Identifying attackers in /var/log/messages and blocking using iptables

To find the IP addresses of those attempting to break in to your system, pull them out of /var/log/messages:

awk '{print $7}' messages | grep -v authentication | grep -v not |  \
grep -v port | grep -v for | grep -v peer | grep -v failure | grep -v Kbyte | \
grep -v ^$ | grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | uniq  > /root/badips.txt


----------------------------------------------------------------------------
create a quick and dirty script:

vi getips (in /var/log/)

#!/bin/sh
# field $7 of each messages line is where the remote address lands on this system;
# the grep -v chain strips the other words that land in that field
awk '{print $7}' messages | grep -v authentication | grep -v not | grep -v port | \
grep -v for | grep -v peer | grep -v failure | grep -v Kbyte | grep -v ^$ | \
grep -v connect | grep -v you | grep -v ssh | grep -v logname | sort | uniq


execute:

sh ./getips  (dirty script needs more clean-up, but once you have this list of IPs you can edit it, research the addresses and then block them)
'ControlGroup'
(0
109.161.130.52:
109.161.134.121:
109.161.141.150:
109.161.145.50:
208.109.85.13:
...
212.26.42.80:
217.58.12.14:
217.76.38.34:
217.77.210.194:
218.87.111.107:
...
43.229.52.137:
43.229.52.139:
43.229.52.140:
43.229.52.143:
43.229.52.149
43.229.52.149:
43.229.52.157:
...
92.39.66.182:
93.170.82.141:
94.199.9.18:
94.31.182.4:
95.141.32.23:
95.210.251.183:
95.224.220.243:
95.226.154.11:
95.243.34.241:
;
Cache
Client
...
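A less fragile version of the extraction above, added here as an example and not part of the original page or its getips script: instead of guessing the field position and excluding stray words one grep -v at a time, match the IPv4 pattern directly, keep only lines that look like failed logins, and count how often each address appears (which is what the per-IP "grep ... | wc -l" checks further down do one address at a time). The sample log lines, the addresses in them and the function names failed_logins, extract_ips and count_hits are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): pull candidate attacker IPs out of
# /var/log/messages-style lines and count how often each one appears.
# Matching the IPv4 pattern directly means the field position ($7) and stray
# tokens such as "ControlGroup" or "(0" no longer matter.

# Constructed sample log lines; addresses and hostnames are made up for the example.
SAMPLE_LOG='Mar  3 10:01:12 host sshd[2201]: Invalid user admin from 203.0.113.45
Mar  3 10:01:13 host sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 10:01:20 host sshd[2203]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar  3 10:02:01 host vsftpd[2210]: [anonymous] FAIL LOGIN: Client "198.51.100.7"
Mar  3 10:02:02 host vsftpd[2211]: [anonymous] FAIL LOGIN: Client "198.51.100.7"
Mar  3 10:03:00 host sshd[2220]: Accepted publickey for john from 192.168.1.20 port 40000 ssh2
Mar  3 10:03:05 host cron[2230]: (root) CMD (run-parts /etc/cron.hourly)'

# Keep only lines that record a failed login attempt (sshd or vsftpd wording).
# Reads log text on stdin.
failed_logins() {
    grep -E 'Failed password|Invalid user|FAIL LOGIN'
}

# Print every dotted-quad in the input, one per line, dropping loopback and
# RFC1918 ranges so the LAN and the box itself never end up on the block list.
extract_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | grep -vE '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

# Count hits per address; output lines are "count ip", most active first.
count_hits() {
    failed_logins | extract_ips | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Wrapper that takes the log text as an argument, handy for testing.
count_hits_in() {
    printf '%s\n' "$1" | count_hits
}

# Real usage (reading the log needs root):
#   count_hits < /var/log/messages
# On the constructed sample above this prints:
#   3 203.0.113.45
#   2 198.51.100.7
```

The output is already in the shape a blocking script wants: a count to compare against a threshold, then the address. The "Accepted publickey" line and the cron line contribute nothing, and the successful login from 192.168.1.20 is filtered out twice, once by the failed-login grep and once by the private-range exclusion, so a typo in the pattern cannot put your own admin host on the list.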
----------------------------------------------------

to see a longer list of invalid logins see:

http://johnmeister.com/linux/Notes/messages-Invalid-attempts.html

----------------------------------------------------

There are ways of reporting these IP addresses; by doing so they can be added to blacklists so that
mail servers reject email from those IPs.  The problem is that if someone is overzealous about blacklisting
IP addresses, the occasional rogue spammer can get a legitimate server blacklisted.  Currently my mail server IP
is blacklisted because of spam prior to my getting that address.  It's on two of eight spam lists, but that's
enough to keep me from getting to one of my technical groups.

To examine an IP address and find its location, do a reverse DNS lookup, then a traceroute.

A reverse DNS lookup is simply:

		nslookup 171.5.163.191

--> nslookup 171.5.163.191
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
191.163.5.171.in-addr.arpa	name = mx-ll-171.5.163-191.dynamic.3bb.co.th.

Authoritative answers can be found from:

----------------------------------------------------
--> nslookup 3bb.co.th
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	3bb.co.th
Address: 110.164.192.228

----------------------------------------------------
--> traceroute 171.5.163.191
The program 'traceroute' can be found in the following packages:
 * inetutils-traceroute
 * traceroute
Try: sudo apt-get install <selected package>

------------------------------------------------
john@mint-system (same on Debian or Ubuntu; for SUSE: zypper install traceroute, although it may be installed by default)
------------------------------------------------
--> sudo apt-get install inetutils-traceroute traceroute
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  inetutils-traceroute traceroute
0 upgraded, 2 newly installed, 0 to remove and 46 not upgraded.
Need to get 83.1 kB of archives.
After this operation, 443 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty-updates/universe traceroute amd64 1:2.0.20-0ubuntu0.1 [45.0 kB]
Get:2 http://archive.ubuntu.com/ubuntu/ trusty/universe inetutils-traceroute amd64 2:1.9.2-1 [38.1 kB]
Fetched 83.1 kB in 0s (87.7 kB/s)              
Selecting previously unselected package traceroute.
(Reading database ... 188920 files and directories currently installed.)
Preparing to unpack .../traceroute_1%3a2.0.20-0ubuntu0.1_amd64.deb ...
Unpacking traceroute (1:2.0.20-0ubuntu0.1) ...
Selecting previously unselected package inetutils-traceroute.
Preparing to unpack .../inetutils-traceroute_2%3a1.9.2-1_amd64.deb ...
Unpacking inetutils-traceroute (2:1.9.2-1) ...
Processing triggers for man-db (2.6.7.1-1ubuntu1) ...
Setting up traceroute (1:2.0.20-0ubuntu0.1) ...
update-alternatives: using /usr/bin/traceroute.db to provide /usr/bin/traceroute (traceroute) in auto mode
update-alternatives: using /usr/bin/lft.db to provide /usr/bin/lft (lft) in auto mode
update-alternatives: using /usr/bin/traceproto.db to provide /usr/bin/traceproto (traceproto) in auto mode
update-alternatives: using /usr/sbin/tcptraceroute.db to provide /usr/sbin/tcptraceroute (tcptraceroute) in auto mode
Setting up inetutils-traceroute (2:1.9.2-1) ...

------------------------------------------------
--> traceroute 171.5.163.191
traceroute to 171.5.163.191 (171.5.163.191), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  1.092 ms  1.330 ms  1.404 ms
 2  96.120.100.13 (96.120.100.13)  12.094 ms  12.227 ms  12.307 ms
 3  te-0-0-0-14-sur02.everett.wa.seattle.comcast.net (68.85.240.145)  17.322 ms  17.484 ms  17.568 ms
 4  be-1-sur03.everett.wa.seattle.comcast.net (69.139.164.222)  17.761 ms  17.844 ms  18.009 ms
 5  be-29-ar01.seattle.wa.seattle.comcast.net (69.139.164.217)  18.105 ms  18.190 ms  18.447 ms
 6  be-33650-cr02.seattle.wa.ibone.comcast.net (68.86.93.165)  20.053 ms  11.987 ms  11.476 ms
 7  be-11021-cr01.sanjose.ca.ibone.comcast.net (68.86.85.197)  31.130 ms  31.392 ms  31.268 ms
 8  * * *
 9  he-0-14-0-1-pe03.11greatoaks.ca.ibone.comcast.net (68.86.86.202)  38.010 ms  36.924 ms  36.679 ms
10  50.242.150.146 (50.242.150.146)  38.260 ms  37.942 ms  38.103 ms
11  mx-ll-110.164.0-42.static.3bb.co.th (110.164.0.42)  191.765 ms  381.393 ms  381.276 ms
12  mx-ll-110.164.0-224.static.3bb.co.th (110.164.0.224)  240.239 ms  242.281 ms  242.418 ms
13  mx-ll-110.164.1-10.static.3bb.co.th (110.164.1.10)  230.957 ms  236.696 ms  236.922 ms
14  mx-ll-110.164.1-167.static.3bb.co.th (110.164.1.167)  238.861 ms  238.561 ms  238.627 ms
15  mx-ll-110.164.1-162.static.3bb.co.th (110.164.1.162)  236.683 ms  230.005 ms  230.273 ms
16  mx-ll-110.164.1-64.static.3bb.co.th (110.164.1.64)  232.104 ms mx-ll-110.164.1-138.static.3bb.co.th (110.164.1.138)  238.389 ms mx-ll-110.164.1-72.static.3bb.co.th (110.164.1.72)  230.115 ms
17  mx-ll-110.164.0-181.static.3bb.co.th (110.164.0.181)  236.132 ms  235.147 ms mx-ll-110.164.0-157.static.3bb.co.th (110.164.0.157)  237.306 ms
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

------------------------------------------------

Address: 110.164.192.228
------------------------------------------------
--> traceroute 110.164.192.228
traceroute to 110.164.192.228 (110.164.192.228), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.949 ms  1.103 ms  1.167 ms
 2  96.120.100.13 (96.120.100.13)  13.784 ms  18.228 ms  18.217 ms
 3  te-0-0-0-14-sur02.everett.wa.seattle.comcast.net (68.85.240.145)  19.160 ms  19.314 ms  19.397 ms
 4  be-1-sur03.everett.wa.seattle.comcast.net (69.139.164.222)  19.504 ms  19.556 ms  19.820 ms
 5  be-29-ar01.seattle.wa.seattle.comcast.net (69.139.164.217)  20.080 ms  19.999 ms  20.175 ms
 6  be-33650-cr02.seattle.wa.ibone.comcast.net (68.86.93.165)  20.235 ms  12.986 ms  13.766 ms
 7  be-11021-cr01.sanjose.ca.ibone.comcast.net (68.86.85.197)  32.372 ms  40.418 ms  40.204 ms
 8  * * *
 9  he-0-11-0-0-pe03.11greatoaks.ca.ibone.comcast.net (68.86.85.238)  38.250 ms he-0-13-0-0-pe03.11greatoaks.ca.ibone.comcast.net (68.86.83.134)  38.101 ms he-0-12-0-0-pe03.11greatoaks.ca.ibone.comcast.net (68.86.82.66)  38.450 ms
10  50.242.150.146 (50.242.150.146)  40.562 ms  40.898 ms  40.778 ms
11  mx-ll-110.164.0-44.static.3bb.co.th (110.164.0.44)  226.880 ms  227.516 ms  226.726 ms
12  mx-ll-110.164.0-176.static.3bb.co.th (110.164.0.176)  227.406 ms mx-ll-110.164.0-236.static.3bb.co.th (110.164.0.236)  231.979 ms  232.071 ms
13  mx-ll-110.164.1-132.static.3bb.co.th (110.164.1.132)  238.846 ms  238.716 ms mx-ll-110.164.1-96.static.3bb.co.th (110.164.1.96)  248.027 ms
14  mx-ll-110.164.1-70.static.3bb.co.th (110.164.1.70)  254.360 ms mx-ll-110.164.1-72.static.3bb.co.th (110.164.1.72)  246.309 ms mx-ll-110.164.1-96.static.3bb.co.th (110.164.1.96)  238.987 ms
15  mx-ll-110.164.1-2.static.3bb.co.th (110.164.1.2)  238.841 ms mx-ll-110.164.1-49.static.3bb.co.th (110.164.1.49)  238.263 ms mx-ll-110.164.1-72.static.3bb.co.th (110.164.1.72)  230.261 ms
16  mx-ll-110.164.1-49.static.3bb.co.th (110.164.1.49)  241.157 ms  504.745 ms *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
------------------------------------------------
http://whois.icann.org/en (provides ICANN info of properly registered domains)

https://who.is/whois-ip/ip-address/110.164.192.228

Overview for 110.164.192.228

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '110.164.192.0 - 110.164.207.255'

inetnum:        110.164.192.0 - 110.164.207.255
netname:        TRIPLETNET-TH
descr:          3BB Broadband Internet service provider in Thailand
country:        TH
admin-c:        CW1178-AP
tech-c:         CW1178-AP
status:         ALLOCATED NON-PORTABLE
mnt-by:         MAINT-TH-3BB
mnt-lower:      MAINT-TH-3BB
mnt-routes:     MAINT-TH-3BB
mnt-irt:        IRT-TRIPLETNET-TH
changed:        ipadmin@3bbmail.com 20110213
source:         APNIC

irt:            IRT-TRIPLETNET-TH
address:        200 Moo4 Chaengwattana Road Pakkret Nonthaburi 11120
e-mail:         ipadmin@3bbmail.com
abuse-mailbox:  ipadmin@3bbmail.com
admin-c:        TP207-AP
tech-c:         TP207-AP
auth:           # Filtered
mnt-by:         MAINT-TH-3BB
changed:        ipadmin@3bbmail.com 20101214
source:         APNIC

person:         Ip admin
nic-hdl:        CW1178-AP
e-mail:         ipadmin@3bbmail.com
address:        200 Jasmine tower 29th floor
address:        Chaengwattana road
address:        Pakkret Nonthaburi 11120
phone:          +66-2-1008555
phone:          +66-2-1008552
phone:          +66-2-1008553
country:        TH
changed:        ipadmin@3bbmail.com 20091116
mnt-by:         MAINT-NEW
changed:        hm-changed@apnic.net 20091116
changed:        hm-changed@apnic.net 20111206
source:         APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (UNDEFINED)

----------------------------------------------------------------------------

the command to block on the fly:

--> sudo iptables -A INPUT -s 221.229.166.29 -j DROP


a rule added with iptables this way is not saved anywhere: it only blocks that IP until the next reboot.

----------------------------------------------------------------------------


--> sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             multiport dports mdns
ACCEPT     tcp  --  anywhere             anywhere             multiport dports terabase
DROP       all  --  221.229.166.29       anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

------------------------------------------------

so, once you've got the basic concept down, you can analyze all of the IPs and
turn the details below into a script that runs.  Remember that iptables rules are flushed on reboot.
So if you create a script, make it monitor the messages file and drop any IP that
makes a significant number of attempts to get in.


the list of IPs from messages can be gathered by a script that greps for each IP
in messages and counts the hits.  Then, when an IP has a significant number of hits,
drop it using iptables.  Rules added by a filter like this are cleared after any reboot,
but it would be a proactive firewall of sorts.
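The threshold-and-drop step described above, written out as an added example (this is not the page's own script): it takes "count ip" lines, such as the output of sort | uniq -c, drops only addresses at or over a threshold, skips an allow-list so the admin host can never be locked out, and uses "iptables -C" so that re-running it from cron does not append the same DROP rule again and again. By default it only prints the rules it would add; APPLY=1 makes it run them. The counts, addresses, the allow-list entry and the function names select_offenders and block_offenders are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): turn a "count ip" list into DROP
# rules once an address crosses a threshold. Safe to re-run from cron, and it
# never touches iptables unless APPLY=1 is set (which also requires root).

THRESHOLD="${THRESHOLD:-100}"            # hits before an address is dropped
ALLOWLIST="${ALLOWLIST:-192.168.1.20}"   # space-separated addresses never to block
                                         # (constructed: pretend this is the admin host)

# Constructed input in the "count ip" shape; numbers and addresses are made up.
SAMPLE_COUNTS='598 203.0.113.45
155 198.51.100.7
999 192.168.1.20
20 203.0.113.9
1 198.51.100.200'

# Print the addresses whose count is >= THRESHOLD and that are not allow-listed.
# Reads "count ip" lines on stdin.
select_offenders() {
    while read -r count ip; do
        [ "$count" -ge "$THRESHOLD" ] || continue
        case " $ALLOWLIST " in
            *" $ip "*) continue ;;   # never block the admin host
        esac
        printf '%s\n' "$ip"
    done
}

# Emit (or, with APPLY=1, run) one DROP rule per offender. "iptables -C" tests
# whether the identical rule already exists, so repeated runs do not duplicate it.
# "-I INPUT" puts the rule at the top of the chain, ahead of any ACCEPT rules.
block_offenders() {
    while read -r ip; do
        if [ "${APPLY:-0}" = 1 ]; then
            iptables -C INPUT -s "$ip" -j DROP 2>/dev/null \
                || iptables -I INPUT -s "$ip" -j DROP
        else
            printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        fi
    done
}

# Dry-run helper: plan the rules for a given count list without touching iptables.
plan_blocks_for() {
    printf '%s\n' "$1" | select_offenders | block_offenders
}

# Real usage, as root, fed by whatever produces the count list, e.g.
#   <count ip lines> | select_offenders | APPLY=1 block_offenders
# Dry run on the sample above prints:
#   iptables -I INPUT -s 203.0.113.45 -j DROP
#   iptables -I INPUT -s 198.51.100.7 -j DROP
```

Two points of design worth noting. The page appends with "-A", which works in the listing shown above because the existing ACCEPT rules only match specific ports; if the INPUT chain ever gains a broad ACCEPT earlier on, an appended DROP never gets evaluated, which is why this example inserts at the top with "-I". And since, as the page says, these rules vanish at reboot, the rules this script adds should either be re-created by running it at boot or saved with iptables-save and restored with iptables-restore (packaged as iptables-persistent on Debian-family systems); check which mechanism your distribution provides.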

------------------------------------------------

grep 182.118.54.88 /var/log/messages | wc -l   1
grep 115.113.151.235 /var/log/messages | wc -l  155
grep 117.21.174.111 /var/log/messages | wc -l  219

	grep 171.5.163.191 /var/log/messages | wc -l  598 

	iptables -A INPUT -s 171.5.163.191 -j DROP

grep 176.100.89.119 /var/log/messages | wc -l  349
grep 178.89.2.226 /var/log/messages | wc -l   20
grep 182.100.67.102 /var/log/messages | wc -l  1738
grep 182.100.67.112 /var/log/messages | wc -l  525
grep 182.100.67.114 /var/log/messages | wc -l  190
grep 218.65.30.92 /var/log/messages | wc -l    154
grep 221.229.160.223 /var/log/messages | wc -l  114
grep 221.229.166.27 /var/log/messages | wc -l   108
grep 221.229.166.29 /var/log/messages | wc -l  246
grep 221.229.166.30 /var/log/messages | wc -l  132
grep 222.186.21.217 /var/log/messages | wc -l  126
grep 222.186.21.251 /var/log/messages | wc -l  126

from Japan (one rule blocks the whole 43.255.190.x range):
iptables -A INPUT -s 43.255.190.0/24 -j DROP

grep 43.255.190.117 /var/log/messages | wc -l  404
grep 43.255.190.130 /var/log/messages | wc -l  449
grep 43.255.190.133 /var/log/messages | wc -l  376
grep 43.255.190.137 /var/log/messages | wc -l  282
grep 43.255.190.142 /var/log/messages | wc -l  679
grep 43.255.190.143 /var/log/messages | wc -l  1326
grep 43.255.190.146 /var/log/messages | wc -l  456
grep 43.255.190.150 /var/log/messages | wc -l  438
grep 43.255.190.163 /var/log/messages | wc -l  247
grep 43.255.190.171 /var/log/messages | wc -l  450
grep 43.255.190.172 /var/log/messages | wc -l  456
grep 43.255.190.186 /var/log/messages | wc -l  432
grep 43.255.190.189 /var/log/messages | wc -l  450
grep 43.255.190.90 /var/log/messages | wc -l  449
grep 43.255.191.132 /var/log/messages | wc -l  2930
grep 43.255.191.135 /var/log/messages | wc -l  931
grep 43.255.191.136 /var/log/messages | wc -l  23
grep 43.255.191.138 /var/log/messages | wc -l  41
grep 43.255.191.156 /var/log/messages | wc -l  1

iptables -A INPUT -s 171.5.163.191 -j DROP

--> grep 171.5.163.191 * 2>/dev/null | wc -l
878

.... check logs... no more activity... whoever was trying to come in was persistent and aggressive... 
went from 535 log entries to 878 in just a few minutes... in the past I've activated the firewall, 
but I hate firewalls because I forget about them and can't activate some service... and a firewall 
wouldn't have prevented this guy from trying to access my system... setting up iptables is like a firewall, 
it just resolves any request... or should I say, "dissolves" any request from that IP address... 
can do a block of IPs as well.
--------------------------------------------------

oh... this is also why you do NOT want to use FTP: all 878 attempts were against the ftp server... 
it's like pouring blood into shark-infested water... (I wouldn't be using FTP either if the makers of 
gadgets knew about SCP and SSH... inferior Windows marketing stuff).

--> grep 171.5.163.191 * 2>/dev/null | grep -v uid=0 | grep -v vsftpd | awk '{print $3" "$8}' | sort |uniq

--------------------------------------------------


