[lug] Attacks Intensifying

Daniel Webb lists at danielwebb.us
Thu Oct 28 12:36:29 MDT 2004


On Thu, Oct 28, 2004 at 10:56:47AM -0600, Jani Averbach wrote:

> Seriously, I have planned and sketched a system where we have a
> (sshd/httpd) log analyzator, SQL database and firewall which is
> updated based on incoming log in attempts. It also uses a white list
> to ensure that you could log in, even if you have mistyped your
> password.
> 
> Unfortunately I don't have anything really working at the moment.
> 
> Do you know if there is something similar already done?

I created a simple hacked-together system a few months ago when all this
started that auto-bans all the guys doing this.  It's part of my overall
firewall script, so I'll just include the relevant parts of the firewall
script, and attach the script that bans new attackers and the current ban
list.  It just searches the syslog file and bans IPs that have too many failed
attempts by adding the IP to a list in a file.  You'll have to customize it
for your system, but it should allow you to do what you're talking about with
little effort.  A SQL database seems overboard, since I have 311 banned IPs
for several months worth of collecting, but maybe you're getting attacked more
than I am.

(part of my firewall script):

-----
# Deny packets from banned IPs to SSH
# (see /root/script/firewall/generate-banned-ips)
# FIREWALL_DIR, IPTABLES and INET_IFACE are assumed to be set earlier in
# the full firewall script; banned-ips holds one IP per line.
#
[ ! -f "$FIREWALL_DIR/banned-ips" ] && echo "can't find $FIREWALL_DIR/banned-ips"
echo "Denying SSH to:"
for f in $(cat "$FIREWALL_DIR/banned-ips"); do
    echo -n "$f "
    $IPTABLES -A INPUT -p TCP -i "$INET_IFACE" -s "$f" \
        --destination-port 22 -j REJECT
done
-----

Daniel
-------------- next part --------------
#!/bin/sh
#
# Generate a list of banned IPs by looking in the log files
# Put the banned list in /root/scripts/firewall so the firewall scripts can
# use it.

TF=$(mktemp)
ADD=$(mktemp)
BANS=/root/scripts/firewall/banned-ips
touch "$BANS"

# Ban on one attempt at "test" account
grep "Failed password for test from" /var/log/auth.log \
    | nice perl -p -e 's/.* ((\d{1,3}\.){3}\d{1,3}).*/$1/' \
    >> "$TF"

# Add lines that start with "Failed password for root from"
# pull the IP from those lines
# Uniqify and Prepend a count of the number of each IP
# Remove IPs that have 3 or less failures
# Remove the prepended count from the rest
nice grep "Failed password for root from" /var/log/auth.log \
    | perl -p -e 's/.* ((\d{1,3}\.){3}\d{1,3}).*/$1/' \
    | sort | uniq --count \
    | egrep -v '[[:space:]]1[[:space:]]' \
    | egrep -v '[[:space:]]2[[:space:]]' \
    | egrep -v '[[:space:]]3[[:space:]]' \
    | perl -p -e 's/\s+\d+\s+(.*)/$1/' \
    >> "$TF"

sort "$TF" | uniq > "$ADD"
# An IP that occurs exactly once in ADD + BANS + BANS is in ADD but not
# yet in BANS, i.e. it is new
NEW=$(cat "$ADD" "$BANS" "$BANS" | sort | uniq --unique)

# Uniqify the final ban list before reloading the firewall, so the new
# entries take effect on this run rather than the next one
cat "$BANS" "$ADD" | sort | uniq > "$TF"
cat "$TF" > "$BANS"

if [ ! -z "$NEW" ]; then
    echo "Adding new IPs to ban list:"
    echo $NEW
    # Load new firewall (rc.firewall is expected in the current directory)
    ./rc.firewall >/dev/null
fi

rm -f "$TF" "$ADD"