The Community Forums


Blocking IP addresses that keep hammering?

Discussion in 'General Discussion' started by ryno267, Sep 1, 2004.

  1. ryno267

    ryno267 Well-Known Member

    Joined:
    Mar 3, 2004
    Messages:
    212
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chandler, AZ
    cPanel Access Level:
    Root Administrator
    In my LogWatch reports every day, I continue to get the same two IPs that keep trying to log into an old demo account I had. I set up a demo account for the control panel and they somehow found it and used it for emailing... I stopped all that and eliminated the account, but they keep pinging my server trying to get into that old account.

    Is there a way to completely block these IPs from my server so they don't even show up in the LogWatch anymore?
    Maybe you guys should ban these IPs too because they are spammers.

    LogWatch:
    Code:
    --------------------- SSHD Begin ------------------------ 
    Failed logins from these:
       admin/password from 211.46.49.252: 2 Time(s)
       admin/password from 66.114.227.251: 6 Time(s)
       guest/password from 211.46.49.252: 1 Time(s)
       guest/password from 66.114.227.251: 3 Time(s)
       root/password from 211.46.49.252: 3 Time(s)
       root/password from 66.114.227.251: 9 Time(s)
       test/password from 211.46.49.252: 3 Time(s)
       test/password from 66.114.227.251: 6 Time(s)
       user/password from 211.46.49.252: 1 Time(s)
       user/password from 66.114.227.251: 3 Time(s)
    
    **Unmatched Entries**
    Illegal user test from 211.46.49.252
    Illegal user test from 211.46.49.252
    Illegal user guest from 211.46.49.252
    Illegal user admin from 211.46.49.252
    Illegal user admin from 211.46.49.252
    Illegal user user from 211.46.49.252
    Illegal user test from 211.46.49.252
    Illegal user test from 66.114.227.251
    Illegal user guest from 66.114.227.251
    Illegal user admin from 66.114.227.251
    Illegal user admin from 66.114.227.251
    Illegal user user from 66.114.227.251
    Illegal user test from 66.114.227.251
    Illegal user test from 66.114.227.251
    Illegal user guest from 66.114.227.251
    Illegal user admin from 66.114.227.251
    Illegal user admin from 66.114.227.251
    Illegal user user from 66.114.227.251
    Illegal user test from 66.114.227.251
    Illegal user test from 66.114.227.251
    Illegal user guest from 66.114.227.251
    Illegal user admin from 66.114.227.251
    Illegal user admin from 66.114.227.251
    Illegal user user from 66.114.227.251
    Illegal user test from 66.114.227.251
    ---------------------- SSHD End ------------------------- 
    
    thanks much guys!
     
  2. hostmoon

    hostmoon Well-Known Member

    Joined:
    Aug 4, 2004
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    #2 hostmoon, Sep 1, 2004
    Last edited: Sep 1, 2004
  3. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    You didn't say what OS you were running.

    If you are running iptables, you can enter:

    iptables -A INPUT -s <IP> -j DROP

    as root from a shell inserting the IP you want to block for <IP> and repeat as needed.
     
  4. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    To block an IP in APF, go to /etc/apf and pico deny_hosts.conf. Scroll down and add the IP addresses you need to block, each on a separate line. Comments with more details are in the file.

    http://www.webhostgear.com/61.html
     
  5. easyhttp

    easyhttp Active Member

    Joined:
    Dec 25, 2003
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Middle East - Jordan
    It's fairly useless because the IPs tend to change quickly or are compromised hosts themselves.
     
  6. JamieH

    JamieH Member

    Joined:
    Aug 16, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    What I do

    Well, what I do (on Red Hat 9) is edit the /etc/hosts.allow and hosts.deny files.

    I have it to where only me and techs can access ssh
     
  7. NovemberRain

    NovemberRain Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    İstanbul
    cPanel Access Level:
    Root Administrator
    Just change the ssh port to something else.
     
  8. easyhttp

    easyhttp Active Member

    Joined:
    Dec 25, 2003
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Middle East - Jordan
    Maybe disabling all SSH access for a while would help.
     
  9. Chew

    Chew Well-Known Member

    Joined:
    Dec 31, 2003
    Messages:
    96
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Maryland
    that's just what I did...

    Changed my port number, and now, haven't had a single login attempt for about a month now.

    Chew
     
  10. ryno267

    ryno267 Well-Known Member

    Joined:
    Mar 3, 2004
    Messages:
    212
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chandler, AZ
    cPanel Access Level:
    Root Administrator
    How do you change your SSH port number? And what else does that affect on the server?
     
  11. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    Hey ryno267,

    To block IPs from your server, just log in as root

    and use this command:
    root@server [~]# iptables -A INPUT -p tcp -s 67.111.75.70 -j DROP
    (or whatever other IP)


    And when you want to clear out the iptables, you will just issue:
    iptables -F or -D
     
  12. ryno267

    ryno267 Well-Known Member

    Joined:
    Mar 3, 2004
    Messages:
    212
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chandler, AZ
    cPanel Access Level:
    Root Administrator
    I get this error when trying to do that

    Code:
    root@host [/]# iptables -A INPUT -p tcp -s 211.46.49.252 -j DROP
    bash: iptables: command not found
    
     
  13. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    That command line was for RedHat 9. What OS are you running?
     
  14. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    I am not sure why you would limit it to TCP traffic (-p tcp). The post I made earlier would cover all traffic from a single IP.

     
  15. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    You're right, SarcNBit :)
     
  16. ryno267

    ryno267 Well-Known Member

    Joined:
    Mar 3, 2004
    Messages:
    212
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chandler, AZ
    cPanel Access Level:
    Root Administrator
    I still get the same error with those iptables commands, SarcNBit...

    I'm running RedHat 9 i686 (what it says in my WHM).

     
  17. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    Do you have /sbin/iptables?

    What are the permissions on the file?
     
  18. ryno267

    ryno267 Well-Known Member

    Joined:
    Mar 3, 2004
    Messages:
    212
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chandler, AZ
    cPanel Access Level:
    Root Administrator
    okay... THANKS for telling me where it was located

    cd /sbin/

    then

    root@host [/sbin]# ./iptables -A INPUT -s 211.46.49.252 -j DROP
    root@host [/sbin]# ./iptables -A INPUT -s 66.114.227.251 -j DROP
    root@host [/sbin]# ./iptables -A INPUT -s 80.254.111.178 -j DROP


    It seemed to work! woot...


    thanks... !
     
    #18 ryno267, Sep 3, 2004
    Last edited: Sep 13, 2004
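    Putting the thread's pieces together (the LogWatch SSHD format from the first post, SarcNBit's point that leaving out -p tcp drops every protocol from the IP, and the full /sbin/iptables path that finally worked): an added shell example, not code from any poster, that tallies failed attempts per source IP from a report on stdin and prints the DROP lines for the noisy ones, skipping an allowlist so an admin's own address is never blocked. The report, IPs, threshold and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: turn a LogWatch SSHD section into iptables DROP lines.
# It prints the commands rather than running them, so the output can be
# reviewed before it is applied as root.

# Constructed sample in the LogWatch format shown in the thread; the IPs
# and counts are made up, not the original report.
SAMPLE_REPORT='--------------------- SSHD Begin ------------------------
Failed logins from these:
   admin/password from 192.0.2.10: 2 Time(s)
   root/password from 192.0.2.10: 3 Time(s)
   root/password from 198.51.100.7: 1 Time(s)

**Unmatched Entries**
Illegal user test from 192.0.2.10
Illegal user guest from 192.0.2.10
Illegal user test from 203.0.113.5
---------------------- SSHD End -------------------------'

# Tally attempts per source IP read from stdin. "Time(s)" lines carry a
# count in field 4 (field 3 is the IP with a trailing colon); each
# "Illegal user" line counts as one attempt from field 5.
# Output: "<ip> <attempts>", highest count first.
tally_attempts() {
    awk '
        /Time\(s\)/      { sub(/:$/, "", $3); n[$3] += $4 }
        /^Illegal user / { n[$5] += 1 }
        END { for (ip in n) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# Print a DROP rule for every IP at or above THRESHOLD attempts, except
# those listed in ALLOW (space separated). No "-p tcp": all traffic from
# the IP is dropped, as SarcNBit pointed out. Full path, since the
# cPanel shell in the thread did not have /sbin in $PATH.
drop_rules() {
    threshold=$1
    allow=" $2 "
    while read -r ip count; do
        [ "$count" -ge "$threshold" ] || continue
        case "$allow" in *" $ip "*) continue ;; esac
        printf '/sbin/iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# Report text -> rules, in one call: rules_for_report REPORT THRESHOLD ALLOW
rules_for_report() {
    printf '%s\n' "$1" | tally_attempts | drop_rules "$2" "$3"
}

# Example run: block IPs with 5 or more attempts, never the admin's host.
rules_for_report "$SAMPLE_REPORT" 5 "198.51.100.7"
```

    Pipe a real report into tally_attempts to see the counts first; the rules are only printed, so apply them with sh only after reading them.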
  19. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    Got the following from a post on one of the forums I visit. It seems to work quite well.
    ------------------------------------

    /sbin/route add -host 111.111.111.111 reject

    Where 111.111.111.111 is the origin IP.

    This will kill all incoming and outgoing connections from that IP.

    There is no file it's written to; it is kept in the kernel routing table
    (which is in memory).

    If you would like to keep the information after rebooting, just add the commands
    to /etc/rc.d/rc.local and it will re-execute them when the server comes back online.
     
  20. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    You could always try 'locate iptables' ;)
     