Identifying attackers in /var/log/messages and blocking using iptables

TO FIND the IP addresses of those attempting to break in to your system in /var/log/messages:

cat messages | awk '{print $7}' | grep -v authentication | grep -v not | \
grep -v port | grep -v for | grep -v peer | grep -v failure | grep -v Kbyte | \
grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | uniq > /root/badips.txt
----------------------------------------------------------------------------
create a quick and dirty script: vi getips (in /var/log/)

cat messages | awk '{print $7}' | grep -v authentication | grep -v not | grep -v port | grep -v for | grep -v peer | grep -v failure | grep -v Kbyte | grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | uniq

execute: sh ./getips

(dirty script needs more clean up... but once you get this list of IPs then you can edit and research and then block)

(the list of IPs the script printed, one per line, is not reproduced here)
----------------------------------------------------
to see a longer list of invalid logins see: http://johnmeister.com/linux/Notes/messages-Invalid-attempts.html
----------------------------------------------------
There are ways of reporting these IP addresses; by doing so they can be added to blacklists so that mail servers reject email from those IPs. The problem is that if someone is overzealous about blacklisting IP addresses, the occasional rogue spammer can get a legitimate server blacklisted. Currently my mail server IP is blacklisted because of spam prior to my getting that address.
It's on two of eight spam lists, but that's enough to keep me from getting to one of my technical groups.

To examine the IP address and find its location, do a reverse DNS lookup, then a traceroute. A reverse DNS lookup is simply: nslookup 171.5.163.191

--> nslookup 171.5.163.191
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
191.163.5.171.in-addr.arpa      name = mx-ll-171.5.163-191.dynamic.3bb.co.th.

Authoritative answers can be found from:
----------------------------------------------------
--> nslookup 3bb.co.th
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   3bb.co.th
Address: 110.164.192.228
----------------------------------------------------
--> traceroute 171.5.163.191
The program 'traceroute' can be found in the following packages:
 * inetutils-traceroute
 * traceroute
Try: sudo apt-get install <selected package>
------------------------------------------------
john@mint-system (or debian or ubuntu; for suse: zypper install traceroute (although it may be installed by default))
------------------------------------------------
--> sudo apt-get install inetutils-traceroute traceroute
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  inetutils-traceroute traceroute
0 upgraded, 2 newly installed, 0 to remove and 46 not upgraded.
Need to get 83.1 kB of archives.
After this operation, 443 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty-updates/universe traceroute amd64 1:2.0.20-0ubuntu0.1 [45.0 kB]
Get:2 http://archive.ubuntu.com/ubuntu/ trusty/universe inetutils-traceroute amd64 2:1.9.2-1 [38.1 kB]
Fetched 83.1 kB in 0s (87.7 kB/s)
Selecting previously unselected package traceroute.
(Reading database ... 188920 files and directories currently installed.)
Preparing to unpack .../traceroute_1%3a2.0.20-0ubuntu0.1_amd64.deb ...
Unpacking traceroute (1:2.0.20-0ubuntu0.1) ...
Selecting previously unselected package inetutils-traceroute.
Preparing to unpack .../inetutils-traceroute_2%3a1.9.2-1_amd64.deb ...
Unpacking inetutils-traceroute (2:1.9.2-1) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Setting up traceroute (1:2.0.20-0ubuntu0.1) ...
update-alternatives: using /usr/bin/traceroute.db to provide /usr/bin/traceroute (traceroute) in auto mode
update-alternatives: using /usr/bin/lft.db to provide /usr/bin/lft (lft) in auto mode
update-alternatives: using /usr/bin/traceproto.db to provide /usr/bin/traceproto (traceproto) in auto mode
update-alternatives: using /usr/sbin/tcptraceroute.db to provide /usr/sbin/tcptraceroute (tcptraceroute) in auto mode
Setting up inetutils-traceroute (2:1.9.2-1) ...
------------------------------------------------
--> traceroute 171.5.163.191
traceroute to 171.5.163.191 (171.5.163.191), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.092 ms  1.330 ms  1.404 ms
 2  96.120.100.13 (96.120.100.13)  12.094 ms  12.227 ms  12.307 ms
 3  te-0-0-0-14-sur02.everett.wa.seattle.comcast.net (68.85.240.145)  17.322 ms  17.484 ms  17.568 ms
 4  be-1-sur03.everett.wa.seattle.comcast.net (69.139.164.222)  17.761 ms  17.844 ms  18.009 ms
 5  be-29-ar01.seattle.wa.seattle.comcast.net (69.139.164.217)  18.105 ms  18.190 ms  18.447 ms
 6  be-33650-cr02.seattle.wa.ibone.comcast.net (68.86.93.165)  20.053 ms  11.987 ms  11.476 ms
 7  be-11021-cr01.sanjose.ca.ibone.comcast.net (68.86.85.197)  31.130 ms  31.392 ms  31.268 ms
 8  * * *
 9  he-0-14-0-1-pe03.11greatoaks.ca.ibone.comcast.net (68.86.86.202)  38.010 ms  36.924 ms  36.679 ms
10  50.242.150.146 (50.242.150.146)  38.260 ms  37.942 ms  38.103 ms
11  mx-ll-110.164.0-42.static.3bb.co.th (110.164.0.42)  191.765 ms  381.393 ms  381.276 ms
12  mx-ll-110.164.0-224.static.3bb.co.th (110.164.0.224)  240.239 ms  242.281 ms  242.418 ms
13  mx-ll-110.164.1-10.static.3bb.co.th (110.164.1.10)  230.957 ms  236.696 ms  236.922 ms
14  mx-ll-110.164.1-167.static.3bb.co.th (110.164.1.167)  238.861 ms  238.561 ms  238.627 ms
15  mx-ll-110.164.1-162.static.3bb.co.th (110.164.1.162)  236.683 ms  230.005 ms  230.273 ms
16  mx-ll-110.164.1-64.static.3bb.co.th (110.164.1.64)  232.104 ms mx-ll-110.164.1-138.static.3bb.co.th (110.164.1.138)  238.389 ms mx-ll-110.164.1-72.static.3bb.co.th (110.164.1.72)  230.115 ms
17  mx-ll-110.164.0-181.static.3bb.co.th (110.164.0.181)  236.132 ms  235.147 ms mx-ll-110.164.0-157.static.3bb.co.th (110.164.0.157)  237.306 ms
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
------------------------------------------------
Address: 110.164.192.228
------------------------------------------------
--> traceroute 110.164.192.228
traceroute to 110.164.192.228 (110.164.192.228), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.949 ms  1.103 ms  1.167 ms
 2  96.120.100.13 (96.120.100.13)  13.784 ms  18.228 ms  18.217 ms
 3  te-0-0-0-14-sur02.everett.wa.seattle.comcast.net (68.85.240.145)  19.160 ms  19.314 ms  19.397 ms
 4  be-1-sur03.everett.wa.seattle.comcast.net (69.139.164.222)  19.504 ms  19.556 ms  19.820 ms
 5  be-29-ar01.seattle.wa.seattle.comcast.net (69.139.164.217)  20.080 ms  19.999 ms  20.175 ms
 6  be-33650-cr02.seattle.wa.ibone.comcast.net (68.86.93.165)  20.235 ms  12.986 ms  13.766 ms
 7  be-11021-cr01.sanjose.ca.ibone.comcast.net (68.86.85.197)  32.372 ms  40.418 ms  40.204 ms
 8  * * *
 9  he-0-11-0-0-pe03.11greatoaks.ca.ibone.comcast.net (68.86.85.238)  38.250 ms he-0-13-0-0-pe03.11greatoaks.ca.ibone.comcast.net (68.86.83.134)  38.101 ms he-0-12-0-0-pe03.11greatoaks.ca.ibone.comcast.net (68.86.82.66)  38.450 ms
10  50.242.150.146 (50.242.150.146)  40.562 ms  40.898 ms  40.778 ms
11  mx-ll-110.164.0-44.static.3bb.co.th (110.164.0.44)  226.880 ms  227.516 ms  226.726 ms
12  mx-ll-110.164.0-176.static.3bb.co.th (110.164.0.176)  227.406 ms mx-ll-110.164.0-236.static.3bb.co.th (110.164.0.236)  231.979 ms  232.071 ms
13  mx-ll-110.164.1-132.static.3bb.co.th (110.164.1.132)  238.846 ms  238.716 ms mx-ll-110.164.1-96.static.3bb.co.th (110.164.1.96)  248.027 ms
14  mx-ll-110.164.1-70.static.3bb.co.th (110.164.1.70)  254.360 ms mx-ll-110.164.1-72.static.3bb.co.th (110.164.1.72)  246.309 ms mx-ll-110.164.1-96.static.3bb.co.th (110.164.1.96)  238.987 ms
15  mx-ll-110.164.1-2.static.3bb.co.th (110.164.1.2)  238.841 ms mx-ll-110.164.1-49.static.3bb.co.th (110.164.1.49)  238.263 ms mx-ll-110.164.1-72.static.3bb.co.th (110.164.1.72)  230.261 ms
16  mx-ll-110.164.1-49.static.3bb.co.th (110.164.1.49)  241.157 ms  504.745 ms *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
------------------------------------------------
http://whois.icann.org/en (provides ICANN info of properly registered domains)
https://who.is/whois-ip/ip-address/110.164.192.228

Overview for 110.164.192.228
% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '110.164.192.0 - 110.164.207.255'

inetnum:        110.164.192.0 - 110.164.207.255
netname:        TRIPLETNET-TH
descr:          3BB Broadband Internet service provider in Thailand
country:        TH
admin-c:        CW1178-AP
tech-c:         CW1178-AP
status:         ALLOCATED NON-PORTABLE
mnt-by:         MAINT-TH-3BB
mnt-lower:      MAINT-TH-3BB
mnt-routes:     MAINT-TH-3BB
mnt-irt:        IRT-TRIPLETNET-TH
changed:        ipadmin@3bbmail.com 20110213
source:         APNIC

irt:            IRT-TRIPLETNET-TH
address:        200 Moo4 Chaengwattana Road Pakkret Nonthaburi 11120
e-mail:         ipadmin@3bbmail.com
abuse-mailbox:  ipadmin@3bbmail.com
admin-c:        TP207-AP
tech-c:         TP207-AP
auth:           # Filtered
mnt-by:         MAINT-TH-3BB
changed:        ipadmin@3bbmail.com 20101214
source:         APNIC

person:         Ip admin
nic-hdl:        CW1178-AP
e-mail:         ipadmin@3bbmail.com
address:        200 Jasmine tower 29th floor
address:        Chaengwattana road
address:        Pakkret Nonthaburi 11120
phone:          +66-2-1008555
phone:          +66-2-1008552
phone:          +66-2-1008553
country:        TH
changed:        ipadmin@3bbmail.com 20091116
mnt-by:         MAINT-NEW
changed:        hm-changed@apnic.net 20091116
changed:        hm-changed@apnic.net 20111206
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)
----------------------------------------------------------------------------
the command to block on the fly:

-->> sudo iptables -A INPUT -s 221.229.166.29 -j DROP

using iptables only blocks that IP until the next reboot.
----------------------------------------------------------------------------
--> sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             multiport dports mdns
ACCEPT     tcp  --  anywhere             anywhere             multiport dports terabase
DROP       all  --  221.229.166.29       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
------------------------------------------------
so, once you've got the basic concept down, you can analyze all of the IPs and turn the details below into a script that runs. Remember iptables will flush on reboot. So if you create a script, do so to monitor the messages file and drop an IP that attempts a significant number of tries to get in. The list of IPs from messages can be gathered by a script that greps the IP in messages and counts the hits. Then when you have a significant number of hits, drop it using iptables. Running a filter like this will clear after any reboots, and would be a proactive firewall of sorts.
------------------------------------------------
grep 182.118.54.88 /var/log/messages | wc -l
1
grep 115.113.151.235 /var/log/messages | wc -l
155
grep 117.21.174.111 /var/log/messages | wc -l
219
grep 171.5.163.191 /var/log/messages | wc -l
598
iptables -A INPUT -s 171.5.163.191 -j DROP
grep 176.100.89.119 /var/log/messages | wc -l
349
grep 178.89.2.226 /var/log/messages | wc -l
20
grep 182.100.67.102 /var/log/messages | wc -l
1738
grep 182.100.67.112 /var/log/messages | wc -l
525
grep 182.100.67.114 /var/log/messages | wc -l
190
grep 218.65.30.92 /var/log/messages | wc -l
154
grep 221.229.160.223 /var/log/messages | wc -l
114
grep 221.229.166.27 /var/log/messages | wc -l
108
grep 221.229.166.29 /var/log/messages | wc -l
246
grep 221.229.166.30 /var/log/messages | wc -l
132
grep 222.186.21.217 /var/log/messages | wc -l
126
grep 222.186.21.251 /var/log/messages | wc -l
126

from Japan: iptables -A INPUT -s 43.255.190.xx -j DROP
grep 43.255.190.117 /var/log/messages | wc -l
404
grep 43.255.190.130 /var/log/messages | wc -l
449
grep 43.255.190.133 /var/log/messages | wc -l
376
grep 43.255.190.137 /var/log/messages | wc -l
282
grep 43.255.190.142 /var/log/messages | wc -l
679
grep 43.255.190.143 /var/log/messages | wc -l
1326
grep 43.255.190.146 /var/log/messages | wc -l
456
grep 43.255.190.150 /var/log/messages | wc -l
438
grep 43.255.190.163 /var/log/messages | wc -l
247
grep 43.255.190.171 /var/log/messages | wc -l
450
grep 43.255.190.172 /var/log/messages | wc -l
456
grep 43.255.190.186 /var/log/messages | wc -l
432
grep 43.255.190.189 /var/log/messages | wc -l
450
grep 43.255.190.90 /var/log/messages | wc -l
449
grep 43.255.191.132 /var/log/messages | wc -l
2930
grep 43.255.191.135 /var/log/messages | wc -l
931
grep 43.255.191.136 /var/log/messages | wc -l
23
grep 43.255.191.138 /var/log/messages | wc -l
41
grep 43.255.191.156 /var/log/messages | wc -l
1

iptables -A INPUT -s 171.5.163.191 -j DROP

--> grep 171.5.163.191 * 2>/dev/null | wc -l
878

.... check logs...
no more activity... whoever was trying to come in was persistent and aggressive... went from 535 log entries to 878 in just a few minutes... in the past I've activated the firewall, but I hate firewalls because I forget about them and can't activate some service... and a firewall wouldn't have prevented this guy from trying to access my system... setting up iptables is like a firewall, it just resolves any request... or should I say, "dissolves" any request from that IP address... can do a block of IPs as well.
--------------------------------------------------
oh... this is also why you do NOT want to use FTP: all 878 attempts were against the ftp server... it's like pouring blood into shark infested water... (I wouldn't be using FTP either if the makers of gadgets knew about SCP and SSH... inferior windows marketing stuff).

--> grep 171.5.163.191 * 2>/dev/null | grep -v uid=0 | grep -v vsftpd | awk '{print $3" "$8}' | sort | uniq
--------------------------------------------------
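The "grep the IP, count the hits, drop it when the count is significant" script described above, written out as an added example (not the getips script from these notes). It assumes standard sshd and PAM/vsftpd failure wording in a syslog-style file; the log below is constructed with documentation addresses, and the threshold is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original notes: count failed-login sources in a
# syslog-style messages file and emit an iptables DROP rule for every IP that
# reaches a threshold. Rules are printed, not executed, so they can be reviewed
# first (pipe the output to sh, as root, to apply them).

# Constructed sample log (RFC 5737 documentation addresses, not real data).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 12:00:01 host sshd[1001]: Invalid user admin from 198.51.100.7
Mar 10 12:00:02 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 4411 ssh2
Mar 10 12:00:03 host sshd[1003]: Failed password for root from 198.51.100.7 port 4412 ssh2
Mar 10 12:00:04 host vsftpd[2001]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=203.0.113.9
Mar 10 12:00:05 host sshd[1004]: Accepted publickey for john from 192.0.2.5 port 5000 ssh2
Mar 10 12:00:06 host sshd[1005]: Failed password for root from 203.0.113.9 port 4413 ssh2
EOF

# count_bad_ips LOGFILE: print "<hits> <ip>" for each source seen on a
# failure line (sshd or PAM/vsftpd), most hits first. Successful logins
# ("Accepted ...") are never matched, so a legitimate user is not counted.
count_bad_ips() {
    grep -E 'Failed password|Invalid user|authentication failure' "$1" \
        | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | sort | uniq -c | sort -rn
}

# drop_rules LOGFILE THRESHOLD: one DROP rule per IP with hits >= THRESHOLD.
drop_rules() {
    count_bad_ips "$1" \
        | awk -v t="$2" '$1 >= t { print "iptables -A INPUT -s " $2 " -j DROP" }'
}

# Demo on the sample: only 198.51.100.7 (3 hits) crosses a threshold of 3;
# 203.0.113.9 has 2 hits and is left alone.
drop_rules "$SAMPLE_LOG" 3
```

Against the real file, run `drop_rules /var/log/messages 100` (or whatever count you consider significant) from cron. Since the rules are gone after a reboot, as the notes warn, save them with `iptables-save` after applying (on Debian/Ubuntu the iptables-persistent package restores the saved set at boot).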