Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...
Fred Stluka on 24 Aug 2018 15:20:55 -0700
Rich,

I don't want to simply block all of China (and North Korea, and Russia, and Ukraine, and Venezuela, and India, and Brazil, and Argentina, and Germany, and France, and the US, and all the other countries that make daily attacks on my servers). Also, I don't want to block the entire US just because of the millions of US Windows PCs that are now part of botnets. What's the point of a public web site if no one can get to it?

Fail2ban is much more selective, blocking only hackers.

I could firewall out all ports except 80 and 443, and I do that on more sensitive servers. But on one server, where I really have nothing to lose, I like to see the attacks that are attempted, and have fail2ban block them in real time. It's a lightweight way to stay informed about common attack vectors. I get to see new patterns that hackers contrive. Very useful if I ever DO have to support a server that allows logins from China, Russia, India, etc. For example:

- They notice they are blocked by the default fail2ban setting of 3 failures in 10 minutes, so they drop to slightly less frequent. I then configure fail2ban to block after 2 attempts in 10 minutes or 3 attempts in 15 minutes or something.
- They notice they are blocked for 10 minutes, so they try again after 10 minutes. I configure fail2ban to block for a week instead of 10 minutes.

If I ever get blocked myself, I can always connect from another server and unblock via this script:
- http://bristle.com/Tips/Unix/ipunblock_fail2ban

I've seen tons of Web URLs that show weaknesses in some OSes, some web servers, and some web apps. For example:

- Attempts to "open" the "web page": ../../../cmd.exe
  Nice try, but I don't run Windows, and I don't allow my Web server to reach up out of its tree root.
- Attempts to exploit WordPress. Based on the number of such attempts I see, WordPress must be hugely vulnerable, so I've always refused to run it.
- Attempts to break into MySQL via various Web-based, mostly PHP, GUI console apps. Again huge numbers, so must have a bad rep. I don't run them. Just admin MySQL via the command line and allow no remote DB connections.

My logwatch emails show counts of which usernames are tried most often. So I get to see how those patterns evolve over time. Usually lots of standard logins (root, apache, tomcat, etc.), plus common US first names (tom, joe, mike, bob, etc.), plus various variants of the domain name of the attacked server, etc.

On this server, which I treat as somewhat of a honeypot, I detect all sorts of bad actors. Then I typically block them permanently via iptables on all the servers I administer. Here's my script to permanently block or unblock one or more IPs at one server:
- http://bristle.com/Tips/Unix/ipblock

And here's the script to loop through all of my servers:
- http://bristle.com/Tips/Mac/Unix/ipblockall

It's interesting to watch the patterns of attacks over time. Where they come from, what attack surfaces they try, what usernames they use, etc. Tells me a lot about the state of the security world, and in some cases, world politics (backlash from trade wars, our own cyber offensives, etc.)

Anyhow, thanks for the tip about Okean. Looks like good stuff. Any idea why they block only TCP ports, not UDP?

--Fred

------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------

On 8/17/18 6:44 PM, Rich Kulawiec wrote:
> On Fri, Aug 17, 2018 at 03:42:27PM -0400, Fred Stluka wrote:
>> As you may have noticed, there's been a massive upswing in hacking attempts from China in the past couple weeks. My servers now get hit an additional hundreds or thousands of times per day. You may want to check your logs and beef up your security.
>
> Why are you allowing network traffic from China to get anywhere near your servers? You should have permanently firewalled out the entire country years ago, using the blocks carefully maintained here:
>
> Okean - The Goods
> https://www.okean.com/thegoods.html
>
> Drop those into your configuration. Update once a month. And stop fooling around with half-ass measures like fail2ban.
>
> ---rsk

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
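The fail2ban behaviour Fred describes above (the default of 3 failures in 10 minutes, the attacker slowing down to slip under it, tightening to 2 attempts, and lengthening the ban to a week), together with the subject line's point that the log must carry IP addresses for any of this to work, replayed over a few log lines. This is an added example written for this page; it is not code from the thread, from fail2ban, or from the bristle.com scripts linked above. The sshd-style log lines are constructed, the 2018 year assumed for the syslog timestamps, and the fourth line deliberately records a hostname instead of an address to show what an IP-keyed filter does with it.

```python
"""Replay fail2ban-style maxretry/findtime/bantime counting over sample log lines.

Added example for illustration; not fail2ban's code and not the thread's scripts.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample log (not taken from any real server). Line four logs a
# hostname instead of an address, the case the subject line warns about.
SAMPLE_LOG = """\
Aug 24 10:00:01 web sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 5522 ssh2
Aug 24 10:03:15 web sshd[1002]: Failed password for root from 203.0.113.7 port 5523 ssh2
Aug 24 10:20:40 web sshd[1003]: Failed password for invalid user tom from 203.0.113.7 port 5530 ssh2
Aug 24 10:21:02 web sshd[1004]: Failed password for invalid user tom from host.example.net port 41000 ssh2
Aug 24 10:21:09 web sshd[1005]: Failed password for invalid user tomcat from 198.51.100.9 port 41001 ssh2
Aug 24 10:22:30 web sshd[1006]: Accepted publickey for fred from 192.0.2.10 port 50000 ssh2
"""

# One failure line: syslog stamp, host, sshd pid, user tried, source, port.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<host>\S+) port \d+"
)


def _parse_ts(stamp, year=2018):
    # syslog stamps carry no year; 2018 is assumed for the sample
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def scan(log_text, maxretry=3, findtime_min=10, bantime_min=10):
    """Count failures per source IP inside a sliding findtime window.

    Returns a dict with:
      bans       - (ip, timestamp) pairs at which a ban would fire
      dropped    - failures that arrived while their source was still banned
      unbannable - sources logged by name, which an IP-keyed filter cannot block
      users      - failures per attempted username (what logwatch tallies)
    """
    findtime = timedelta(minutes=findtime_min)
    bantime = timedelta(minutes=bantime_min)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}             # ip -> time the current ban expires
    result = {"bans": [], "dropped": 0, "unbannable": [], "users": defaultdict(int)}

    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                              # successes and unrelated lines
        ts = _parse_ts(m["ts"])
        result["users"][m["user"]] += 1
        try:
            ip = str(ip_address(m["host"]))
        except ValueError:
            result["unbannable"].append(m["host"])  # a name, not an address
            continue
        if ts < banned_until.get(ip, ts):
            result["dropped"] += 1                # would never reach sshd
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:               # expire failures outside findtime
            q.popleft()
        if len(q) >= maxretry:
            banned_until[ip] = ts + bantime
            result["bans"].append((ip, ts.strftime("%b %d %H:%M:%S")))
            q.clear()

    result["users"] = dict(result["users"])
    return result


if __name__ == "__main__":
    settings = [
        ("default: 3 in 10 min, ban 10 min", {}),
        ("tightened: 2 in 10 min, ban 10 min", {"maxretry": 2}),
        ("tightened: 2 in 10 min, ban 1 week", {"maxretry": 2, "bantime_min": 7 * 24 * 60}),
    ]
    for label, kw in settings:
        print(label, scan(SAMPLE_LOG, **kw))
```

With the default 3-in-10-minutes, the source 203.0.113.7 spaces its third attempt 17 minutes after its second and is never banned; dropping maxretry to 2 bans it at the second attempt, and only the week-long bantime makes its retry at 10:20 arrive while the ban is still in force. The hostname line is counted under the username tally but cannot be banned at all, which is why the log should record addresses rather than names.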