Apache IP Trapping/Blocking Bad Bots and hackers
Hello,
I have a dedicated server and receive my server log files every morning.
What I have been seeing is people trying to get access to my server through sshd. They are using multiple names and passwords and probably brute force apps.
I am new at running a dedicated server and need to block these people.
What I really want to do is set up a PHP app or configure Apache so it will automatically stop these people & block their IP.
I have heard of PHP code that can be set up as a speed trap so if someone uses an offline browser agent to raid a site it blocks their IP.
I realize it isn't the exact same process but could use some help on how to set up an IP trap that would automatically block these people and also give me the ability to see who has been blocked.
Also, is there an easy way to block whois.sc on a global basis in Apache to keep it off all my sites? I think some of the people trying to get into my server may be coming from there.
I would think it would be the same process that would be used to stop & block the people who are trying to get into my server.
I have looked for info on this but all I found was info on how to block IPs using http.cfg, but that wouldn't stop them before it happened, only after.
I would really appreciate some help and advice on how to control this.
Thanks for your help
Data2050
Busy posted this at 20:54 — 12th April 2005.
He has: 6,151 posts
Joined: May 2001
Sorry, not sure how to solve your problem, but you do need to be careful blocking by IP, especially if you plan to block by IP range, as most attacks would be coming from proxy servers. Also, what you do with the bad bots etc.: if you send them round in circles or give them fake lists or a never-ending file to suck on, you're using up what can be valuable resources that could be used better elsewhere.
mairving posted this at 21:26 — 12th April 2005.
They have: 2,256 posts
Joined: Feb 2001
Neither Apache nor PHP can block SSH attacks; separate program, separate port. All they could do is block access to your site.
What kind of OS?
If Linux, you can use IP Tables
If FreeBSD, you can use IPFW or IPFILTERS to firewall and alternately drop any packets coming from a certain IP address or block.
Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states
mairving posted this at 21:28 — 12th April 2005.
They have: 2,256 posts
Joined: Feb 2001
Do be careful when setting up Firewall rules particularly on a remote computer, since you could potentially lock yourself out.
cpellizzi posted this at 00:10 — 13th April 2005.
He has: 57 posts
Joined: Apr 2005
If you are having trouble, I used webmin to set up all of my firewall stuff (webmin.org). You should just allow ssh access from one IP, that is what I would do in that situation.
Deadlock User Management System
mairving posted this at 12:35 — 13th April 2005.
They have: 2,256 posts
Joined: Feb 2001
I wouldn't really suggest that. Most of us don't have a fixed IP address. If you set it up to allow access from your cable connection and then that address changed, you would be locked out. Since you can't physically go to the server, you would have to get your host to reset it.
A better option which is the default in BSD is to not allow root access via SSH. This way someone can hammer away at the root password all day long and even if they guessed it, still not get in. Use a username that is not easy to determine either and go su (superuser) if you need to do something as root.
Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states
cpellizzi posted this at 20:35 — 13th April 2005.
He has: 57 posts
Joined: Apr 2005
Yes, that is true. I have a fixed IP, so I kind of forgot that most people don't...
Deadlock User Management System
Data2050 posted this at 14:11 — 13th April 2005.
They have: 8 posts
Joined: Apr 2005
Thanks for the info, I agree setting a fixed IP address for admin wouldn't work.
I have found this http://www.pettingers.org/code/SSHBlack.html
I have heard using hosts.deny will help but not completely.
Any comments on this?
Thanks
Data2050
andy206uk posted this at 15:02 — 13th April 2005.
He has: 1,758 posts
Joined: Jul 2002
Have a look into something called portknocking. It makes it impossible to login without first "knocking" a special combination of ports before you login. It would probably get tedious but I've heard it really makes it tough for people to get in.
Info here: http://www.portknocking.org/
Andy
Data2050 posted this at 16:32 — 13th April 2005.
They have: 8 posts
Joined: Apr 2005
Hi andy206uk,
I looked at port knocking and found they said this:
Applicability
Port knocking is a suitable form of hardening hosts that house users who require continual access to services and data from any location and that are not running public services, such as SMTP or HTTP . Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence.
So if I understand what they are saying, port knocking shouldn't be used on a webserver running public services, such as SMTP and HTTP, because of the ports SMTP and HTTP use.
Thanks,
Data2050
Data2050 posted this at 23:10 — 13th April 2005.
They have: 8 posts
Joined: Apr 2005
I have been doing some research on this and from what I have found I can use the hosts.allow file and allow the block of IPs I would get from my ISP. From what I understand, once that block of IPs (3 or 4 lines of code) is in the hosts.allow file nobody could access SSH from an IP not in that block. I have also read there are different apps that will monitor SSH port 22 and will write an IP to the iptable; people who have either tried multiple logins in a specified time frame or x amount of login failures will end up with their IP added to the IP table and they won't be able to waste system resources.
Using this should provide dual security on SSH with autoblocking features.
Data2050
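The auto-blocking described in the post above (count failed sshd logins per IP inside a time window, then write a deny rule) as an added example, not code from the thread or from any of the tools mentioned in it. It parses constructed syslog-style sshd lines, assumes the year 2005 because syslog timestamps carry none, and only prints the hosts.deny line and iptables command rather than running them; the `never_block` networks stand in for the ISP block you put in hosts.allow, so the script can never lock out your own range.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from a real server).
SAMPLE_LOG = """\
Apr 13 03:14:01 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Apr 13 03:14:03 host sshd[2103]: Failed password for root from 198.51.100.7 port 40124 ssh2
Apr 13 03:14:05 host sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40126 ssh2
Apr 13 03:14:08 host sshd[2107]: Failed password for invalid user oracle from 198.51.100.7 port 40128 ssh2
Apr 13 03:14:10 host sshd[2109]: Failed password for root from 198.51.100.7 port 40130 ssh2
Apr 13 03:20:00 host sshd[2200]: Failed password for bob from 203.0.113.9 port 51000 ssh2
Apr 13 03:20:30 host sshd[2202]: Accepted password for bob from 203.0.113.9 port 51002 ssh2
Apr 13 09:00:00 host sshd[2300]: Failed password for root from 192.0.2.5 port 33000 ssh2
Apr 13 09:30:00 host sshd[2301]: Failed password for root from 192.0.2.5 port 33001 ssh2
"""

# Only "Failed password" lines count; accepted logins and other noise are ignored.
FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def offenders(log, threshold=5, window=timedelta(minutes=10), year=2005):
    """Return IPs with at least `threshold` failures inside any `window`-long span."""
    fails = defaultdict(list)
    for line in log.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        fails[m.group(2)].append(ts)
    hits = []
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(ip)
                break
    return sorted(hits)

def block_rules(ips, never_block=("203.0.113.0/24",)):
    """hosts.deny line and iptables command per IP, skipping your own reserved networks."""
    safe = [ipaddress.ip_network(n) for n in never_block]   # assumed admin block
    rules = []
    for ip in ips:
        if any(ipaddress.ip_address(ip) in n for n in safe):
            continue
        rules.append((f"sshd: {ip}", f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"))
    return rules

if __name__ == "__main__":
    for deny_line, cmd in block_rules(offenders(SAMPLE_LOG)):
        print(deny_line, "|", cmd)
```

With the defaults only 198.51.100.7 trips the rule: 203.0.113.9 has a single failure followed by a success, and 192.0.2.5's two failures are half an hour apart, so they are logged but not blocked.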