block them for a week (604800) or longe"

Right now f2b is not picking up on these intruders at all, the apache logs in f2b are empty… I understand that I have to somehow create a log with WordPress for f2b to be able to see attacks at all…
Do you use WordPress?

THx
Dan
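
Two things in this thread are easier to see with code: why the apache jail stays empty until there is a WordPress log line for fail2ban to match (Dan's question above), and what Janderk's recidive numbers (3 bans within 86400 s, then a ban of 604800 s) actually do. The following is an added example written for this page, not fail2ban's own code: it replays constructed Apache and fail2ban log lines through a small reimplementation of the jail logic. Assumptions that the thread does not state: Apache combined log format; that a POST to wp-login.php answered with HTTP 200 is a failed login (WordPress answers a successful login with a 302 redirect); the sample addresses other than 5.188.62.140 are RFC 5737 documentation addresses; the fail2ban.log line shape and the PID in it are illustrative.

```python
"""Replay constructed log lines through two fail2ban-style jails:
Stage 1 matches WordPress login failures in the Apache access log,
Stage 2 (recidive) re-bans IPs that keep getting banned by Stage 1.
Added example for the thread; not fail2ban's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Stage-1 filter: Apache combined log, POST to wp-login.php answered with 200
# (assumption: WordPress re-renders the form on failure, redirects on success).
WP_FAIL = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-login\.php(?:\?[^" ]*)? HTTP/[\d.]+" 200 ')

# Stage-2 filter: the shape of fail2ban's own "Ban" lines. Lines from the
# recidive jail itself are skipped so a long ban is not counted as a new offence.
F2B_BAN = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions\s+\[\d+\]: '
    r'NOTICE\s+\[(?!recidive\])[^\]]*\]\s+Ban\s+(?P<ip>\S+)')


def parse_apache_ts(s):
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def parse_f2b_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def run_jail(lines, failregex, parse_ts, findtime, maxretry, bantime):
    """Ban an IP once maxretry matches fall inside a findtime-second window.
    Returns a list of (ban_time, ip, unban_time). The match history is cleared
    on ban, so a second ban needs maxretry fresh failures, as with fail2ban."""
    window = defaultdict(deque)
    bans = []
    for line in lines:
        m = failregex.match(line)
        if not m:
            continue
        ip, ts = m["ip"], parse_ts(m["ts"])
        hits = window[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:  # drop stale hits
            hits.popleft()
        if len(hits) >= maxretry:
            bans.append((ts, ip, ts + timedelta(seconds=bantime)))
            hits.clear()
    return bans


def fail2ban_log(bans, jail="wordpress"):
    """Render Stage-1 bans the way /var/log/fail2ban.log records them; that file
    is what the recidive jail watches (the PID 4242 is filler)."""
    return [f'{ts.strftime("%Y-%m-%d %H:%M:%S")},000 fail2ban.actions [4242]: '
            f'NOTICE [{jail}] Ban {ip}' for ts, ip, _ in bans]


# Constructed access log. 5.188.62.140 is the address from the thread; the
# others are RFC 5737 documentation addresses.
T0 = datetime(2020, 6, 12, 10, 0, tzinfo=timezone.utc)


def burst(ip, start, n, status=200, step=2):
    """n POSTs to wp-login.php from ip, one every `step` seconds."""
    lines = []
    for i in range(n):
        when = (start + timedelta(seconds=i * step)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{when}] "POST /wp-login.php HTTP/1.1" {status} 4123 "-" "Mozilla/5.0"')
    return lines


ACCESS_LOG = (
    burst("5.188.62.140", T0, 5)                                       # ban 1
    + burst("203.0.113.7", T0 + timedelta(minutes=2), 2)               # two typos...
    + burst("203.0.113.7", T0 + timedelta(minutes=3), 1, status=302)   # ...then success
    + burst("5.188.62.140", T0 + timedelta(minutes=15), 5)             # back after unban: ban 2
    + burst("5.188.62.140", T0 + timedelta(minutes=30), 5)             # ban 3 within a day
    + burst("198.51.100.9", T0 + timedelta(hours=1), 5)                # one-off offender
)


def wordpress_bans(lines=ACCESS_LOG):
    """The numbers quoted in the thread: 5 failures in 10 min, banned 10 min."""
    return run_jail(lines, WP_FAIL, parse_apache_ts, findtime=600, maxretry=5, bantime=600)


def recidive_bans(bans):
    """Janderk's numbers: 3 bans within a day (86400 s) -> banned a week (604800 s)."""
    return run_jail(fail2ban_log(bans), F2B_BAN, parse_f2b_ts,
                    findtime=86400, maxretry=3, bantime=604800)


if __name__ == "__main__":
    first = wordpress_bans()
    for ts, ip, until in first:
        print(f"wordpress: {ts:%H:%M:%S} ban {ip} until {until:%H:%M:%S}")
    for ts, ip, until in recidive_bans(first):
        print(f"recidive:  {ts:%H:%M:%S} ban {ip} until {until:%Y-%m-%d}")
```

In real fail2ban the Stage-1 expression goes into a filter.d/*.conf failregex with `<HOST>` in place of the IP group, and the jail's logpath has to point at the site's access log, which is the missing piece when the apache jail shows nothing. Stage 2 is the stock recidive jail, enabled in jail.local with bantime = 604800, findtime = 86400 and maxretry = 3. Note the two different log sources: the first jail reads the web server's log, the second reads fail2ban's own log, so the first jail has to be working before recidive can do anything.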

Should have read that. Yes, fail2ban uses logs. If you’ve got firewalld you could block them using a rich rule:

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='5.188.62.0/24' reject"

firewall-cmd --reload

If you’ve got more IPs, ipset is the way to go.

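An added example in Python, not code from the thread or from firewalld, for the ipset route: it takes a blocklist in plain text (the csv or "firewall" exports from ip2location mentioned earlier, or the rjmblocklist files later in the thread, can be reduced to one range per line), validates it, normalises host/prefix entries such as 5.188.62.140/24 to their network, merges overlapping ranges, and prints or runs the firewall-cmd calls that load the result into an ipset attached to the drop zone. The set name `blocklist` and the path /etc/firewalld/blocklist.txt are this example's own choices, and the sample list is constructed.

```python
"""Load a plain-text blocklist into a firewalld ipset bound to the drop zone.
Added example for the thread; the set name and entries path are assumptions."""
import ipaddress
import subprocess
import sys

SETNAME = "blocklist"                          # assumed set name
ENTRIES_FILE = "/etc/firewalld/blocklist.txt"  # assumed path for the entries file

# Constructed sample blocklist: one CIDR or bare address per line, '#' comments.
SAMPLE_BLOCKLIST = """\
5.188.62.140/24      # host address with a prefix, normalised to 5.188.62.0/24
5.188.62.0/25        # already covered by the /24
5.188.63.5           # bare address, becomes a /32
203.0.113.0/24
203.0.113.0/24       # duplicate
2001:db8::/32        # IPv6 needs its own family=inet6 set: reported, not loaded
not-an-address
"""


def parse_blocklist(text):
    """Return (ipv4_networks, rejected_entries).

    ip_network(..., strict=False) turns a host/prefix like 5.188.62.140/24 into
    its network 5.188.62.0/24, which is what a hash:net set expects.
    collapse_addresses() merges duplicates and nested ranges so the set stays
    small. Malformed lines are returned instead of silently dropped: a list
    that half-loads leaves the server open, so the caller must know."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4:
            rejected.append(entry)
            continue
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets)), rejected


def is_blocked(nets, address):
    """True if address falls inside any range of the collapsed list."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)


def firewall_cmds(setname=SETNAME, entries_file=ENTRIES_FILE):
    """The firewall-cmd calls: create a hash:net set, fill it from the entries
    file, bind it to the drop zone (drop rather than reject, as Richard
    suggested: the client gets no answer at all), then reload."""
    return [
        ["firewall-cmd", "--permanent", f"--new-ipset={setname}", "--type=hash:net"],
        ["firewall-cmd", "--permanent", f"--ipset={setname}",
         f"--add-entries-from-file={entries_file}"],
        ["firewall-cmd", "--permanent", "--zone=drop", f"--add-source=ipset:{setname}"],
        ["firewall-cmd", "--reload"],
    ]


def main(argv):
    """usage: blocklist_ipset.py [LISTFILE] [--apply]; without --apply, dry run."""
    paths = [a for a in argv[1:] if a != "--apply"]
    text = open(paths[0]).read() if paths else SAMPLE_BLOCKLIST
    nets, rejected = parse_blocklist(text)
    for bad in rejected:
        print(f"skipping unusable entry: {bad!r}", file=sys.stderr)
    entries = "".join(f"{n}\n" for n in nets)
    if "--apply" in argv:
        with open(ENTRIES_FILE, "w") as fh:   # needs root, like firewall-cmd
            fh.write(entries)
        for cmd in firewall_cmds():
            subprocess.run(cmd, check=True)   # stop at the first failing step
    else:
        print(entries, end="")
        for cmd in firewall_cmds():
            print("#", " ".join(cmd))


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it dry-runs on the built-in sample and prints the collapsed ranges and the commands; `--apply` writes the entries file and runs firewall-cmd, so it needs root and a running firewalld. `--new-ipset` refuses a name that already exists, so to reload a refreshed list delete the set first (`firewall-cmd --permanent --delete-ipset=blocklist`) or add single ranges with `--ipset=blocklist --add-entry=...`. Richard's warning above still applies: read the dry-run output before applying it.
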
THanks Janderk!!!
Will try !

Currently one of my sites is getting a bot signing up, uploading content and spamming all my member’s private messages.

CloudFlare took care of it, luckily. I’m talking about hundreds of thousands of accounts.

This thread reminds me of why I still use CSF. It very handily does all the work that firewalld and fail2ban combined do, and then some.

The default configuration is sensible, but it can be customized as necessary for a particular use case. You can make it forgiving, heartless, both depending on recidivism, or anywhere in between.

It can block IP addresses or ranges automatically, manually, or programmatically; from the GUI, a terminal, or a script; temporarily, permanently, or temporarily-to-permanently; and it can trigger other, root-defined processes upon doing so, or upon rehabilitating the IPs.

In my own case, one of the things it does (via an external script) is populate a remote, ephemeral database of malicious IP addresses that generates text files that can be downloaded by other servers and firewalls. Multiple servers, numerous honeypots, and numerous failure scripts on public contact form spam filters also contribute to that database, which in turn is re-imported into CSF (and other firewalls that can import text-based blocklists) so all of the servers benefit from the data.

Anyone in the interwebs-connected world can download free, public versions of the blocklists if they like. They contain only the worst offenders’ IP addresses and are only updated once a day (I may change that soon to make them update more often), but they’re free.

https://www.rjmblocklist.com/free/badips.txt
https://www.rjmblocklist.com/free/webattack.txt

The philosophy behind those lists rests on rehabilitation by ephemerality. IP addresses that have behaved themselves are automatically removed between 72 and 96 hours following their most recent bad behavior, as reported (or not reported) by both CSF running on the servers or scripts running on the sites and honeypots. In a nutshell, if an IP is not observed misbehaving in that time period, it is rehabilitated. That avoids permanently banning an IP due to a temporary situation like a hack, breach, or malware infection, once it has been resolved.

Every IP that winds up on the list is also reported to AbuseIPDB in real time; so if you already use AbuseIPDB, you’re already benefiting from CSF’s work on my servers. This is my page on AbuseIPDB, by the way.

There would be more entries, but because the servers share their observations (as well as actions against the honeypots and web forms) with each other, IPs that act maliciously toward any one server or site are blocked by the rest, as well. That’s actually how this project began: I wanted an easy way for all my servers to share their events with each other. It just kind of morphed into a blocklist from there.

Of course, you can do all of this with firewalld and fail2ban if you want, but it would involve a heck of a lot more work. Not being one to reinvent the wheel, I let CSF do between 85 and 95 percent of the work. I wrote the honeypots, the web form failure scripts, the database scripts, and the scripts that interface with CSF. CSF itself does the rest and provides the great bulk of the malicious IP data.

Richard

Thx Richard, as always… I had my admin install CSF and am back in my waters (used it on cPanel) like a fish!! And thanks for the lists!!! Am wowed… you coded the lists and the system of interoperation? Wow!!

I also love that Webmin has an interface for CSF!! Love this place!!
Thx
Dan

You’re welcome.

The scripting was actually pretty simple. I had to create one custom notification for SASL failures. The rest were already there. The coding was just a matter of grabbing the CSF / LFD notifications and using the arguments to build triggers for database entries and AbuseIPDB notifications. Pretty basic stuff.

Richard

The way it basically works is that you build a script to be called on an event using CSF’s BLOCK_REPORT functionality. CSF will call that script whenever an IP is blocked, and you have the script assign the variables you need using the arguments in the output. I used PHP:

<?php
// Get arguments from CSF. csf.conf documents the BLOCK_REPORT argument order as:
// IP, ports, permanent (0/1), inout, timeout (seconds), message, logs, trigger
$args = $argv;

$ip          = $args[1];
$ports       = $rports = $args[2];
$direction   = $args[4];
$csf_message = $args[6];
$csf_log     = $args[7];
$csf_trigger = $args[8];

// exclude your own servers from reports due to dumb user errors
if ($ip == "xxx.xxx.xxx.xxx" || $ip == "yyy.yyy.yyy.yyy" || $ip == "zzz.zzz.zzz.zzz") { die; }

// Translate CSF trigger statements to AbuseIPDB categories and comments
unset($categories);
if ($csf_trigger == "LF_SSHD") {
    $categories = "18,22"; // AbuseIPDB categories for this kind of event
    $comment = "Multiple failed SSH logins"; // Short description of event
}

From there it’s just a matter of inserting all the assigned variables into the database, and using curl to send an abbreviated report to AbuseIPDB if the IP hasn’t already been reported within the past 15 minutes. (AbuseIPDB doesn’t accept multiple reports of the same IP by the same user within 15 minutes.)

The AbuseIPDB report would be something like:

$data = array(
    "ip"         => $ip,
    "categories" => $categories,
    "comment"    => $comment
);
// Double quotes here: the apostrophe in the placeholder would end a single-quoted string
$headers = array("Key: the-user's-key-would-go-here", 'Accept: application/json');
$ch = curl_init("https://api.abuseipdb.com/api/v2/report");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Set to 0 for testing to display response from AbuseIPDB
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$output = curl_exec($ch);
curl_close($ch);

And that’s that. The rest of the variables would all be used for the benefit of the group of servers and to create the blocklists, and is standard PHP / MySQLi.

Richard

Hi Richard, thank you!
Wow, you know your way around (is that a good English idiom?)

Thank you very much, will try that on my server
THANKS a million

Dan

Thanks. The idiom is fine, and complimentary.

Some of the code is specialized to my situation, such as filtering the IPs of the group of servers. It usually wouldn’t be necessary. Also, you may want to read this before starting, especially Section 15, although other sections are also relevant depending on how deep you want to dive into it.

Richard