cPanel Forums

ThaMATRiX · #1 (**permalink**) 10-07-2004, 10:38 PM

Hi. In my LogWatch it shows this...

Quote:

--------------------- SSHD Begin ------------------------

Failed logins from these:
adm/password from ::ffff:211.248.38.252: 6 Time(s)
admin/password from ::ffff:218.3.161.2: 11 Time(s)
apache/password from ::ffff:211.248.38.252: 3 Time(s)
cosmin/password from ::ffff:211.248.38.252: 3 Time(s)
cyrus/password from ::ffff:211.248.38.252: 7 Time(s)
guest/password from ::ffff:218.3.161.2: 8 Time(s)
horde/password from ::ffff:211.248.38.252: 7 Time(s)
iceuser/password from ::ffff:211.248.38.252: 8 Time(s)
irc/password from ::ffff:211.248.38.252: 6 Time(s)
jane/password from ::ffff:211.248.38.252: 3 Time(s)
matt/password from ::ffff:211.248.38.252: 5 Time(s)
mysql/password from ::ffff:211.248.38.252: 4 Time(s)
nobody/password from ::ffff:211.248.38.252: 9 Time(s)
operator/password from ::ffff:211.248.38.252: 3 Time(s)
pamela/password from ::ffff:211.248.38.252: 3 Time(s)
patrick/password from ::ffff:211.248.38.252: 16 Time(s)
rolo/password from ::ffff:211.248.38.252: 8 Time(s)
root/password from ::ffff:211.248.38.252: 120 Time(s)
root/password from ::ffff:218.3.161.2: 11 Time(s)
test/password from ::ffff:211.248.38.252: 16 Time(s)
test/password from ::ffff:218.3.161.2: 11 Time(s)
user/password from ::ffff:218.3.161.2: 4 Time(s)
www-data/password from ::ffff:211.248.38.252: 4 Time(s)
www/password from ::ffff:211.248.38.252: 7 Time(s)
wwwrun/password from ::ffff:211.248.38.252: 6 Time(s)

Illegal users from these:
admin/none from ::ffff:218.3.161.2: 11 Time(s)
admin/password from ::ffff:218.3.161.2: 11 Time(s)
apache/none from ::ffff:211.248.38.252: 3 Time(s)
apache/password from ::ffff:211.248.38.252: 3 Time(s)
cosmin/none from ::ffff:211.248.38.252: 3 Time(s)
cosmin/password from ::ffff:211.248.38.252: 3 Time(s)
cyrus/none from ::ffff:211.248.38.252: 7 Time(s)
cyrus/password from ::ffff:211.248.38.252: 7 Time(s)
guest/none from ::ffff:218.3.161.2: 8 Time(s)
guest/password from ::ffff:218.3.161.2: 8 Time(s)
horde/none from ::ffff:211.248.38.252: 7 Time(s)
horde/password from ::ffff:211.248.38.252: 7 Time(s)
iceuser/none from ::ffff:211.248.38.252: 8 Time(s)
iceuser/password from ::ffff:211.248.38.252: 8 Time(s)
irc/none from ::ffff:211.248.38.252: 6 Time(s)
irc/password from ::ffff:211.248.38.252: 6 Time(s)
jane/none from ::ffff:211.248.38.252: 3 Time(s)
jane/password from ::ffff:211.248.38.252: 3 Time(s)
matt/none from ::ffff:211.248.38.252: 5 Time(s)
matt/password from ::ffff:211.248.38.252: 5 Time(s)
pamela/none from ::ffff:211.248.38.252: 3 Time(s)
pamela/password from ::ffff:211.248.38.252: 3 Time(s)
rolo/none from ::ffff:211.248.38.252: 8 Time(s)
rolo/password from ::ffff:211.248.38.252: 8 Time(s)
test/none from ::ffff:211.248.38.252: 16 Time(s)
test/none from ::ffff:218.3.161.2: 11 Time(s)
test/password from ::ffff:211.248.38.252: 16 Time(s)
test/password from ::ffff:218.3.161.2: 11 Time(s)
user/none from ::ffff:218.3.161.2: 4 Time(s)
user/password from ::ffff:218.3.161.2: 4 Time(s)
www-data/none from ::ffff:211.248.38.252: 4 Time(s)
www-data/password from ::ffff:211.248.38.252: 4 Time(s)
www/none from ::ffff:211.248.38.252: 7 Time(s)
www/password from ::ffff:211.248.38.252: 7 Time(s)
wwwrun/none from ::ffff:211.248.38.252: 6 Time(s)
wwwrun/password from ::ffff:211.248.38.252: 6 Time(s)

---------------------- SSHD End -------------------------

How can I block those ips from the box completely? Thanks.

cguimont · #2 (**permalink**) 10-07-2004, 11:02 PM

Brute Force Detection( bfd) from rfx networks

ThaMATRiX · #3 (**permalink**) 10-07-2004, 11:14 PM

Sounds good, and its free, but do I need a already in place firewall for it to work with? Or does it handle everything? Thanks.

SarcNBit · #4 (**permalink**) 10-07-2004, 11:17 PM

You need to run APF (available from the same site) in order to run BFD.

bullethost696 · #5 (**permalink**) 10-08-2004, 07:32 PM

I would run

PHP Code:


			
iptables -A INPUT -s 211.248.38.252 -j DROP

just to block the ip from any more attempts then go about with securing your server

GOT · #6 (**permalink**) 10-08-2004, 07:47 PM

BFD has issues with the script that adds teh ffff in front of the IP. Has this been fixed?

GufyMike · #7 (**permalink**) 10-09-2004, 03:36 AM

easier add it to /etc/hosts.deny

211.248.38.252:*

Simpole yet effective.

ThaMATRiX · #8 (**permalink**) 10-09-2004, 09:21 AM

Quote:

Originally Posted by GotHosting

BFD has issues with the script that adds teh ffff in front of the IP. Has this been fixed?

Yes, has that been fixed?

dgbaker · #9 (**permalink**) 10-09-2004, 10:13 AM

Quote:

Originally Posted by GufyMike

easier add it to /etc/hosts.deny

211.248.38.252:*

Simpole yet effective.

Easier? Maybe.. Best solution? No.

Why do things manually when they can be automated and taken care of immediately? BFD takes care of the issue as it is happening, not when some sysadmin finds and gets around to it.

preleaf · #10 (**permalink**) 10-11-2004, 12:35 AM

my server is also attacang I try this do :
root@host [~]# iptables -A INPUT -s 70.240.3.138 -j DROP
bash: iptables: command not found

anup123 · #11 (**permalink**) 10-11-2004, 01:13 AM

Run following commands from ssh and paste the output.

lsmod
ie Determine the loaded modules

modinfo ip_tables
ie Determine if the iptables kernel module is installed on your system

rpm -q iptables
ie Determine if the iptables user-space package is installed on your system

Anup

ThaMATRiX · #12 (**permalink**) 10-11-2004, 10:48 AM

Quote:

Originally Posted by anup123

Run following commands from ssh and paste the output.

lsmod
ie Determine the loaded modules

modinfo ip_tables
ie Determine if the iptables kernel module is installed on your system

rpm -q iptables
ie Determine if the iptables user-space package is installed on your system

Anup

root@xeon1 [~]# lsmod
Module Size Used by
ipt_owner 7745 0
ipt_REJECT 8897 0
iptable_filter 6209 1
ip_tables 18497 3 ipt_owner,ipt_REJECT,iptable_filter
md5 7745 1
ipv6 233701 28
tg3 79045 0
sg 33377 0
scsi_mod 102025 1 sg
microcode 10209 0
dm_mod 49477 0
ohci_hcd 22097 0
button 8793 0
battery 11085 0
asus_acpi 13017 0
ac 7373 0
ext3 99497 4
jbd 58457 1 ext3
root@xeon1 [~]#

root@xeon1 [~]# modinfo ip_tables
license: GPL
author: Netfilter Core Team <coreteam@netfilter.org>
description: IPv4 packet filter
vermagic: 2.6.8-1.521smp SMP 686 REGPARM 4KSTACKS gcc-3.3
depends:
root@xeon1 [~]#

root@xeon1 [~]# rpm -q iptables
iptables-1.2.9-2.3.1
root@xeon1 [~]#

SarcNBit · #13 (**permalink**) 10-11-2004, 12:20 PM

Quote:

Originally Posted by preleaf

my server is also attacang I try this do :
root@host [~]# iptables -A INPUT -s 70.240.3.138 -j DROP
bash: iptables: command not found

What OS are you running?

Try running using the full path to iptables or using 'su -' when su'ing to root.

anup123 · #14 (**permalink**) 10-11-2004, 12:48 PM

ThaMATRiX : I think you should be able to use iptables command. check with iptables -L

Actually that was for preleaf who was having error running that command and SarcNBit has already replied to the same. It's either iptables not being in path or not being there at all. SarcNBit suggestion would reveal furter details.

Anup

ThaMATRiX · #15 (**permalink**) 10-11-2004, 02:21 PM

Its Fedora Core 2

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode