Brute force attacks

46 posts / 0 new
Last post
#1 Tue, 06/30/2009 - 02:21
Dim Git

Brute force attacks

Hi, some readers here will know that I am pretty inexperienced so I am very pleased to see a "Newbies" forum. Thanks for that.

Like many others I see brute force attacks on my server and so far, it seems that none have managed. Provided secure passwords are used and all other aspects of security are as they should be, I guess I should not be too worried. On the other hand I shouldn't be too complacent, particularly since I am a newbie.

I have seen in the logs (and via Logwatch) brute force attempts to gain access via SSH, POP3 and FTP.

I am happy that SSH is not a problem because access is barred from all but two IP numbers.

That leaves POP3 and FTP.

I think I would like to ban an IP number for, say 5 minutes after say, 3 incorrect login attempts.

I have dug around and cannot find anything built in in PAM, Pro-Ftp, Dovecot etc.

I have tried to learn about IP Tables but having a hard time knowing exactly what I should do and being aware that I could lock myself out. Add to that a lot of conflicting info on the web.

So I did some searching for alternatives. Fail2Ban sounds like the type of thing I am looking for.

If I install Fail2Ban, will that conflict with VM or WM ?

Has anybody got any better suggestions ?

Am I missing something ?

Apologies for continuing to harass you guys.

Thanks for reading.

Tue, 06/30/2009 - 07:37
ronald
ronald's picture

personally I am not a fan of banning IP's. Often the attacks are random and done by scripts and/or kiddies, also what if they are on temporary IP's? You'll ban an IP that might belong to a (potential) customer in the future.

I would sooner worry about scripts running under useraccounts that can be hacked, then use that account to gain more privileges (roundcube, per haps joomla and other popular scripts).

There are tools that can read logfiles, making it somewhat easier to go through them. Keeping close eyes on logfiles is important to find the persistent ones, then lock them out.

There is also a thread somewhere with advanced firewall rules you might be interested in. But I cant seem to find that thread anymore. It used drop before establishing.

Have good passwords, keep scripts up-to-date, read logs every day.

Tue, 06/30/2009 - 11:39 (Reply to #2)
jahlewis

OSSEC is an option for you. http://www.ossec.net/

I use it on my server, with active response enabled, which disables IP addresses that generate alerts like brute force alerts etc.

Wed, 07/01/2009 - 18:33
recci

I'm in the same boat as the Dim Git and have noticed brute force attacks already. All my passwards are 8 charchaters + in length and consist of random letters and numbers, different case etc so Id assume those are secure.

OSSEC looks interesting to me is it hard to setup and configure? Also does it require a lot of resources? I'm limited to 256mb of ram at the moment.

Thu, 07/02/2009 - 01:55
Dim Git

Thanks for your replies people.

I know this is somewhat off topic for this board and apologise. If this is a step too far, feel free to chastise me/tell me to go away (or similar). :-)

I am running Logwatch and check that daily, occasionally going into the logs themselves.

I am sure this topic has been discussed ad nauseum elsewhere and I don't wish to take this thread along the same lines, but here is my feeling as an inexperienced Dim Git. :-)

Assuming all other points, like scripts vulnerabilities (thanks Ronald) are covered and good passwords are used the system should be fairly safe.

There is always the possibility that a user might change their password to something less safe or even a seemingly safe password is not to safe.

By the time an intrusion is spotted in Logwatch, it has already happened and the damage may have already been done. Whereas an active detection and temporary ban of the IP number for maybe 5 minutes might help deter some. I guess I am looking at closing another potential route.

OSSEC looks like the sort of facility I need (thanks jahlewis) although does look to do much more than my initial requirements. I have been doing some reading, guess I need to do more because the www.ossec.net site has a number of broken links etc. which makes it difficult.

Installation does look like it is fairly straighforward but it also looks like there might be a lot of "tweaking" to be done. That is a point which I feel less competent about.

Many thanks for posting your responses, Google, here I come. :-)

Thu, 07/02/2009 - 09:08
andreychek

[cite]I know this is somewhat off topic for this board and apologise. If this is a step too far, feel free to chastise me/tell me to go away (or similar). :-)[/cite]

You should certainly feel free to talk about this stuff :-)

Nearly everyone here is into web hosting, and exchanging ideas on how security is handled is certainly both welcome and relevant.

Have a good one!

-Eric

Thu, 07/02/2009 - 09:39
recci

what are the log tools I should be using to make spotting intrusions and attacks easier?

Thu, 07/02/2009 - 10:17
ronald
ronald's picture

this thread: http://www.virtualmin.com/node/10338 contains a link to samhain (good for 1 or more server(s) and a link to loganalysis (many tools)

Thu, 07/02/2009 - 11:16
recci

What would be the most straightforward to use for the beginner ?

Thu, 07/02/2009 - 11:44
ronald
ronald's picture

I would probably go for Guard myself. It is written by a czech developer and the czech are often solid in whatever they produce. (not much english in there though)

but its a personal choice I guess. You can try out some of the stuff that is available and will work with you. But read the documentation very well though.

Sat, 07/04/2009 - 01:59
Dim Git

Thanks for all your replies guys, I really do appreciate your time.

I have read and Googled and then read some more and Googled some more. Jeeeez ! there is a lot of info out there. Many of the suggested solutions look as though they need more knowledge than I have and I cannot take the chance of messing up what is already running beautifully well.

I really do appreciate that the tools suggested by contributors to this thread are good for the job and I don't wish to make them feel that I have ignored their suggestions. I have learned a lot by reading as a result of those suggestions. But I am still stuck.

Sooo, I have reviewed my requirements.

The initial requirement was for a temporary block on IPs which were attempting a dictionary/brute force attack.

The second is that it has to be easy to install and maintain.

The third is that it must NOT give me the opportunity of messing up what I already have.

With those three things in mind I did some more Googling. And I came back to Fail2Ban again.

I came across the following page (http://badran-blog.blogspot.com/2008/08/fail2ban-centos.html) which suggests that it is a doddle to install.

Sooo, can anyone point me in the direction of a similar guide for any of those mentioned ?

Alternatively, will following the install on the link above conflict with WM or VM.

Thanks for putting up with me.

Sat, 07/04/2009 - 02:21 (Reply to #11)
Joe
Joe's picture

Alternatively, will following the install on the link above conflict with WM or VM.

I wouldn't think so.

--

Check out the forum guidelines!

Sat, 07/04/2009 - 06:08
ronald
ronald's picture

you may want to read up on a good tutorial http://www.linux.org/lessons/advanced/c277.html

Mon, 07/06/2009 - 01:18
Dim Git

Thanks Ronald, that is a very good site, well for me it is anyway.

I have had a fast read through many pages and will return for a more in depth study. It does have a fairly good (by the looks of it) instruction about installing Snort.

In passing, I liked the following :

"The root user is the dictator. What he or she permits, is allowed. What isn't allowed doesn't come up for debate. It's prohibited."

Sounds a lot like our Government (UK) "What isn't allowed doesn't come up for debate". LOL

Mon, 07/06/2009 - 08:12
Rogi

Hey Dim Git,

I use Fail2Ban (on Debian Lenny) and it doesn't conflict with Virtualmin. On Debian it's 'apt-get install fail2ban'. The default setup that it does itself should be good enough for you, it'll block SSH attempts after the 6th wrong password and lock 'em out for ten minutes.

Personally I edited the configuration file to make it email me on each ban (you just need to add your email address, the config file is well commented), and I changed the six attempts to just three, but I'm security mad. :) You don't actually need to change either of those things though.

If something goes wrong, don't blame me, but I really seriously doubt that anything will go wrong. I installed it originally on a great running system, was a relative newbie at the time and was just as concerned as you about screwing everything up, but it was dead simple.

As always, though, you should make a full backup before installing and/or altering stuff, but then you should always have full recent backups available anyway. If you haven't one day you will sorely wish that you had. ;)

Tue, 07/07/2009 - 09:25
miner

I enjoy using psad which reads logs from iptables rules and can catch port scans; and also OSSEC which monitors application logs. Both are capable of identifying and blocking miscreants for a configurable length of time. Their logs can be scanned manually or by script for persistent probers.

Both are easy to configure. As noted, psad requires iptables logs, and those are not easy to configure and monitor and refine.

Wed, 07/08/2009 - 11:05
recci

I'm actually getting the following error when trying to install Fail2Ban on Ubuntu.

The following packages have unmet dependencies:

fail2ban: Depends: python-central (>= 0.6.7) but it is not going to be installed E: Broken packages

Is this due to webmin/virtualmin or a Ubuntu issue?

Wed, 07/08/2009 - 11:05
recci

I'm actually getting the following error when trying to install Fail2Ban on Ubuntu.

The following packages have unmet dependencies:

fail2ban: Depends: python-central (>= 0.6.7) but it is not going to be installed E: Broken packages

Is this due to webmin/virtualmin or a Ubuntu issue?

Wed, 07/08/2009 - 12:08 (Reply to #18)
andreychek

It should be either, really ;-)

On my Ubuntu system (running Virtualmin), fail2ban installs cleanly.

With the above error, I'd guess that something is wrong with either the package you're installing, or with the Ubuntu mirrors you have setup.

Are you using any third party mirrors? And which Ubuntu version are you using?

If it helps, though, nothing about your Virtualmin setup should be causing that.

-Eric

Wed, 07/08/2009 - 12:30
recci

I solved it by using aptitude rather than apt-get. Apparently Ubuntu default install uses the wrong version of python.

Anything else that you no I should do to get Fail2ban working correctly in Ubuntu?

Wed, 07/08/2009 - 13:35
recci

should I be changing banaction from banaction = iptables-multiport to

banaction = hostsdeny

in Ubuntu.

Also it does seem to be working and blocking ssh when I try but I cant see the ban attempts in the fail2ban log and I added my email address to receive emails when a ban is made but no mails are coming in should I be changing MTA to mail as opposed to sendmail with a virtualmin setup?

Wed, 07/08/2009 - 19:15
recci

Fail2ban doesn't seem to work right in my version of Ubuntu, I got it installed but after a reboot it fails to start up again, its known bug and there was supposed to be a fix but I just couldn't get the right version installed or fix the issue myself.

However I did come across DenyHosts which is similar to failtoban but only blocks SSH this installed and worked without issue. All you have to do is add your own host/IP to the allowed hosts file and edit the config file to your preferences and that's it. The config file pretty much covers everything by default anyway so your pretty much good to go from the install.

What i didn't realise was that 1 failed login attempt in the config file means one ssh session which is 6 login attempts using putty. So if you set this to 5 in the conf file then that is 35 login attempts in total! So I just left it at default which is 1.

Also I couldn't get the report emails working for some reason but I got it sending them to root@localhost, How do I set up any mail going to the root mailbox in webmin to be forwarded to another address on the server?

Thu, 07/09/2009 - 11:04
ronald
ronald's picture

How do I set up any mail going to the root mailbox in webmin to be forwarded to another address on the server? I haven't done this actually, but logging in as root in usermin would allow you to set up the mail and forward I suppose

Thu, 07/09/2009 - 11:19 (Reply to #23)
andreychek

This is generally setup in /etc/aliases (and I'm sure is configurable by Webmin/Virtualmin, though I don't know where off the top of my head).

There's a line in the aliases file that reads:

root USER

Where "USER" is the user emails destined for root should go to. You can tweak that line, then just run "newaliases" when you're done.

-Eric

Wed, 07/15/2009 - 02:10
Dim Git

Sorry to drag this up again.

I have been a little too busy to devote much time to this subject but I'm now back "on the case".

Thanks for all the feedback, much appreciated. After an amount of reading, I have decided to have a go with Fail2Ban. Sounds like I can't mess it up, and I can understand it.

I figure that the safest method of installing anything is to use Yum. That is where it all goes wrong !

I have two servers using VM, one using PRO and the other I have been using as a sandpit is using GPL. Both were installed from fresh install of Centos 5.3, updated etc. I have changed nothing as far as I am aware on either.

If I search YUM from Webmin -> System -> Software Packages on the GPL version, I find Fail2Ban is available to install ( 0.8.2-3.el5.rf). If I do the same on the PRO version "No packages matching your search were found."

Obviously, it is the PRO server I want to install it on.

Any suggestions would be very welcome.

Thanks for reading.

Wed, 07/15/2009 - 08:28 (Reply to #25)
andreychek

Well, I'd be kind of surprised to learn that fail2ban were in the stock CentOS repositories; so I have a suspicion that one of your servers there has a repository enabled that the other does not.

I'd look at what repositories are setup on each box and compare the results.

As an aside, I do want to point out there you should be careful with third party repo's, they have the capability of conflicting with the Virtualmin repository :-)

Have a good one!

-Eric

Thu, 07/16/2009 - 06:06
Dim Git

You are, of course, correct Eric.

I thought the servers were identical. :( So that means I cannot rely on that.

I guess I will have to install from RPM.

I did a search using the Webmin software packages form for Fail2Ban.

Can anyone confirm that this one is the right choice please.

fail2ban-0.8.2-3.el5.rf.noarch.rpm DAG packages for Red Hat Linux el5 x86_64

If not, please suggest another or even another route. I am feeling a little unsafe at the moment.

I have another box running GPL version which is not working very well because I changed something I shouldn't have. If I wasn't running VM, I would feel a little safer trying things. How weird is that ?

Thanks for reading and sorry to be so annoying.

Thu, 07/16/2009 - 07:31 (Reply to #27)
andreychek

I don't have any experience with fail2ban, so I can't really offer much insight into where the best place to install it from would be.

I can, however, help you figure out where the copy of fail2ban on your one server came from :-)

If you type:

yum list | grep fail2ban

You'll see your fail2ban version, and the name of the repository it was installed from.

If it's working on the one server, you could always duplicate the setup onto your other one.

-Eric

Fri, 07/17/2009 - 18:14
mdtiberi

Dim Git:

You can try denyhosts (http://denyhosts.sourceforge.net/). It's simple to use and does the job. Another consideration is using Atomic Secured Linix (http://www.progllc.com/products/asl.html). I have been using it since my Plesk days and it installs denyhosts, grsecsurity and OSSEC. It's very nice and the ART forums are very helpful. I did have a few initial glitches with Webmin and ASL at install with clamav but other than that I have been running for months with no problems.

The only caveat is my distro is CentOS 5.3

Mon, 03/22/2010 - 02:03
fakemoth
fakemoth's picture

Now this is really annoying: everyone keeps saying that Fail2ban just works but in fact it doesn't on CentOS - for once I would like to find some linux piece of software that doesn't take a PhD to make it work :)

So I installed fail2ban from ATrpm fail2ban-0.8.4-24.el5 (first shorewall, it was a dependancy, but never run it), enabled the ssh and proftpd sections in jail.conf, modified for proftpd the path to /var/log/secure as I read and waited for those chinese IP's...

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=some@mail.ro, sender=fail2ban@mail.com]
logpath  = /var/log/secure
maxretry = 5

[proftpd-iptables]

enabled  = true
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=some@mail.ro]
logpath  = /var/log/secure
maxretry = 5

Everything seems fine except it does nothing. It starts, runs and sends the emails but that's all. Any ideeas?

Don't take the name of root in vain...

Mon, 03/22/2010 - 02:09
Dim Git

Sounds like you are in the same place I was.

I find that Fail2Ban works well, there are a few minor issues but ...

Back to getting it running.

if you run fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf you should get a report about how many matches there were in your logs. Do you get matches indicated in that report ? Pleas post any salient parts here.

I found this page quite helpful http://www.fail2ban.org/wiki/index.php/FAQ_english

For the moment, I would disable the proftpd jail and work on just the ssh one, then when the system is working, start on the FTP and any others you need.

I tried for ages to get this working but failed miserably, all seemed to be set up correctly but it just wouldn't ban. Until I did a reboot! Before you do that however, let's see if your setup is correct.

Please post the content of /etc/fail2ban/filter.d

Mon, 03/22/2010 - 02:21
fakemoth
fakemoth's picture

Thanks for your reply Dim Git, There are no matches, however ftp is the one that interests me; manually banned the hell out of the ssh attempts, and it seems I have no problems - FTP is another story:

- Number of matches:
   [1] 0 match(es)
   [2] 0 match(es)
   [3] 0 match(es)
   [4] 0 match(es)
   [5] 0 match(es)
   [6] 0 match(es)
   [7] 0 match(es)
   [8] 0 match(es)
   [9] 0 match(es)
   [10] 0 match(es)

I restarted the services and did a reboot, and googled about my problem. Nothing. /etc/fail2ban/filter.d/proftpd.conf, a very default one:

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$
            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

Don't take the name of root in vain...

Mon, 03/22/2010 - 02:29
fakemoth
fakemoth's picture

Sry for not posting it before. After the reboot I got this:

fail2ban.actions.action: ERROR  iptables -N fail2ban-SSH iptables -A fail2ban-SSH -j RETURN iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 100

So i stoped ssh, I'd rather do something about the FTP first as I said, and set the logpath to /var/log/messages - no error for now. I will keep posting my results.

Don't take the name of root in vain...

Tue, 03/23/2010 - 01:57
Dim Git

Sorry, I can't help with the error message you are getting, outside my limited experience.

However, your jail.conf matches mine (for the ftp section anyway) but I have added another line to the /etc/fail2ban/filter.d/proftpd.conf file below the last regex, I have added :-

USER \S+: no such user found from \S* ?[(?:::f{4,6}:)?(?P\S+)] to \S+\s$ (\S[]) - USER \S+ (Login failed): Incorrect password. $

Where I got that line I can't remember, but it seems to work for me.

I would still recommend that you disable all other jails until you get the FTP one sorted.

It might be worth looking at the logs to see what the entries look like for attempts you think should have been caught and see why they differ from the regex lines you have. I am hopeless with regex but others on here might help.

My installation is covering : ssh, proftpd, sasl and dovecot. I tried the suggestions for alternatives suggested (above) but failed for one reason or another. Fail2Ban worked for me but needed quite a bit of fiddling, at least it was fiddling that didn't scare me.. I feel a lot safer. :o)

Good luck and let us know how you go.

Wed, 03/24/2010 - 02:22
fakemoth
fakemoth's picture

I switched back in jail.conf to /var/log/secure as it seems it "matches" the syntax. So this is how it looks in the log a ftp attempt:

Mar 24 06:21:51 ns1 proftpd[8097]: ns1.liq.ro (::ffff:211.103.155.49[::ffff:211.103.155.49]) - no such user 'tsinternetusers'
Mar 24 06:21:51 ns1 proftpd[8097]: ns1.liq.ro (::ffff:211.103.155.49[::ffff:211.103.155.49]) - USER tsinternetusers: no such user found from ::ffff:211.103.155.49 [::ffff:211.103.155.49] to ::ffff:86.125.xx.xx:21
Mar 24 06:21:51 ns1 proftpd[8097]: ns1.liq.ro (::ffff:211.103.155.49[::ffff:211.103.155.49]) - Maximum login attempts (3) exceeded
Mar 24 06:21:51 ns1 proftpd[8097]: ns1.liq.ro (::ffff:211.103.155.49[::ffff:211.103.155.49]) - FTP session closed.

and this is the rule in fail2ban's proftpd.conf:

failregex = \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$

It seems that it should match the second line from the secure log, but when I fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/proftpd.conf it founds no matches!

Any ideas?

Don't take the name of root in vain...

Wed, 03/24/2010 - 03:25
fakemoth
fakemoth's picture

Pfff got something - it seems that the syntax in fail2ban's conf files is totally screwed up. Tried everything i could find on the web - and than by pure... inspiration in mixing the lines suggested by others (took about 2 weeks to find it though lol) and looking at the errors and the files I came upon this for CentOS 5.4 x64, proftpd 1.3.0, fail2ban-0.8.4:

  1. The path for the FTP section is as we all suspected /var/log/secure

  2. Comment everything in failregex area in the proftpd.conf file cause will do you no good and add only 1 line, so it should look like:

# Fail2Ban configuration file
#
# Author: Yaroslav Halchenko
#
# $Revision: 728 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = USER \S+: no such user found from \S* ?\[<HOST>\] to \S+\s*$
#            \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found from \S+ \[\S+\] to \S+:\S+$
#            \(\S+\[<HOST>\]\)[: -]+ Maximum login attempts \(\d+\) exceeded$
#            \(\S+\[<HOST>\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password\.$
#            \(\S+\[<HOST>\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.$


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
  1. Run the command fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/proftpd.conf - in my case found 6849 per 1 day from a single IP - I think we all have better things to do with this kind of wasted resources :) I will wait to see an attacker in action vs my firewall.

  2. I will continue to post as I will try to refine everything - the main objective is to block automatically for certain aggresive IP's forever all the ports, but not very aggresive from my part; people do forget their passwords, u know ? :))

Don't take the name of root in vain...

Wed, 03/24/2010 - 03:40
Dim Git

Hmmm ! seems that while you were posting, I was typing. :-)

Apologies, the test you have to run now is

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/proftpd.conf

That specifies "secure" log and "proftpd.conf" regex.

Also, in /etc/fail2ban/jail.conf there is a line above the regex's for "backend".

I do remember changing this a couple of times. Mine is set to "auto", is yours ?

One other thing which I don't know will cause any problems is that in your /etc/fail2ban/filter.d/proftpd.conf you have set "maxretry = 5" and the log entry shows "Maximum login attempts (3) exceeded". That shouldn't stop the regex test showing matches but if the attacker never gets above 3 attempts it might stop Fail2Ban ever reaching the threshold of 5 (depends upon the ban times you have set).

Wed, 03/24/2010 - 04:05
fakemoth
fakemoth's picture

Got the part with the fail2ban-regex command when i said I was going to ignore SSH for now. The main problem was that it didn't fin matches in the logfiles, so as posted while you were typing :) it had something to do with the syntax in the .conf files.

I will keep an eye on the thingy to see if it works and post back ;)

Don't take the name of root in vain...

Wed, 03/24/2010 - 09:30
fakemoth
fakemoth's picture

Yeap now works. It took exactly 5 hits in the log to get them banned (auto, btw, is my setting too). Here is the e-mail:

Hi,

The IP 60.217.229.228 has just been banned by Fail2Ban after 5 attempts against ProFTPD.

Here are more information about 60.217.229.228:

[Querying whois.apnic.net] [whois.apnic.net] % [whois.apnic.net node-2] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 60.208.0.0 - 60.217.255.255 netname: UNICOM-SD descr: China Unicom Shandong province network descr: China Unicom country: CN admin-c: CH1302-AP tech-c: XZ14-AP mnt-by: APNIC-HM mnt-lower: MAINT-CNCGROUP-SD mnt-routes: MAINT-CNCGROUP-RR status: ALLOCATED PORTABLE remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+ remarks: This object can only be updated by APNIC hostmasters. remarks: To update this object, please contact APNIC remarks: hostmasters and include your organisation's account remarks: name in the subject line. remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+ changed: hm-changed@apnic.net 20040705 changed: hm-changed@apnic.net 20060125 changed: hm-changed@apnic.net 20090508 source: APNIC

route: 60.216.0.0/15 descr: CNC Group CHINA169 Shandong Province Network country: CN origin: AS4837 mnt-by: MAINT-CNCGROUP-RR changed: abuse@cnc-noc.net 20060118 source: APNIC

person: ChinaUnicom Hostmaster nic-hdl: CH1302-AP e-mail: abuse@chinaunicom.cn address: No.21,Jin-Rong Street address: Beijing,100140 address: P.R.China phone: +86-10-66259940 fax-no: +86-10-66259764 country: CN changed: abuse@chinaunicom.cn 20090408 mnt-by: MAINT-CNCGROUP source: APNIC

person: XIAOFENG ZHANG nic-hdl: XZ14-AP e-mail: ip@pub.sd.cninfo.net address: Jinan,Shandong P.R China phone: +86-531-6666666 fax-no: +86-531-6666666 country: CN changed: ip@sdinfo.net 20050330 mnt-by: MAINT-ZXF source: APNIC

Regards,

Fail2Ban

Now i only have to figure out some lines for the really annoying IPs > permanent bans. So - thank you Fail2Ban - and thanks to all the posters!

Don't take the name of root in vain...

Thu, 03/25/2010 - 02:55
Dim Git

Personally, I'm not keen on permanent bans but here is something I've been thinking about but not actually got around to doing/attempting.

Each time Fail2ban bans an IP, it gets logged in the Fail2Ban log.

Fail2Ban works by watching for a regex match in whichever log you instruct it to.

Do you see where this is going ?

Those attackers who set up a script and walk away get unbanned after 10 mins (or whatever period you have set). That gives him 3 attempts every 10 mins.

If Fail2Ban is set up to watch it's own logs it can place a long term ban on an IP. For instance, three times banned by Fail2Ban, IP number banned for 7 days.

Cool idea ?

Thu, 03/25/2010 - 03:38
fakemoth
fakemoth's picture

Cool idea! I will try to implement something like this as soon as I solve some mail problems. Fortunately Webmin/Usermin takes care of webmail part :)

Don't take the name of root in vain...

Fri, 03/26/2010 - 02:05
Dim Git

It would be nice if you could let me know how you get on with that please. As you have read/realised, I'm not too good at this stuff.

It would also be nice, I think, if Fail2Ban could be added to VM.

Fri, 03/26/2010 - 03:02
fakemoth
fakemoth's picture

I'll keep posting the results. Neither am I - only very stubborn :)

Please post here in the Blue Skies section https://www.virtualmin.com/node/13841 only one voice I don't think can get noticed soon.

Don't take the name of root in vain...

Sun, 03/28/2010 - 20:21
sgrayban

debian uses denyhosts if anyone wants to know - apt-get install denyhosts

conf -> /etc/denyhosts.conf

Wed, 04/28/2010 - 07:23
fakemoth
fakemoth's picture

Back again with more good news now regarding Dovecot. It seems that for CentOS at least all the config files are messed up, many of those found on the web even breaking fail2ban. And now i got a major problem with the e-mail part, lot of authentication failures in the logs... solved :)

For the Dovecot part I did this:

  • create a new dovecot.conf with:
[Definition]

failregex = dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
ignoreregex =
  • adding to jail.conf:
[dovecot-iptables]
enabled = true
filter = dovecot
action = iptables-multiport[name=Dovecot, port="110,995,143,993", protocol=tcp]
sendmail-whois[name=Dovecot, dest=your@mail.ro]
logpath = /var/log/secure
bantime  = 60
maxretry = 5

The test /usr/bin/fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf revealed:

Failregex
|- Regular expressions:
|  [1] dovecot-auth: pam_unix\(dovecot:auth\): authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
|
`- Number of matches:
   [1] 12425 match(es)

Now I will wait to see those IP's in action ;) and then I will replicate it on my second server. It should work, in my experience if the test is successful Fail2Ban never... fails lol

Don't take the name of root in vain...

Wed, 04/28/2010 - 07:21
Blueforce

Hi guys!

Here are a few nice things to do in your firewall to get rid of lot of brute force attacks. I have used them for many years. I saw in the thread that someone was looking for this, I think anyway, I posted this in the forum years ago and only parts of my original post managed to survive Virtualmins webpage updates over the years. So, here it comes again if someone is interested.

First of all I have set the "MaxAuthTries" to 2, which gives me only three tries to get the password right.
If i connect to SSH and try to log in with incorrect user or password i get disconnected, if I then try to restart the session the iptables settings have dropped my IP for the preferred time, in my case I use 300 sec. I now have to wait these seconds until I'm able to start a new session from the same IP. And even if I just start a SSH session without trying to log in and close it, my IP gets dropped for the preferred time.

Make sure that these rules is in this order, and if you have an existing rule for port 22 and want to keep it these has to go before. These rules will have NO effect if you have a ACCEPT for port 22 in front of these. You have to change the xxx.xxx.xxx.xxx to your server IP.

Rule 1 ------------------------------------------------------------------------------
From command line:
iptables -A RH-Firewall-1-INPUT -d xxx.xxx.xxx.xxx -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT

From Webmin:
Action to take: Accept
Destination address or network: Equals xxx.xxx.xxx.xxx
Network protocol: Equals TCP
TCP flags set: Does not equal (First row) SYN
TCP flags set: Does not equal (Second row) SYN ACK RST

Rule 2 ------------------------------------------------------------------------------
From command line:
iptables -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 300 --name DEFAULT --rsource -j DROP

From Webmin:
Action to take: Drop
Incoming interface: Equals eth0
Network protocol: Equals TCP
Destination TCP or UDP port: Port(s) 22
Connection states: Equals New connection(NEW)
Additional IPtables modules: recent
Additional parameters: --update --seconds 300 --name DEFAULT --rsource

Rule 3 ------------------------------------------------------------------------------
From command line:
iptables -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name DEFAULT --rsource -j ACCEPT

From Webmin:
Action to take: Accept
Incoming interface: Equals eth0
Network protocol: Equals TCP
Destination TCP or UDP port: Port(s) 22
Connection states: Equals New connection(NEW)
Additional IPtables modules: recent
Additional parameters: --set --name DEFAULT --rsource

Regards,
Leif (Blueforce)

Topic locked