Linode Forum
Linode Community Forums
PostPosted: Sat Sep 14, 2013 12:48 pm 
Senior Newbie

Joined: Wed Oct 31, 2012 5:12 pm
Posts: 9
I'm just curious if there's any policy on blocking at the router sites that are habitual hacking havens? I keep getting probed by various domains, often Chinese in origination.

Can these be blocked at the router?

Thanks,

Nancy


PostPosted: Sat Sep 14, 2013 1:11 pm
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
No, we don't block incoming traffic towards Linodes based on its source.

- Les


PostPosted: Sat Sep 14, 2013 2:13 pm
Senior Member

Joined: Mon Jan 02, 2012 12:45 pm
Posts: 365
Nancy,
If you're using a firewall like iptables you can block specific IPs (or ranges of IPs) yourself.


MSJ


PostPosted: Sat Sep 14, 2013 3:41 pm
Senior Newbie

Joined: Wed Oct 31, 2012 5:12 pm
Posts: 9
I use a firewall, but the attacks from certain domains are so constant and the IPs change frequently. I wonder how much of my processing time/bandwidth is being used by these attacks or how my bloated iptables is slowing stuff down. They're getting very clever. Probing from one machine, move to another and probe again. I had 7 different probes from 7 different IPs, two different networks in the same domain.

**sigh**


PostPosted: Sat Sep 14, 2013 3:45 pm
Senior Member

Joined: Mon Jul 05, 2010 5:13 pm
Posts: 392
What services are they targeting?

- Les


PostPosted: Sat Sep 14, 2013 3:57 pm
Senior Newbie

Joined: Wed Oct 31, 2012 5:12 pm
Posts: 9
25, 22, 443, 80 (mod_proxy), random web addresses

Those are about the only ports I have open.

I have fail2ban running, so I'm constantly seeing new stuff getting banned. I have to leave some holes open for our clients, but I think I'm going to just hunker down and deny everything to everyone except a dozen or so addresses.

This is what had me asking about blocking at the router:

Connection attempts using mod_proxy:
111-241-41-23.dynamic.hinet.net -> mx2.mail2000.com.tw:25: 1 Time(s)
111-241-43-153.dynamic.hinet.net -> mta7.am0.yahoodns.net:25: 1 Time(s)
111-241-43-92.dynamic.hinet.net -> mx3.mail2000.com.tw:25: 1 Time(s)
111-241-45-208.dynamic.hinet.net -> mx2.mail2000.com.tw:25: 1 Time(s)
111-241-47-101.dynamic.hinet.net -> mx2.mail2000.com.tw:25: 1 Time(s)
61-228-17-81.dynamic.hinet.net -> mx2.mail2000.com.tw:25: 1 Time(s)
61-228-95-243.dynamic.hinet.net -> mx0.mail2000.com.tw:25: 1 Time(s)


PostPosted: Sat Sep 14, 2013 7:05 pm
Senior Member

Joined: Mon Jan 02, 2012 12:45 pm
Posts: 365
Nancy,
One of my clients gets 20k - 30k unauthorized login attempts per week (with all sorts of ridiculous user names). It is annoying, and it always makes me wonder if my passwords are secure enough, but in the end they are just unsophisticated attacks that were eating up my time trying to stop each IP address. I just make sure I use very strong passwords and change them regularly.

While fail2ban is not bulletproof, it is an extra layer of security. You can't stop them from trying - they are the mosquitoes of the internet.

Whitelisting will work for some protocols, but you can't really whitelist access to port 25 or 80.


PostPosted: Sun Sep 15, 2013 2:58 pm
Senior Member

Joined: Wed Mar 03, 2010 2:04 pm
Posts: 111
CSF/LFD does offer country code blocking in a manner of speaking, but it slows things down and isn't perfect. Despite near constant brute force attempts from China I don't bother trying to block the whole country. For my LFD install I block an IP for 24 hours after just a couple of failed attempts for http auth, POP3/IMAP, or SMTP AUTH. That may be too draconian for you depending on what you're doing though. CSF's temp blocks will drop off after your preset time limit so you won't get bogged down by old firewall rules that never disappear. I don't know if f2b does this but I'd assume so.

Of course brute force attempts are just part of life on the Internet, particularly from China. The great firewall only goes in one direction, LOL.

Move SSH off port 22 and close the port; that will help. A lot of bots will try 22 and if they get nothing they'll just move on. As for mod_proxy, are you actually running mod_proxy? Once someone figures out you are running a proxy (assuming it was ever unsecured, even for a short time) you get on some lists that get passed around and people will try using your box for a long time. Nothing you can really do about it. If it's secured, your firewall should block them after some failed attempts to access it.

If you need to run a proxy, can you switch to SSH-based proxying? You could set up SSH with keypair auth on a non-standard port and a SOCKS proxy through PuTTY, etc.


PostPosted: Sun Sep 15, 2013 3:10 pm
Senior Newbie

Joined: Wed Oct 31, 2012 5:12 pm
Posts: 9
No, I'm not even running mod_proxy. What is CSF/LFD?

We've got a lot of clients using SFTP to us, so moving the SSH port would be a bit of a pain, but that's not a bad idea.

I guess I'm being overly sensitive when I see 139 different blocked IPs in 24 hours in my ufw.log.

I'd like to do a scan of my host from an unallowed host, just to see what is open still. Does anyone have any suggestions for that? I know there are web sites with scanners, but they're hard to use with a headless host.


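A quick way to tell whether "139 different blocked IPs" are really a couple of networks (a candidate for one CIDR block) or genuinely scattered, before deciding between per-host and range blocks. This is an added example, not code from anyone in the thread; it assumes ufw's default kernel-log line format (the SRC= and DPT= fields) and runs on a constructed sample when given no file.

```shell
#!/bin/sh
# Summarise ufw.log blocks per /16: distinct source hosts, total hits and the
# destination ports they went for.
# Usage: ufw_block_summary /var/log/ufw.log
ufw_block_summary() {
    awk '/\[UFW BLOCK\]/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        split(src, o, ".")
        net = o[1] "." o[2] ".0.0/16"
        if (!((net, src) in seen)) { seen[net, src] = 1; hosts[net]++ }
        hits[net]++
        if (!((net, dpt) in pseen)) {
            pseen[net, dpt] = 1
            ports[net] = ports[net] (ports[net] == "" ? "" : ",") dpt
        }
    }
    END {
        for (n in hosts)
            printf "%s hosts=%d hits=%d ports=%s\n", n, hosts[n], hits[n], ports[n]
    }' "$1" | sort -t= -k2 -nr
}

# Constructed sample lines in ufw/kernel log format (addresses taken from the
# hinet hostnames quoted earlier in the thread); the last line is noise.
sample_log() {
    cat > "$1" <<'EOF'
Sep 14 03:12:11 linode kernel: [UFW BLOCK] IN=eth0 OUT= SRC=111.241.41.23 DST=10.0.0.5 PROTO=TCP SPT=4444 DPT=25
Sep 14 03:12:40 linode kernel: [UFW BLOCK] IN=eth0 OUT= SRC=111.241.43.153 DST=10.0.0.5 PROTO=TCP SPT=4444 DPT=25
Sep 14 03:13:02 linode kernel: [UFW BLOCK] IN=eth0 OUT= SRC=111.241.43.153 DST=10.0.0.5 PROTO=TCP SPT=4445 DPT=22
Sep 14 03:15:55 linode kernel: [UFW BLOCK] IN=eth0 OUT= SRC=61.228.17.81 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=443
Sep 14 03:16:00 linode sshd[1234]: Accepted publickey for nancy from 198.51.100.7 port 50000 ssh2
EOF
}

if [ -n "$1" ]; then
    ufw_block_summary "$1"
else
    f=$(mktemp); sample_log "$f"; ufw_block_summary "$f"; rm -f "$f"
fi
```

On the sample this prints the 111.241.0.0/16 line first (2 hosts, 3 hits, ports 25,22), which is the evidence you want before committing to a /16 drop.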
PostPosted: Sun Sep 15, 2013 9:35 pm
Senior Member

Joined: Wed Mar 03, 2010 2:04 pm
Posts: 111
CSF/LFD is the configserver firewall. Just a personal favorite. I haven't checked my logs in a while. I know my firewall logs are full of blocks. Login attempts for various services, not as many because I'm locked down fairly tight. I wouldn't worry if they are just silly brute force attempts, unless your password is "12345".

When I want to test an unauthorized machine I tether my laptop to my phone and connect that way.


PostPosted: Tue Sep 24, 2013 5:58 pm
Senior Member

Joined: Thu Nov 24, 2011 12:46 pm
Posts: 139
Location: Mesa AZ
I block persistent abusers when I notice them or they show up in Fail2Ban on a regular basis. I use the following script so I can do it easily and get a log of what was blocked (and why).

The blocks are not persistent across reboots, but I use another script to save blocks that are then reloaded on reboot.

I do use a non-standard SSH port simply to make it easier to track who is having problems connecting and reduce the script kiddie noise.

Code:
#!/bin/bash
#  tempdrop IPADDRESS Comment
#  tempdrop IPADDRESS/CIDR Comment

LOGFILE='/var/log/tempdrop.log'
DATE=$(date +"%Y-%m-%d %H:%M:%S")

# Did we get a value?
if [ $# -eq 0 ]
then
   echo "$0 : Need To Provide IP or IP/CIDR to add temp drop"
   exit 1
fi

echo
echo "Temp Drop IP Block [$1] - $2"
echo "Adds temp drop for IP at the top of the chain"
echo "--------------------------------------------------------------"
# Quote the arguments so a value with spaces cannot be split into extra iptables options
echo "CMD: iptables -I INPUT -s $1 -j DROP"
/sbin/iptables -I INPUT -s "$1" -j DROP || exit 1
# Only log the drop if iptables actually accepted it
echo "$DATE DROP [$1] - $2" >> "$LOGFILE"

## End


Example: tempdrop 111.241.0.0/16 "TW Fake email Attempts"

_________________
Kevin a.k.a. Dweeber


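A variant of the temp-drop idea above that also gives you the expiring blocks the CSF/LFD post mentioned, added here as an example and not Kevin's script: one hash-type ipset with a timeout sits behind a single INPUT rule, so entries age out on their own and the chain stays short no matter how many addresses are blocked. It assumes ipset and an iptables with rule checking (-C) are installed; the set name, TTL, log path and tool names are assumed defaults that the environment can override.

```shell
#!/bin/sh
# tempdrop: temporary DROP for an IP or IP/CIDR, held as one ipset entry with a
# timeout instead of one iptables rule per address. The set is a hash, so many
# entries still cost a single INPUT rule, and entries expire by themselves.
SETNAME=${SETNAME:-tempdrop}
TTL=${TTL:-86400}
LOGFILE=${LOGFILE:-/var/log/tempdrop.log}
IPSET=${IPSET:-ipset}
IPT=${IPT:-iptables}

# Accept only dotted-quad IPv4, optionally with /0-32, so nothing else ever
# reaches ipset as an argument.
valid_target() {
    case $1 in ''|*[!0-9./]*) return 1;; esac
    addr=${1%%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32
    case $pfx in ''|*[!0-9]*) return 1;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Create the set if needed and hook it into INPUT exactly once.
ensure_set() {
    "$IPSET" -exist create "$SETNAME" hash:net timeout 86400 || return 1
    "$IPT" -C INPUT -m set --match-set "$SETNAME" src -j DROP 2>/dev/null ||
        "$IPT" -I INPUT 1 -m set --match-set "$SETNAME" src -j DROP
}

# tempdrop TARGET [COMMENT]: add (or refresh) the entry and log why.
tempdrop() {
    target=$1; reason=${2:-no reason given}
    valid_target "$target" || { echo "tempdrop: bad IP or IP/CIDR: $target" >&2; return 2; }
    ensure_set || return 1
    "$IPSET" -exist add "$SETNAME" "$target" timeout "$TTL" || return 1
    printf '%s DROP [%s] ttl=%ss - %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" \
        "$target" "$TTL" "$reason" >> "$LOGFILE"
}

if [ $# -gt 0 ]; then
    tempdrop "$@" || exit $?
else
    echo "usage: $0 IP|IP/CIDR [comment]   (TTL=seconds overrides the 24h default)" >&2
fi
```

For reboot persistence, `ipset save` writes the entries with their remaining timeouts, so saving to a file at shutdown and `ipset restore` before the iptables rules load replaces the separate save/reload script.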