Thousands of failed root attempts - how to block?

[drhamad]

Some IP in Korea has attempted root access thousands of times (210.126.121.198)... how do I block this IP? Especially nice if I can send the IP a msg when it tries to connect.

 

[dalem]

BFD
http://rfxnetworks.com/bfd.php

It works in conjunction with apf firewall but can be modified to work with your /etc/hosts.deny file

 

[Rafaelfpviana]

Even better, check this out:

http://forums.theplanet.com/viewtopic.php?t=15178

A few of you may remember a few months back I started to learn Shell and Bash and made a script to automatically do some basic security things. Well lately, I have been puting some more time into it and here's what I came up with so far, although I usually add/edit a little something every once in a while to make it better (like all developers Smile ).

Updated: December 11, 2005
Current Version: 1.3.6

Anyway, here's what it does:
-Install RKHunter
-Install RKHunter Cronjob which emails a user-set email address nightly
-Install/update APF
-Import old APF rules in an upgrade
-Add SM/TP monitoring IPs (view information on these in Orbit)
-Install/update BFD
-Install CHKROOTKIT
-Install CHKROOTKIT Cronjob which emails a user-set email address nightly
-Disable Telnet
-Force SSH Protocol 2
-Secure /tmp
-Secure /var/tmp
-Secure /dev/shm
-Install/update Zend Optimizer
-Install/update eAccelerator
-MySQL 4.0 and 4.1 Configuration Optimization (cPanel only)
-Upgrade MySQL to 4.1 (cPanel only)
-Tweak WHM Settings for security and stability
-Configure RNDC if not already done (cPanel only)
-Change SSH port (also configure APF as necessary)
-Add wheel user and disable direct root login over SSH
-Optimize MySQL tables
-Install/update Libsafe
-Install/update ImageMagick (from latest source)
-Uninstall LAuS
-Harden sysctl.conf
-Install Chirpy's Free Exim Dictionary Attack ACL
And more!


You can also run it with the --updatesoftware option and it will automatically upgrade RKHunter, APF, and BFD to the latest version.

The downloaded tarballs of RKHunter, BFD, APF, and CHKROOTKIT are from my own repository, however they are unchanged from the original sites. You can confirm this with the MD5s if you wish.

RKHunter, APF, BFD, CHKROOTKIT, and other tarballs are checked for MD5 mismatches before extracting to ensure the downloads are not corrupted.

Better OS/binary checks are performed before any installing. If a necessary binary isn't present, it will stop before making any changes.

Backups of changed files are kept in /usr/local/els/bakfiles and all source files are are worked with in /usr/local/els/src to keep things more organized.

This script works best with Red Hat Enterprise Linux version 3 (Taroon Update 4 and 5) and with cPanel 10.x installed.

Please let me know if you have any problems with this script, or any additions you would like to see. I'm also not the best at coding so if you know how to code and you see a problem with it, please let me know.

You can download and execute this script by copying the following command:
Code:
wget --output-document=installer.sh http://nsonetworks.com/request.php?1; chmod +x installer.sh; sh installer.sh


The installer script will automatically download and check the md5sum of the tarball (which is only another 2 scripts), as well as make the /usr/local/els directory and subdirectories.

 

[kernow]

http://denyhosts.sourceforge.net/

 

[Infopro]

Be very careful with that rich gannon script. I've used it on a test rig and it does work, but as I recall it made a mess of a few files. I wouldn't try it out on a production server if you just want to peek.

 

[randomuser]

An alternate option would be to put sshd on a different port. vi /etc/ssh/sshd_config, change the port near the top, /etc/rc.d/init.d ssh restart and never deal with your logs filling up with garbage from brute force attempts again.

 

[chirpy]

That's what I'd recommend too - change SSH to a different port. Do also install APF+BFD for good protection, but most script kiddies pass you by if they don't find SSH on port 22 and don't bother scanning up for a different port - helps save on iptables entries too.

 

[JimboJ40]

I want to do this but would like to check which parts of apf do I add my chosen new port?

IG_TCP_CPORTS ?

EG_TCP_CPORTS ?

TOS_16 ?

or all of the above?

dont wanna lock myself out .... s
Thanks

 

[chirpy]

The most important is to add it to IG_TCP_CPORTS and then restart APF.

 

[jdstallings]

That's what I'd recommend too - change SSH to a different port. Do also install APF+BFD for good protection, but most script kiddies pass you by if they don't find SSH on port 22 and don't bother scanning up for a different port - helps save on iptables entries too.

Chirpy is not going to toot his own horn, but he has a GREAT FIREWALL that you can get from hist site. I know this is an OLD post, but for others reading it, go to his site at configserver and see CSF! He has gone over the edge in options and continues to make it better daily. We would also suggest his services

 

[jay1228]

I had the same issue, changing SSH port solved the issue. I also added lot of security features described in the list above.

 

[Shinichi Kato]

From APNIC

from APNIC IP list

ex. KR IP address uKR.txt(Attach Files)
ex. CN IP address uCN.txt(Attach Files)
ex. HK IP address uHK.txt(Attach Files)
ex. TW IP address uTW.txt(Attach Files)

 

[MaraBlue]

Chirpy is not going to toot his own horn, but he has a GREAT FIREWALL that you can get from hist site. I know this is an OLD post, but for others reading it, go to his site at configserver and see CSF! He has gone over the edge in options and continues to make it better daily. We would also suggest his services

I second this

I can configure CSF in a way that I never could with APF.

 

[Bennylovster]

The best thing to do is change the port from 22 to some thing else and also use SSH Keys Do this and your ssh will never get hacked or failed logins also once you have got logged in and understand how to use ssh keys then disable password authentication.

I hope this helps

 

[MaraBlue]

The best thing to do is change the port from 22 to some thing else and also use SSH Keys Do this and your ssh will never get hacked or failed logins also once you have got logged in and understand how to use ssh keys then disable password authentication.

I hope this helps

I've changed the SSH port and just doing that helped tremendously. My next step will be to set up the keys, that's a great suggestion.

 

[Rafaelfpviana]

from APNIC IP list

ex. KR IP address uKR.txt(Attach Files)
ex. CN IP address uCN.txt(Attach Files)
ex. HK IP address uHK.txt(Attach Files)
ex. TW IP address uTW.txt(Attach Files)

What IP list is this? What do you use it for? Where did you get it?

 

[brianoz]

What IP list is this? What do you use it for? Where did you get it?

You obviously missed the link (under "APNIC") - that's where he got it from!

 

[CompufixHosting]

I was having the same issue when I first brought my server online. I just removed port 22 (SSH) from the open ports list in CSF. Then I placed my ip in the allowed hosts lists. So the only people that can ssh into the server are the people with their ip in the allowed hosts list.

 

[brianoz]

That's actually a great, simple solution. Make sure you also allow your data centre to login though, and make sure you have a backup plan to gain access if you get blocked by CSF (unlikely since you're in the allow list).

To make it even more unlikely that you'd get blocked by csf accidentally, it's worth turning on the cool new csf RELAYHOSTS feature - just set it to 1 in the config file. It then won't block IPs belonging to authenticated users - ie your legitimate users. I take credit for suggesting the way this works to Chirpy but couldn't beleive he'd added it in under 24 hours! e By the way, this is an important enhancement as it saves support time - you won't get valid users getting blocked.