Fred Stluka on 24 Aug 2018 15:20:55 -0700

Re: [PLUG] Linux tip: Log IP addresses, not hostnames, for use by fail2ban...


Rich,

I don't want to simply block all of China (and North Korea, and
Russia, and Ukraine, and Venezuela, and India, and Brazil, and
Argentina, and Germany, and France, and the US, and all the
other countries that make daily attacks on my servers).

Also, I don't want to block the entire US just because of the
millions of US Windows PCs that are now part of botnets.
What's the point of a public web site if no one can get to it?
Fail2ban is much more selective, blocking only hackers.

I could firewall out all ports except 80 and 443, and I do that
on more sensitive servers.  But on one server, where I really have
nothing to lose, I like to see the attacks that are attempted, and
have fail2ban block them in real time.

It's a lightweight way to stay informed about common attack
vectors.  I get to see new patterns that hackers contrive.  Very
useful if I ever DO have to support a server that allows logins
from China, Russia, India, etc.  For example:
- They notice they are blocked by the default fail2ban setting
   of 3 failures in 10 minutes, so they drop to slightly less
   frequent.  I then configure fail2ban to block after 2 attempts
   in 10 minutes or 3 attempts in 15 minutes or something.
- They notice they are blocked for 10 minutes, so they try again
   after 10 minutes.  I configure fail2ban to block for a week
   instead of 10 minutes.  If I ever get blocked myself, I can
   always connect from another server and unblock via this
   script:
   - http://bristle.com/Tips/Unix/ipunblock_fail2ban

I've seen tons of Web URLs that show weaknesses in some
OS's, some web servers, and some web apps.  For example:
- Attempts to "open" the "web page":  ../../../cmd.exe
   Nice try, but I don't run Windows, and I don't allow my Web
   server to reach up out of its tree root.
- Attempts to exploit WordPress.  Based on the number of
   such attempts I see, WordPress must be hugely vulnerable,
   so I've always refused to run it.
- Attempts to break into MySQL via various Web-based, mostly
   PHP, GUI console apps.  Again huge numbers, so must have a
   bad rep.  I don't run them.  Just admin MySQL via the
   command line and allow no remote DB connections.

My logwatch emails show counts of which usernames are tried
most often.  So I get to see how those patterns evolve over time.
Usually lots of standard logins (root, apache, tomcat, etc.), plus
common US first names (tom, joe, mike, bob, etc.), plus various
variants of the domain name of the attacked server, etc.

On this server, which I treat as somewhat of a honeypot, I
detect all sorts of bad actors.  Then I typically block them
permanently via iptables on all the servers I administer.  Here's
my script to permanently block or unblock one or more IP's at
one server:
- http://bristle.com/Tips/Unix/ipblock

And here's the script to loop through all of my servers:
- http://bristle.com/Tips/Mac/Unix/ipblockall

It's interesting to watch the patterns of attacks over time.
Where they come from, what attack surfaces they try, what
usernames they use, etc.  Tells me a lot about the state of the
security world, and in some cases, world politics (backlash from
trade wars, our own cyber offensives, etc.)

Anyhow, thanks for the tip about Okean.  Looks like good stuff.
Any idea why they block only TCP ports, not UDP?

--Fred
------------------------------------------------------------------------
Fred Stluka -- Bristle Software, Inc. -- http://bristle.com
#DontBeATrump -- Make America Honorable Again!
------------------------------------------------------------------------
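Added illustration, not Fred's scripts or fail2ban's own code: a small Python model of the sliding-window rule described above (ban when maxretry failures from one IP fall within findtime seconds), run over constructed sshd log lines, plus the logwatch-style tally of usernames tried. The log lines, addresses and year are constructed; the second attacker is paced to slip under the default 3-in-10-minutes rule but not under 2-in-10 or 3-in-15.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (syslog format, documentation IP ranges).
SAMPLE_LOG = """\
Aug 24 10:00:01 web sshd[101]: Failed password for invalid user tom from 203.0.113.5 port 4001 ssh2
Aug 24 10:03:12 web sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
Aug 24 10:20:00 web sshd[103]: Failed password for invalid user joe from 198.51.100.7 port 4003 ssh2
Aug 24 10:31:00 web sshd[104]: Failed password for invalid user mike from 198.51.100.7 port 4004 ssh2
Aug 24 10:34:00 web sshd[105]: Failed password for root from 198.51.100.7 port 4005 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

def parse_failures(text, year=2018):
    """Return [(timestamp, username, ip)] for each failed login line.
    Syslog lines carry no year, so one is assumed (constructed: 2018)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_bans(events, maxretry=3, findtime=600):
    """Model of fail2ban's rule: an IP is banned the first time
    maxretry failures fall inside a findtime-second window.
    Returns {ip: time of ban}."""
    window = defaultdict(deque)   # ip -> recent failure timestamps
    bans = {}
    for ts, _user, ip in sorted(events):
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()           # drop failures older than the window
        if len(q) >= maxretry and ip not in bans:
            bans[ip] = ts
    return bans

def username_counts(events):
    """Logwatch-style tally of which usernames were tried."""
    return Counter(user for _ts, user, _ip in events)
```

With the defaults (3 in 600 s) neither address is banned; with maxretry=2 or findtime=900 both show up, which is the tightening described in the message.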

On 8/17/18 6:44 PM, Rich Kulawiec wrote:
> On Fri, Aug 17, 2018 at 03:42:27PM -0400, Fred Stluka wrote:
>> As you may have noticed, there's been a massive upswing in hacking
>> attempts from China in the past couple weeks.  My servers now get
>> hit an additional hundreds or thousands of times per day.  You may
>> want to check your logs and beef up your security.
> Why are you allowing network traffic from China to get anywhere near
> your servers?  You should have permanently firewalled out the entire
> country years ago, using the blocks carefully maintained here:
>
> 	Okean - The Goods
> 	https://www.okean.com/thegoods.html
>
> Drop those into your configuration.  Update once a month.  And stop
> fooling around with half-ass measures like fail2ban.
>
> ---rsk
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug