
Thread: BFD rules for Jag servers

  1. #46
    Jag Veteran thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    602
    The IP address for the hostname you posted is: 200.186.94.53

    That's because the hostname contains the reverse IP, which some ISPs use in order to quickly match IP to hostname.

    If you want to ban that IP, just run:

    Code:
    /sbin/iptables -I INPUT -s 200.186.94.53 -j DROP

  2. #47
    DataViking
    Join Date
    Feb 2006
    Location
    Las Vegas
    Posts
    6
    How can I view the blocked IPs?

  3. #48
    JPC Member lamnk's Avatar
    Join Date
    Jul 2007
    Posts
    39
    /sbin/iptables -L --line-numbers

  4. #49
    JPC Member AncientLady's Avatar
    Join Date
    May 2006
    Location
    Yankee relocated to Virginia
    Posts
    48
    Thank you thisisit3 (and this is not meant sarcastically).

    However, I just got my own VPS banned.

    For quite a while I've been downloading all relevant logs and running a script to catch stuff.

    One of the things that happens is that hackers try to use my VPS as a mail agent and spoof the source IP to one of the ones for my VPS. It happens a LOT.

    After I made your changes, my VPS got banned because of one such mail hacker.

    Your exim file always takes the fourth value. Sometimes that is not the right one. The one you need to catch each time is the IP address within the []. Here are two examples of 'bad' entries:
    Code:
    2007-08-16 12:28:47 H=(hkqkul) [81.214.134.167] F=<thepleasurecruise.com@wanttobefit.com> rejected RCPT <douglas@triassicassociates.com>: No Such ....
    Code:
    2007-08-14 00:56:38 H=61-31-163-154.dynamic.tfn.net.tw (my.vps.ip.address) [61.31.163.154] F=<kii5bghhgfw@msa.hinet.net> rejected RCPT <all9988@gmail.com>: 61-31-163-154.dynamic.tfn.net.tw (my.vps.ip.address) [61.31.163.154] is currently ...
    The fourth entry is correct for the first example and not for the second. The IP address in the () is frequently spoofed (as in the second example). The fifth value is the actual IP.

    Here is the modified exim file I am going to use until I see that it doesn't work. I haven't looked into the syntax properly and based it on what I saw in the other files. I did test the greps and awks to make sure they caught the correct lines and values:
    Code:
    # exim
    
    REQ="/usr/sbin/exim"
    
    if [ -f "$REQ" ]; then
    
    	#LP="/var/log/exim_mainlog"
    	LP="/var/log/exim_rejectlog"
    	TLOG_TF="exim"
    	TRIG="7"
    	TMP="$INSPATH/tmp"
    	MLOG=2500
    
    	# Uncomment this to reset counter
    	#echo "1" > $INSPATH/tmp/$TLOG_TF
    
    	echo "Scanning exim log..."
    
    	# Lines of the form "H=(helo) [ip]": the IP is the 4th field.
    	# The redirect must apply to the pipeline itself; written as VAR=`...` > file
    	# it leaves the file empty, so ARG_VAL below would always be blank.
    	$TLOGP $LP $TLOG_TF | tail -n $MLOG | grep -iw "H=(.* rejected RCPT" | awk '{print $4}' | tr -d '[]()' | grep -v '[a-zA-Z]' | grep -v '^$' | awk '{print $1":exim"}' > $TMP/.exim
    	# Lines of the form "H=hostname (helo) [ip]": the IP is the 5th field.
    	# "(.+" is not a repetition in basic grep syntax; "(.*" matches the same lines.
    	# A separate tlog track file ($TLOG_TF.2) is used so this second pass is not
    	# started where the first pass left off.
    	$TLOGP $LP $TLOG_TF.2 | tail -n $MLOG | grep -iw "H=[^(].*(.* rejected RCPT" | awk '{print $5}' | tr -d '[]()' | grep -v '[a-zA-Z]' | grep -v '^$' | awk '{print $1":exim"}' >> $TMP/.exim
    	ARG_VAL=`cat $TMP/.exim`
    
    fi
    I'd appreciate it greatly if anyone sees a flaw in this. If not, it is (obviously) there for anyone to use.
    Cheers,
    Ancient Lady
    http://www.triassicassociates.com

  5. #50
    JPC Member AncientLady's Avatar
    Join Date
    May 2006
    Location
    Yankee relocated to Virginia
    Posts
    48
    Oh, and the sequence that worked for me to remove my IP from the iptables file was:
    Code:
    1. iptables -L -n --line-numbers>tmp.txt
    2. search tmp.txt to find the line number in the INPUT section for the IP to delete (refer to value as <lni>)
    3. search tmp.txt to find the line number in the OUTPUT section for the IP to delete (refer as <lno>)
    4. iptables -D INPUT <lni>
    5. iptables -D OUTPUT <lno>
    6. Check to make sure the correct entries are gone using step 1 to a different file.
    The line numbers are probably the same for both, but it doesn't hurt to be specific.

    Cheers.
    Cheers,
    Ancient Lady
    http://www.triassicassociates.com
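The manual unban steps above, scripted as an added example (not code from the thread or the BFD rule pack): it pulls the rule numbers for one address out of a constructed `iptables -L -n --line-numbers` listing and prints the matching `iptables -D` commands, highest number first so that deleting one rule does not shift the number of the next one in the same chain.

```shell
#!/bin/sh
# Added example: derive "iptables -D CHAIN NUM" commands for one address from
# the output of "iptables -L -n --line-numbers". The listing below is
# constructed; the addresses are documentation values, not real bans.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  203.0.113.9          0.0.0.0/0
2    DROP       all  --  198.51.100.7         0.0.0.0/0
3    DROP       all  --  203.0.113.9          0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            203.0.113.9
2    DROP       all  --  0.0.0.0/0            198.51.100.7'

# rule_lines CHAIN IP: read the listing on stdin and print the numbers of the
# rules in CHAIN whose source or destination column is IP, highest first.
rule_lines() {
    awk -v chain="$1" -v ip="$2" '
        /^Chain / { cur = $2; next }
        cur == chain && ($5 == ip || $6 == ip) { print $1 }
    ' | sort -rn
}

# unban_commands IP: print the delete commands for the INPUT and OUTPUT chains
# (the two chains the steps above search by hand).
unban_commands() {
    listing=$(cat)
    for chain in INPUT OUTPUT; do
        printf '%s\n' "$listing" | rule_lines "$chain" "$1" |
        while read -r num; do
            printf '/sbin/iptables -D %s %s\n' "$chain" "$num"
        done
    done
}

printf '%s\n' "$SAMPLE_LISTING" | unban_commands 203.0.113.9
```

On a live system feed it the real listing (`iptables -L -n --line-numbers | unban_commands 203.0.113.9`) and review the printed commands before running them.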

  6. #51
    JPC Member st1905's Avatar
    Join Date
    Jul 2007
    Posts
    34
    Quote Originally Posted by AncientLady View Post
    Oh, and the sequence that worked for me to remove my IP from the iptables file was:
    Code:
    1. iptables -L -n --line-numbers>tmp.txt
    2. search tmp.txt to find the line number in the INPUT section for the IP to delete (refer to value as <lni>)
    3. search tmp.txt to find the line number in the OUTPUT section for the IP to delete (refer as <lno>)
    4. iptables -D INPUT <lni>
    5. iptables -D OUTPUT <lno>
    6. Check to make sure the correct entries are gone using step 1 to a different file.
    The line numbers are probably the same for both, but it doesn't hurt to be specific.

    Cheers.
    I've read something on your site about Intelsat, programming, etc. and I'm very impressed. Why do you have a Fedora favicon for your site?

  7. #52
    JPC Member AncientLady's Avatar
    Join Date
    May 2006
    Location
    Yankee relocated to Virginia
    Posts
    48
    Thanks for checking out my site (it's still growing). Our non-serious site is www.thetrilobyte.com (also still growing).

    I spent about 9 years working at/for Intelsat. It was a great experience. I went from there to Newskies Satellites (the Hague based company that was a US government forced offshoot of Intelsat) and spent four years working in Holland. That was also great.

    I wasn't aware that it was the fedora icon. I thought it was the Apache icon.

    After getting the PHP warning about no default icon, I grabbed the one in my Apache directory and copied it to the sites I manage. I really should create individual icons for each site; I've been lazy about that.
    Cheers,
    Ancient Lady
    http://www.triassicassociates.com

  8. #53
    Jag Veteran thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    602

    v4 release of BFD jag rules

    I've uploaded the new v4 release of the BFD rules.

    There are loads of new and cool changes, some of them are:

    1) As suggested above by AncientLady, exim has three(!) types of log lines, and the IP that needs to be banned is either in position 4 or position 5. I've expanded the previous regex rule into three different rules that catch all three variations.

    2) Added support for cyrus-pop3/imap as suggested by Geoffrey

    3) In order to start a merge of the DirectAdmin rules (so we don't keep two separate rule packs), I've made a change in exim which detects both log files, so it should work on both cPanel and DirectAdmin systems. If things look OK then we can move on to the other rules and make them work for both systems. Since I don't run DirectAdmin, please test and report any problems.

    4) Other minor stuff

  9. #54

  10. #55
    JPC Member AncientLady's Avatar
    Join Date
    May 2006
    Location
    Yankee relocated to Virginia
    Posts
    48
    Thank you thisisit3 for the update (and assurance that I wasn't nuts on the Apache icon).

    Here is another rule for the exim one (your new ones made me check my local logs again):

    Code:
    ARG_VAL6=`$TLOGP $LP $TLOG_TF.6 | tail -n $MLOG | grep -iw "too many syntax or protocol errors" | awk '{print$7}' | tr -d '[]' | tr -d '()'| grep -v '[a-zA-Z]' | grep -v '^$' | awk '{print$1":exim"}' >> $TMP/.exim`
    Cheers,
    Ancient Lady
    http://www.triassicassociates.com
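The field-position problem raised in #49, answered with three rules in #53 and extended with the "too many syntax or protocol errors" rule in #55 can be handled by one rule that keys on the bracketed address instead of a fixed awk field. Added example, not code from the thread or the BFD rule pack; the log lines are constructed, `TRIG` has the same meaning as in the rule files, and the tlog tracking that BFD puts in front of the pipeline is left out.

```shell
#!/bin/sh
# Added example: extract the ban candidate from exim reject lines by matching
# the first "[ip]" token, so "H=(helo) [ip]", "H=host (helo) [ip]",
# "H=[ip]" and the "SMTP call from host [ip] dropped" form all work without
# knowing which field the address lands in. Sample log is constructed;
# the addresses are documentation values.
SAMPLE_LOG='2007-08-16 12:28:47 H=(hkqkul) [192.0.2.10] F=<a@example.com> rejected RCPT <b@example.net>: No Such User
2007-08-14 00:56:38 H=host.example.org (my.vps.ip.address) [198.51.100.7] F=<c@example.com> rejected RCPT <d@example.net>: host.example.org (my.vps.ip.address) [198.51.100.7] is currently blocked
2007-08-14 00:57:01 H=host.example.org (my.vps.ip.address) [198.51.100.7] F=<c@example.com> rejected RCPT <e@example.net>: blocked
2007-08-20 09:12:44 SMTP call from mail.example.com [203.0.113.5] dropped: too many syntax or protocol errors (last command was "RCPT TO:<x>")
2007-08-20 09:13:00 H=[203.0.113.5] F=<f@example.com> rejected RCPT <g@example.net>: relay not permitted'

TRIG=2   # ban threshold; the rule files on this thread use 7

# exim_offenders: read exim_rejectlog lines on stdin and print "ip:exim" for
# every address that appears in at least $TRIG matching lines.
exim_offenders() {
    grep -E 'rejected RCPT|too many syntax or protocol errors' |
    # keep only the first bracketed dotted-quad on the line; the "(helo)" or
    # "(spoofed.ip)" token in parentheses is never touched
    sed -n 's/^[^[]*\[\([0-9][0-9.]*\)\].*/\1/p' |
    sort | uniq -c |
    awk -v trig="$TRIG" '$1 >= trig { print $2 ":exim" }'
}

printf '%s\n' "$SAMPLE_LOG" | exim_offenders
```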

  11. #56
    JPC Member
    Join Date
    Apr 2006
    Location
    Louisville
    Posts
    12
    Quote Originally Posted by thisisit3 View Post
    My rules are based on cPanel/WHM, while zefie has modified them for DirectAdmin.
    The Proftpd rule for DA is working for my Interworx server. Has anybody got a rule set for Qmail?

  12. #57

  13. #58
    Jag Veteran thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    602
    New version 5 released into the wild.

    I've added a new "cpanel" module which checks for failed login attempts in the /usr/local/cpanel/logs/login_log file and added several new exploits that have been going around for the past several weeks.

  14. #59
    JPC Member
    Join Date
    Jul 2007
    Location
    Houston
    Posts
    6
    I've been seeing a lot of repeat IP addresses in the BFD emails that I've been getting. They usually hit three or four times in a row, i.e. the email time stamps are 10 minutes apart, and I get about three or four emails, all with the same IP address.

    Have you ever seen this, or have any idea what could be causing it?

    I'm using v4 of your files; I just now noticed that you have a version 5 out. I'll update to that this weekend, but I'd like to know if you've got any ideas what's up with this?

    Code:
    -----Original Message-----
    From: root [mailto:root@***.******.***] 
    Sent: Wednesday, October 24, 2007 8:00 AM
    
    The remote system 220.227.240.71 was found to have exceeded acceptable login failures on
     ***.******.***; there was 242 events to the service sshd. As such the attacking host has
     been banned from further accessing this system. For the integrity of your host you should
     investigate this event as soon as possible.
    
    
    Executed ban command:
    /sbin/iptables -I INPUT -s 220.227.240.71 -j DROP
    
    The following are event logs from 220.227.240.71 on service sshd (all time stamps are GMT -0500):
    
    Oct 24 07:54:55 vps sshd[11499]: Invalid user cim88 from 220.227.240.71 
    Oct 24 07:54:55 vps sshd[11510]: Received disconnect from 220.227.240.71: 11: Bye Bye
    Oct 24 07:54:58 vps sshd[11558]: Invalid user cim from 220.227.240.71
    ...
    Code:
    -----Original Message-----
    From: root [mailto:root@***.******.***] 
    Sent: Wednesday, October 24, 2007 8:10 AM
    
    The remote system 220.227.240.71 was found to have exceeded acceptable login failures on
     ***.******.***; there was 226 events to the service sshd. As such the attacking host has
     been banned from further accessing this system. For the integrity of your host you should 
    investigate this event as soon as possible.
    
    
    Executed ban command:
    /sbin/iptables -I INPUT -s 220.227.240.71 -j DROP
    
    The following are event logs from 220.227.240.71 on service sshd (all time stamps are GMT -0500):
    
    Oct 24 08:04:27 vps sshd[7883]: Invalid user harry from 220.227.240.71 
    Oct 24 08:04:28 vps sshd[7888]: Received disconnect from 220.227.240.71: 11: Bye Bye 
    Oct 24 08:04:31 vps sshd[7917]: Invalid user ian from 220.227.240.71 
    Oct 24 08:04:31 vps sshd[7923]: Received disconnect from 220.227.240.71: 11: Bye Bye 
    Oct 24 08:04:33 vps sshd[7958]: Invalid user ian from 220.227.240.71
    ...
    Code:
    -----Original Message-----
    From: root [mailto:root@***.******.***] 
    Sent: Wednesday, October 24, 2007 8:20 AM
    
    The remote system 220.227.240.71 was found to have exceeded acceptable login failures on
     ***.******.***; there was 228 events to the service sshd. As such the attacking host has 
    been banned from further accessing this system. For the integrity of your host you should 
    investigate this event as soon as possible.
    
    
    Executed ban command:
    /sbin/iptables -I INPUT -s 220.227.240.71 -j DROP
    
    The following are event logs from 220.227.240.71 on service sshd (all time stamps are GMT -0500):
    
    Oct 24 08:14:41 vps sshd[3602]: Invalid user tweety from 220.227.240.71
    Oct 24 08:14:42 vps sshd[3607]: Received disconnect from 220.227.240.71: 11: Bye Bye
    Oct 24 08:14:44 vps sshd[3636]: Invalid user tweety from 220.227.240.71
    ...

  15. #60
    Jag Veteran thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    602
    Yes, I've seen that before. It happens when you have reached your VPS limits for "numiptent". Once you reach that limit, then all IP bans will fail.

    The solution is simple and has already been posted:

    http://www.jaguarpc.com/forums/showthread.php?t=17783


    PS:
    you'd better ask support to raise the "numiptent" limit to 1000 or more.
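A check for the condition described above, as an added example that is not from the thread: on an OpenVZ VPS the kernel reports each refused iptables entry in the failcnt column of the numiptent line in /proc/user_beancounters, so the repeat ban mails in #59 show up there as a non-zero count. The sample below is a constructed excerpt in that file's column order (uid, resource, held, maxheld, barrier, limit, failcnt).

```shell
#!/bin/sh
# Added example: detect an exhausted numiptent limit from the
# /proc/user_beancounters format. Constructed sample; numbers are made up.
SAMPLE_UBC='Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  2345678              3456789             14372700             14790164                    0
            numiptent                     200                  200                  200                  200                   57
            numproc                        45                   60                  400                  400                    0'

# ubc_resource NAME: read the beancounters on stdin and print
# "held limit failcnt" for one resource.
ubc_resource() {
    awk -v name="$1" '
        # only the first line of a container carries the "uid:" column,
        # so the resource name is $2 there and $1 on the lines that follow
        $1 == name { print $2, $5, $6; exit }
        $2 == name { print $3, $6, $7; exit }
    '
}

# ubc_exhausted NAME: true when the kernel has already refused allocations
# (failcnt > 0) or the held count sits at the limit.
ubc_exhausted() {
    set -- $(ubc_resource "$1")
    [ $# -eq 3 ] || return 1
    [ "$3" -gt 0 ] || [ "$1" -ge "$2" ]
}

if printf '%s\n' "$SAMPLE_UBC" | ubc_exhausted numiptent; then
    echo "numiptent exhausted: new iptables bans are being dropped, ask for a higher limit"
fi
```

On the VPS itself run `ubc_exhausted numiptent < /proc/user_beancounters` instead of feeding it the sample.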
