I have multiple failed break-ins (like 200 in 5 minutes) from the IP address 216.55.165.26. Is there any way to blacklist that IP address from logging into my server (FTP, SSH, etc.), and are there any major blacklisting sites I can add the IP address to? Thanks
Alright, I noticed that it's a static IP from the web service. Should I tell my ISP or other organizations to add it to their blacklists?
Instead of blacklisting it, it might be better to inform the ISP that the IP belongs to, so that they take actions to prevent this. You can look up the abuse address of the ISP with whois.
Change your SSH port if they're trying to hack port 25. If the break-in attempts were on port 25 SSH, then you should simply change the default port for SSH. I run denyhosts and used to get several hack attempts daily on port 25. Denyhosts did its job, but it was constantly blocking hack attempts. Since I changed my default SSH port to something else I have not had a single hack attempt on SSH. I also disabled password login and went to a public key. Most of the script kiddies try to hack port 25 and rarely look at non-standard ports. There's lots of good info in this HowTo: http://www.howtoforge.com/ssh-best-practices
Here's the way I would do it:

1) Create a new file named post-rule-setup.sh
2) Put the following in that file:
   iptables -I INPUT -s 216.55.165.26 -j DROP
3) Place the file in this new folder: /etc/Bastille/firewall.d/
4) Restart the Bastille firewall to activate the rule:
   /etc/init.d/bastille-firewall restart

To remove the rule is simple:

1) Delete post-rule-setup.sh or remove the rule from that file
2) Restart the Bastille firewall:
   /etc/init.d/bastille-firewall restart

You can add as many rules as you want into post-rule-setup.sh; just be sure to put each rule on its own line. Run iptables -L to see your new rule(s) running in iptables or to confirm that it has been removed. The benefit of doing it like this is that your rules will remain in effect even if the system is rebooted or Bastille is restarted.
I use sshguard happily on my FreeBSD box at home. It's also available for Linux/iptables. It blacklists IPs automatically after a set number of failures to log in. You can adjust how many failures within how many seconds it should take before the IP gets blocked and for how long the IP should remain blocked. Works like a charm here!
Right now I'm using fail2ban and like it so far; however, I just noticed something kind of odd in the logs. This could be completely normal, but I would like a second set of eyes. So in my auth.log this happened:

Code:
Feb 13 03:11:40 cw-webserver sshd[3833]: Server listening on :: port 22.
Feb 13 03:11:40 cw-webserver sshd[3833]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Feb 13 03:11:45 cw-webserver saslauthd[4162]: detach_tty : master pid is: 4162
Feb 13 03:11:45 cw-webserver saslauthd[4162]: ipc_init : listening on socket: /var/spool/postfix/var/run/saslauthd/mux

and then in the fail2ban.log was this:

Code:
2008-02-13 03:11:48,093 fail2ban.jail : INFO Using poller
2008-02-13 03:11:48,158 fail2ban.filter : INFO Created Filter
2008-02-13 03:11:48,158 fail2ban.filter : INFO Created FilterPoll
2008-02-13 03:11:48,159 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2008-02-13 03:11:48,160 fail2ban.filter : INFO Set maxRetry = 6
2008-02-13 03:11:48,165 fail2ban.filter : INFO Set findtime = 600
2008-02-13 03:11:48,166 fail2ban.actions: INFO Set banTime = 600
2008-02-13 03:11:48,182 fail2ban.actions.action: INFO Set actionBan = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
2008-02-13 03:11:48,183 fail2ban.actions.action: INFO Set actionStop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name> iptables -F fail2ban-<name> iptables -X fail2ban-<name>
2008-02-13 03:11:48,184 fail2ban.actions.action: INFO Set actionStart = iptables -N fail2ban-<name> iptables -A fail2ban-<name> -j RETURN iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
2008-02-13 03:11:48,185 fail2ban.actions.action: INFO Set actionUnban = iptables -D fail2ban-<name> -s <ip> -j DROP
2008-02-13 03:11:48,186 fail2ban.actions.action: INFO Set actionCheck = iptables -n -L INPUT | grep -q fail2ban-<name>

The only reason I thought that this was odd was because they were so close in time together.
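Added here as an illustration, not fail2ban's or sshguard's own code: a minimal version of the maxRetry = 6 / findtime = 600 rule shown in the fail2ban.log above, run over a constructed auth.log excerpt. The hostname and 216.55.165.26 come from this thread; the other two addresses, usernames and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure line as written to a syslog-style auth.log (no year in the stamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \w+ for "
    r"(?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_ts(stamp, year=2008):
    # syslog stamps omit the year; the constructed sample below is from 2008
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def ips_to_ban(lines, max_retry=6, find_time=600):
    """IPs whose failed logins reach max_retry inside any find_time-second window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and daemon messages never count
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > find_time:
            q.popleft()  # forget failures that fell out of the window
        if len(q) >= max_retry and ip not in banned:
            banned.append(ip)
    return banned

# Constructed sample: a slow guesser (never 6 inside 10 min), the IP from the
# question hammering the box, and a legitimate user who mistyped once.
SAMPLE_AUTH_LOG = """\
Feb 13 03:00:00 cw-webserver sshd[4100]: Failed password for root from 203.0.113.5 port 40000 ssh2
Feb 13 03:05:00 cw-webserver sshd[4101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Feb 13 03:09:00 cw-webserver sshd[4102]: Failed password for root from 203.0.113.5 port 40002 ssh2
Feb 13 03:12:01 cw-webserver sshd[4201]: Failed password for invalid user admin from 216.55.165.26 port 51234 ssh2
Feb 13 03:12:03 cw-webserver sshd[4202]: Failed password for invalid user admin from 216.55.165.26 port 51235 ssh2
Feb 13 03:12:06 cw-webserver sshd[4203]: Failed password for alice from 192.0.2.10 port 60010 ssh2
Feb 13 03:12:08 cw-webserver sshd[4204]: Failed password for root from 216.55.165.26 port 51236 ssh2
Feb 13 03:12:10 cw-webserver sshd[4205]: Failed password for root from 216.55.165.26 port 51237 ssh2
Feb 13 03:12:12 cw-webserver sshd[4206]: Accepted password for alice from 192.0.2.10 port 60011 ssh2
Feb 13 03:12:15 cw-webserver sshd[4207]: Failed password for invalid user test from 216.55.165.26 port 51238 ssh2
Feb 13 03:12:19 cw-webserver sshd[4208]: Failed password for invalid user oracle from 216.55.165.26 port 51239 ssh2
Feb 13 03:14:00 cw-webserver sshd[4103]: Failed password for root from 203.0.113.5 port 40003 ssh2
Feb 13 03:20:00 cw-webserver sshd[4104]: Failed password for root from 203.0.113.5 port 40004 ssh2
Feb 13 03:25:00 cw-webserver sshd[4105]: Failed password for root from 203.0.113.5 port 40005 ssh2
"""
```

With the defaults only 216.55.165.26 is banned; widening find_time to an hour also catches the slow guesser, which is the trade-off the findtime setting controls.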