The Community Forums


Server being hacked?

Discussion in 'General Discussion' started by ThaMATRiX, Oct 7, 2004.

  1. ThaMATRiX

    ThaMATRiX Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago
    Hi. In my LogWatch it shows this...

    How can I block those ips from the box completely? Thanks.
     
  2. cguimont

    cguimont Well-Known Member

    Joined:
    Jul 13, 2004
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    Brute Force Detection( bfd) from rfx networks
     
  3. ThaMATRiX

    ThaMATRiX Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago
    Sounds good, and it's free, but do I need an already in place firewall for it to work with? Or does it handle everything? Thanks.
     
  4. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    You need to run APF (available from the same site) in order to run BFD.
     
  5. bullethost696

    bullethost696 Well-Known Member

    Joined:
    Nov 23, 2003
    Messages:
    133
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    England, UK
    I would run
    PHP:
    iptables -A INPUT -s 211.248.38.252 -j DROP
    just to block the ip from any more attempts then go about with securing your server
     
  6. GOT

    GOT Get Proactive!

    Joined:
    Apr 8, 2003
    Messages:
    900
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Norfolk, VA
    cPanel Access Level:
    DataCenter Provider
    BFD has issues with the script that adds the ffff in front of the IP. Has this been fixed?
     
  7. GufyMike

    GufyMike Member

    Joined:
    Feb 9, 2004
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    easier add it to /etc/hosts.deny

    211.248.38.252:*


    Simple yet effective.
     
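To make the two manual blocks proposed in this thread (the iptables DROP rule and the hosts.deny entry) less error-prone, here is an added shell example; it is not from the thread or from any of the posters. It validates the address first, refuses the loopback range and an administrator address taken from an assumed ADMIN_IP variable so you cannot lock yourself out, and prints the rules rather than applying them so they can be reviewed. It uses `-I INPUT` instead of the thread's `-A INPUT` because a rule appended at the end sits below any earlier ACCEPT rule and may never be reached, and it writes the hosts.deny entry in the standard `ALL: address` daemon:client form.

```shell
#!/bin/sh
# Added example (not from the thread): build the two kinds of block the thread
# proposes, an iptables DROP and a hosts.deny entry, for one source address,
# after checking that the address is a well-formed IPv4 address and is not one
# we would regret blocking. Nothing here runs iptables; the rules are printed
# so an administrator can review them (or pipe them to sh).

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    addr="$1"
    # Reject anything that is not digits and dots, or has a leading, trailing
    # or doubled dot (this also rejects the ::ffff: mapped form).
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on the dots with 'set --' so no arrays are needed.
    oldifs="$IFS"; IFS=.; set -- $addr; IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables rule and the hosts.deny line for $1. Refuses loopback and
# the address held in ADMIN_IP (assumed to be set by whoever runs this) so the
# admin's own session is never cut off.
block_rules() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "refusing: '$ip' is not a valid IPv4 address" >&2; return 1; }
    case "$ip" in
        127.*) echo "refusing: $ip is loopback" >&2; return 1 ;;
    esac
    if [ -n "${ADMIN_IP:-}" ] && [ "$ip" = "$ADMIN_IP" ]; then
        echo "refusing: $ip is the admin address" >&2; return 1
    fi
    # -I rather than -A: an appended DROP sits below any earlier ACCEPT rule
    # (for example an "allow established" rule) and may never be reached.
    echo "/sbin/iptables -I INPUT -s $ip -j DROP"
    # hosts.deny only covers daemons linked against libwrap (tcp_wrappers);
    # the iptables rule covers every port, so the two are complementary.
    echo "echo 'ALL: $ip' >> /etc/hosts.deny"
}

# Stand-alone demonstration with the address from the thread.
block_rules 211.248.38.252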
  8. ThaMATRiX

    ThaMATRiX Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago
    Yes, has that been fixed?
     
  9. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Easier? Maybe.. Best solution? No.

    Why do things manually when they can be automated and taken care of immediately? BFD takes care of the issue as it is happening, not when some sysadmin finds and gets around to it.
     
  10. preleaf

    preleaf Well-Known Member

    Joined:
    Aug 25, 2004
    Messages:
    84
    Likes Received:
    0
    Trophy Points:
    6
    My server is also being attacked. I tried this:
    root@host [~]# iptables -A INPUT -s 70.240.3.138 -j DROP
    bash: iptables: command not found
     
  11. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    Run following commands from ssh and paste the output.

    lsmod
    i.e., determine the loaded modules

    modinfo ip_tables
    i.e., determine if the iptables kernel module is installed on your system

    rpm -q iptables
    i.e., determine if the iptables user-space package is installed on your system



    Anup
     
    #11 anup123, Oct 11, 2004
    Last edited: Oct 11, 2004
  12. ThaMATRiX

    ThaMATRiX Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago

    root@xeon1 [~]# lsmod
    Module Size Used by
    ipt_owner 7745 0
    ipt_REJECT 8897 0
    iptable_filter 6209 1
    ip_tables 18497 3 ipt_owner,ipt_REJECT,iptable_filter
    md5 7745 1
    ipv6 233701 28
    tg3 79045 0
    sg 33377 0
    scsi_mod 102025 1 sg
    microcode 10209 0
    dm_mod 49477 0
    ohci_hcd 22097 0
    button 8793 0
    battery 11085 0
    asus_acpi 13017 0
    ac 7373 0
    ext3 99497 4
    jbd 58457 1 ext3
    root@xeon1 [~]#

    root@xeon1 [~]# modinfo ip_tables
    license: GPL
    author: Netfilter Core Team <coreteam@netfilter.org>
    description: IPv4 packet filter
    vermagic: 2.6.8-1.521smp SMP 686 REGPARM 4KSTACKS gcc-3.3
    depends:
    root@xeon1 [~]#

    root@xeon1 [~]# rpm -q iptables
    iptables-1.2.9-2.3.1
    root@xeon1 [~]#
     
  13. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    What OS are you running?

    Try running using the full path to iptables or using 'su -' when su'ing to root.
     
  14. anup123

    anup123 Well-Known Member

    Joined:
    Mar 29, 2004
    Messages:
    897
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    This Planet
    ThaMATRiX: I think you should be able to use the iptables command. Check with iptables -L

    Actually that was for preleaf, who was having an error running that command, and SarcNBit has already replied to the same. It's either iptables not being in the path or not being there at all. SarcNBit's suggestion would reveal further details.

    Anup
     
  15. ThaMATRiX

    ThaMATRiX Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago
    It's Fedora Core 2.
     
  16. greengiant

    greengiant Well-Known Member

    Joined:
    Aug 31, 2003
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    If you have any Fedora Core 2 servers that are running Brute Force Detection (BFD), here is a modification to the ssh rule to stop it from adding ffff to APF's deny_hosts list. You have to add "| awk -F: '{print$4":"$5}'" to the end of ARG_VAL2. I finally found this solution after a long time searching the web. The ARG_VAL2 line in the ssh rules should look like this now.

    ARG_VAL2=`$TLOGP $LP $TLOG_TF.2 | grep sshd | grep -iwf $PATTERN_FILE | grep -w "for illegal" | awk '{print$13":"$11}' | awk -F: '{print$4":"$5}' >> $TMP/.sshd`


    The file you want to edit is /usr/local/bfd/rules/sshd
     
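The `awk -F: '{print$4":"$5}'` addition above works because the first awk stage emits `::ffff:IP:user`, and splitting that on colons puts the dotted address in field 4 and the user name in field 5. It assumes every address carries the `::ffff:` prefix, though: a plain `IP:user` line has only two colon-separated fields, so fields 4 and 5 come out empty and the address is lost. The following added shell example (not from the thread, and not BFD's own code) reads constructed sshd log lines in the same old "Failed password for illegal user" format that BFD's field numbers expect, strips the prefix only when it is present, and counts attempts per source address, which is the core of what BFD does before it hands an address to APF.

```shell
#!/bin/sh
# Added example: normalise the "::ffff:A.B.C.D" IPv4-mapped form that sshd
# logs on a dual-stack host to a plain IPv4 address, then count failed logins
# per source. Not BFD's code; the field numbers match the thread's awk
# ($11 = user, $13 = host) for the old "Failed password for illegal user" line.

# Constructed sample sshd log lines: two with a mapped address, one plain,
# and one successful login that must be ignored.
SAMPLE_LOG='Oct  7 03:12:01 xeon1 sshd[2101]: Failed password for illegal user test from ::ffff:211.248.38.252 port 44521 ssh2
Oct  7 03:12:04 xeon1 sshd[2104]: Failed password for illegal user admin from ::ffff:211.248.38.252 port 44530 ssh2
Oct  7 03:13:10 xeon1 sshd[2110]: Failed password for illegal user guest from 70.240.3.138 port 3344 ssh2
Oct  7 03:14:00 xeon1 sshd[2115]: Accepted password for root from 10.0.0.5 port 5000 ssh2'

# Read sshd log lines on stdin; print one "ip:user" per failed login for a
# non-existent ("illegal") user. sub() removes the ::ffff: prefix only when it
# is there, so plain IPv4 lines survive too (the -F: trick would drop them).
failed_logins() {
    grep sshd | grep -w "for illegal" |
    awk '{ sub(/^::ffff:/, "", $13); print $13 ":" $11 }'
}

# Read sshd log lines on stdin; print "count ip" for every source address with
# at least $1 failed attempts (default 2), most active first.
offenders() {
    threshold="${1:-2}"
    failed_logins |
    awk -F: -v t="$threshold" '{ n[$1]++ } END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' |
    sort -rn
}

# Stand-alone demonstration on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | offenders 2
```

The output of the last line is the list an automated blocker would act on; with the constructed log it is the one address that failed twice, and the address no longer carries the prefix that confused APF's deny list.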
  17. ThaMATRiX

    ThaMATRiX Well-Known Member

    Joined:
    Feb 1, 2004
    Messages:
    196
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago
    That file doesn't exist?
    Also, does this mean I already have APF? Do I just need to install the BFD?
     
  18. greengiant

    greengiant Well-Known Member

    Joined:
    Aug 31, 2003
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    You need to run APF (available from the same site) in order to run BFD.

    If you have installed bfd to a different location then you still have to edit the sshd file that is in the bfd rules directory. The default location for bfd to install is /usr/local/bfd
     
  19. preleaf

    preleaf Well-Known Member

    Joined:
    Aug 25, 2004
    Messages:
    84
    Likes Received:
    0
    Trophy Points:
    6
    My OS is Fedora.
     
  20. preleaf

    preleaf Well-Known Member

    Joined:
    Aug 25, 2004
    Messages:
    84
    Likes Received:
    0
    Trophy Points:
    6
    root@host [~]# lsmod
    Module Size Used by Not tainted
    ipt_mark 984 1 (autoclean)
    ipt_MARK 1368 13 (autoclean)
    ipt_TOS 1656 7 (autoclean)
    iptable_mangle 2776 1
    ip_conntrack_ftp 5392 0 (unused)
    ip_conntrack_irc 4240 0 (unused)
    ipt_unclean 8056 3
    ipt_REJECT 4344 4
    ipt_LOG 4344 8
    ipt_limit 1688 20
    iptable_filter 2412 1
    ipt_multiport 1176 4
    ipt_state 1016 19
    ip_conntrack 32168 2 [ip_conntrack_ftp ip_conntrack_irc ipt_state]
    ip_tables 16448 11 [ipt_mark ipt_MARK ipt_TOS iptable_mangle ipt_unclean ipt_REJECT ipt_LOG ipt_limit iptable_filter ipt_multiport ipt_state]
    autofs 13844 0 (autoclean) (unused)
    via-rhine 15888 1
    mii 4124 0 [via-rhine]
    crc32 3748 0 [via-rhine]
    sg 37580 0 (autoclean) (unused)
    scsi_mod 111092 1 (autoclean) [sg]
    ext3 74500 5 (autoclean)
    jbd 56624 5 (autoclean) [ext3]
    keybdev 3136 0 (unused)
    mousedev 5688 0 (unused)
    hid 24708 0 (unused)
    input 6144 0 [keybdev mousedev hid]
    ehci-hcd 21768 0 (unused)
    usb-uhci 27436 0 (unused)
    usbcore 82592 1 [hid ehci-hcd usb-uhci]
    root@host [~]# timed out waiting for input: auto-logout
    root@host [~]# su -
    root@host [~]# lsmod
    Module Size Used by Not tainted
    ipt_mark 984 1 (autoclean)
    ipt_MARK 1368 13 (autoclean)
    ipt_TOS 1656 7 (autoclean)
    iptable_mangle 2776 1
    ip_conntrack_ftp 5392 0 (unused)
    ip_conntrack_irc 4240 0 (unused)
    ipt_unclean 8056 3
    ipt_REJECT 4344 4
    ipt_LOG 4344 8
    ipt_limit 1688 20
    iptable_filter 2412 1
    ipt_multiport 1176 4
    ipt_state 1016 19
    ip_conntrack 32168 2 [ip_conntrack_ftp ip_conntrack_irc ipt_state]
    ip_tables 16448 11 [ipt_mark ipt_MARK ipt_TOS iptable_mangle ipt_unclean ipt_REJECT ipt_LOG ipt_limit iptable_filter ipt_multiport ipt_state]
    autofs 13844 0 (autoclean) (unused)
    via-rhine 15888 1
    mii 4124 0 [via-rhine]
    crc32 3748 0 [via-rhine]
    sg 37580 0 (autoclean) (unused)
    scsi_mod 111092 1 (autoclean) [sg]
    ext3 74500 5 (autoclean)
    jbd 56624 5 (autoclean) [ext3]
    keybdev 3136 0 (unused)
    mousedev 5688 0 (unused)
    hid 24708 0 (unused)
    input 6144 0 [keybdev mousedev hid]
    ehci-hcd 21768 0 (unused)
    usb-uhci 27436 0 (unused)
    usbcore 82592 1 [hid ehci-hcd usb-uhci]
    root@host [~]# modinfo ip_tables
    filename: /lib/modules/2.4.25/kernel/net/ipv4/netfilter/ip_tables.o
    description: <none>
    author: <none>
    license: "GPL"
    root@host [~]# rpm -q iptables
    iptables-1.2.9-1.0
     