This is a discussion on Installed BFD in addition to APF, I get some weird bans in the VPS & Dedicated forum

  1. #1
    JPC Senior Member
    Join Date
    Aug 2006
    Posts
    61

    Installed BFD in addition to APF, I get some weird bans

    I am using the rules posted on this forum for BFD by thisisit. What is BFD banning here? It would seem the culprit is 200.123.133.161? Why is it dropping 0?



    The remote system euid=0 was found to have exceeded acceptable login failures on MYSERVER; there was 104 events to the service sshd. As such the attacking host has been banned from further accessing this system. For the integrity of your host you should investigate this event as soon as possible.

    Executed ban command:
    /sbin/iptables -I INPUT -s euid=0 -j DROP

    The following are event logs from euid=0 on service sshd (all time stamps are GMT -0500):

    Nov 11 05:43:44 vps sshd[9451]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:43:48 vps sshd[9507]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:43:52 vps sshd[9535]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:43:55 vps sshd[9563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:43:59 vps sshd[9604]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:03 vps sshd[9706]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:08 vps sshd[9796]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:12 vps sshd[9873]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:15 vps sshd[9982]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:19 vps sshd[10024]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:23 vps sshd[10088]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:26 vps sshd[10165]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:30 vps sshd[11271]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:34 vps sshd[11333]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:38 vps sshd[11417]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:41 vps sshd[11482]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:45 vps sshd[11524]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:49 vps sshd[11567]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:52 vps sshd[11613]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:55 vps sshd[11696]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:44:59 vps sshd[11740]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:45:02 vps sshd[11898]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:45:06 vps sshd[12241]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:45:09 vps sshd[13369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:45:12 vps sshd[13419]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:45:16 vps sshd[13483]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:45:20 vps sshd[13546]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:45:24 vps sshd[13591]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:45:27 vps sshd[13672]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:45:31 vps sshd[13709]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:45:35 vps sshd[13746]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=200.123.133.161 user=root
    Nov 11 05:45:38

    Now what is this one about? I want to make sure that legitimate members are not getting banned.


    Executed ban command:
    /sbin/iptables -I INPUT -s 207.47.14.138 -j DROP

    The following are event logs from 207.47.14.138 on service apache-exploits (all time stamps are GMT -0500):

    [Sat Nov 10 09:16:11 2007] [error] [client 207.47.14.138] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind)
    [Sat Nov 10 09:16:11 2007] [error] [client 207.47.14.138] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind)
    [Sat Nov 10 09:16:11 2007] [error] [client 207.47.14.138] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind)

  2. #2
    Loyal Client thisisit3's Avatar
    Join Date
    Mar 2007
    Posts
    642
    The first part you posted shows that something is WRONG. The grep command didn't get the IP address part, instead it got a random parameter, which is not what you want.

    It seems we have different sshd output for some reason, which operating system are you using (and which version)? I'm using various versions of CentOS (4.4, 4.5 etc).

    Now, the second part you posted is correct, it detected someone scanning your system for vulnerabilities. He used the "DFind" tool to scan your system, which was detected by BFD and the IP address was banned. No problems there, everything is working perfectly.
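    As an added illustration of the mismatch thisisit3 describes (this is example code, not the thread's BFD rule or anything shipped with BFD), the shell below shows how a rule that picks a fixed whitespace field out of the sshd line yields the IP on the older "Failed password ... from" format but "euid=0" on the CentOS 5 pam_unix format, and how matching on rhost= instead recovers the address on both. The field position $11 is an assumption about what the misbehaving rule did (the thread does not show it), and the two log lines and the 192.0.2.10 address are constructed.

```shell
#!/bin/sh
# Constructed sample lines (not from the thread). The first is the older
# "Failed password" sshd format, the second the pam_unix format from the post.
OLD_FORMAT='Nov 11 05:43:44 vps sshd[9451]: Failed password for root from 192.0.2.10 port 4242 ssh2'
PAM_FORMAT='Nov 11 05:43:44 vps sshd[9451]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root'

# Assumed behaviour of the misbehaving rule: take the 11th whitespace field.
# On the old format that is the IP; on the pam_unix format it is "euid=0".
naive_host() {
    printf '%s\n' "$1" | awk '{print $11}'
}

# Pattern-based extraction: prefer the value after "rhost=", else the token
# after " from ". Field positions no longer matter.
robust_host() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*rhost=\([^ ]*\).*/\1/p' -e t \
        -e 's/.* from \([^ ]*\).*/\1/p'
}

# Accept only a dotted quad, so a parsing bug can never reach the firewall
# as "-s euid=0".
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the ban command (printed, not executed) only for a validated address.
ban_command() {
    is_ipv4 "$1" || return 1
    printf '/sbin/iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Count failures per remote host from log lines on stdin, mixed formats allowed.
count_failures() {
    while IFS= read -r line; do robust_host "$line"; done |
        sort | uniq -c | awk '{print $1, $2}'
}

# Demo on the constructed samples.
echo "naive:  $(naive_host "$OLD_FORMAT") / $(naive_host "$PAM_FORMAT")"
echo "robust: $(robust_host "$OLD_FORMAT") / $(robust_host "$PAM_FORMAT")"
ban_command "$(naive_host "$PAM_FORMAT")" || echo "refused: not an IPv4 address"
printf '%s\n%s\n' "$OLD_FORMAT" "$PAM_FORMAT" | count_failures
```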

  3. #3
    JPC Senior Member
    Join Date
    Aug 2006
    Posts
    61
    Quote Originally Posted by thisisit3
    The first part you posted shows that something is WRONG. The grep command didn't get the IP address part, instead it got a random parameter, which is not what you want.

    It seems we have different sshd output for some reason, which operating system are you using (and which version)? I'm using various versions of CentOS (4.4, 4.5 etc).

    Now, the second part you posted is correct, it detected someone scanning your system for vulnerabilities. He used the "DFind" tool to scan your system, which was detected by BFD and the IP address was banned. No problems there, everything is working perfectly.
    Thanks for the prompt reply; this is the info from cPanel:


    WHM 11.2.0 cPanel 11.11.0-S16999
    CENTOS Enterprise 5 i686 - WHM X v3.1.0
