We live in a world of scumbags & hackers
Some hackers are just hacks looking for a bit of fun, you know the kind I’m talking about, the pimply faced teenagers seeking a cheap thrill, and then there are the serious hackers looking for vulnerabilities in front-end servers hoping to discover a route into back-end applications such as SQL or credit card processing mechanisms. Protecting servers is your duty to yourself & your visitors.
I have nothing for them on my servers, no credit cards and nothing of any real value, just the dribble you are reading now, but still they try on a daily basis. Perhaps their goal is to drop a payload into a web page which will infect my visitors with malicious & annoying shit. Those bastards!
Thus far the boof-heads have been unsuccessful, and thankfully there are things you can do to stop them down or at-least throw up a few roadblocks.
The most obvious task you should perform daily is check for updates for your installed packages. I know that goes without saying, but for the slackers out there I thought I’d mention it anyway.
Keep an eye on your logs
Linux and most server software keep extensive logs. If your machine farts without permission there is a log somewhere telling you when it occurred, how many decibels it was and how far & fast the smell traveled. Any Linux machines within sniffing range would also record a log with an entry along the lines of;
"9:44:34 Monday, April 6 2020 - Warning: Something smells funny!!!"
Check logs on a daily basis. Keep an eye out for repetitive entries which might be unusual for your system. Check your http, mysql, postfix and dovecot, messages logs. Check any logs relevant to you.
Here is an example of bogus activity;
64.202.189.187 - [03/Feb/2020:19:24:45 +0800] "GET /wp-login.php HTTP/1.1" 200 5644 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
64.202.189.187 - [03/Feb/2020:19:24:47 +0800] "POST /wp-login.php HTTP/1.1" 200 6484 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
142.93.125.73 - [03/Feb/2020:19:41:59 +0800] "GET /wp-login.php HTTP/1.1" 200 5644 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
142.93.125.73 - [03/Feb/2020:19:42:02 +0800] "POST /wp-login.php HTTP/1.1" 200 6484 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
144.217.72.200 - [03/Feb/2020:19:59:10 +0800] "GET /wp-login.php HTTP/1.1" 200 5644 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
144.217.72.200 - [03/Feb/2020:19:59:12 +0800] "POST /wp-login.php HTTP/1.1" 200 6484 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
139.59.235.149 - [03/Feb/2020:20:15:32 +0800] "GET /wp-login.php HTTP/1.1" 200 5644 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
139.59.235.149 - [03/Feb/2020:20:15:35 +0800] "POST /wp-login.php HTTP/1.1" 200 6484 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
46.101.63.219 - [03/Feb/2020:20:32:57 +0800] "GET /wp-login.php HTTP/1.1" 200 5644 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
In my case, I don’t allow logins to this site from anyone but me, therefore repeated access to a login script is a warning that something smells funny.
Fail2ban is Great Mate…
I have been running with Fail2ban for some time now and find it very useful for banning repeat offenders. It works by searching for predefined expressions and other tell-tail signs that something is a bit on the nose. I’m not an expert in the use of Regex and rely heavily on Google for assistance. You should do the same, it’s a great way to learn. But out of the box Fail2ban is very useful.
Fail2ban can be installed, on Centos or RHEL, using;
$ sudo yum install fail2ban-server
I’m not going into the details for setting up Fail2ban but I’ll give you a rundown on what it does.
- Checks logs for specific entries,
- Matches bogus activity with predefined rules,
- Broken rules results in banning offending IP address for specified time,
- If offender returns after being un-banned, IP address is blocked for longer.
I use the “Rich Rule” function of firewalld to block offenders for a few hours, if they continue breaching the rules they are banned for an entire month. The command used to ban, via Rich Rules, is;
$ sudo firewall-cmd --zone=drop \ --add-rich-rule="rule family=ipv4 source address= drop"
Fail2ban replaces <ip> with the IP address of the dimwitted dickhead performing the offending breach. You can choose how long they are blocked for and how long they are blocked should they continue to break the rules. Originally I blocked them for a week and then an entire year for re-offenders. I’ve relaxed that rule because I’m nice!
Firewalld & Ipset – Geo Blocking
Geo blocking means blocking entire countries based on IP address. It isn’t 100% accurate but it’s a good start. I’ve wanted to do Geo Blocking via firewalld for a long time but couldn’t figure it out until I stumbled over this page at Linode.com, thanks guys – I’ve stolen your instructions and included them here.
The first thing to do is create your blacklist;
$ sudo firewall-cmd --permanent --new-ipset=bastards \ --type=hash:net --option=family=inet \ --option=hashsize=4096 --option=maxelem=200000
Note the “–permanent” option which makes your changes permanent, but the firewall needs to be reloaded before it becomes effective. We will do that later because there are more steps we need to do first.
Next we will get some lists of IP addresses from ipdeny.com. Get your list updates once a week, if you want updates more often, contact them and ask how you can donate a few bucks.
wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz \ tar -vxzf all-zones.tar.gz
I chose to copy the resulting zone files to a folder (‘/etc/ipdeny/’) for convenience and easy updates, more on that later.
Now we are going to populate our list of bastards using the zone files downloaded above. Each zone file represents are country, for example “cn.zone” is China. Here is a list of zone files to help you.
Load China for blocking;
$ sudo firewall-cmd --permanent --ipset=bastards \ --add-entries-from-file=./cn.zone
Now all you need do is redirect offenders to your Drop Zone, meaning any IP within the ipset group will visit the Drop Zone and they will be dropped without any response at all. It will be as if you didn’t exist!
Do the redirection and reload firewalld;
$ sudo firewall-cmd --permanent --zone=drop \ --add-source=ipset:bastards $ sudo firewall-cmd --reload
If all you have done is load the China Zone, anyone accessing your server from China will be dropped silently.
You are good to go!
I do weekly maintenance & block quite a few countries from which I have continuous hacking attempts. In addition I use Geo Blocking through Nginx which I use as a Reverse Proxy with Apache at the back-end. This might be a bit of overkill but it makes me feel good about myself. I still do daily log scans and manually block anything missed by Fail2ban and Ipdeny.com.
Below is a simple script. Modify it to block which ever country has been getting up your nose and perhaps setup a cron job to run weekly updates.
cd /etc/ipdeny # Remove old all-zone.tar file & fetch new one.sudo rm /etc/ipdeny/all-zones.tar*
sudo wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz \
tar -vxzf all-zones.tar.gz
# Repeat the following for each country changing cn.zone to other country.sudo firewall-cmd --permanent --ipset=bastards \
--add-entries-from-file=/etc/ipdeny/cn.zone
sudo firewall-cmd --reload
You should see a drop in traffic from dodgy countries & fail2ban should be blocking bad guys.
View your rich rules using the following command;
$ sude firewall-cmd --list-all --zone=drop
I hope this has been helpful to someone.