I was casually doing a security audit on my blog (JeremyMorgan.com) recently and decided to look a little deeper into my security logs. With a bit ...
For further actions, you may consider blocking this person and/or reporting abuse
You should look into two things:
Seconding the fail2ban tooling - excellent support for just about anything you wish to expose to the random Internet, and you can still pull many stats from it's logs for graphing.
Curious as to how many of the IPs you are seeing attacks from are exit nodes for commercial VPNs or Tor? How many are cloud hosted VMs, or zombie personal machines? IP allocation / reverse DNS should help find this stuff out, as would services like this: ipvoid.com/ip-blacklist-check/ :)
In addition to local controls (such as fail2ban), I would also strongly encourage use of a CDN/anti-DDoS/Web App Firewall product (such as Cloudflare, Azure CDN, AWS CDN, Imperva Cloud WAF, etc.) for your outer layer or protection - they will keep up with threats waay faster than one human!
You didn't mention SSH keys and maybe you already do this, but for the benefit of others trying to secure a public-facing machine, it's best to disable password-based authentication and use ssh keys to authenticate instead. Combined with fail2ban (mentioned by Ben) it's a good way to prevent brute force attacks.
DigitalOcean has a good writeup of how to generate SSH keys and configure a Linux machine to use them.
First off, very nicely done. Love the breakdown and that IPTables loop script is awesomely useful too.
Don't they often spoof IPs so banning that stops them right now, but they're back in an hour on another IP?
Also, using the auth log, is that a guarantee these are all attacks, or is it possible some were "good guys"? [just playing devil's advocate here]
Gonna do something like this on my servers, see what I get out of it :)
I was just thinking this. They could definitely use a VPN or some other proxy to mask their IP address.
Cool writeup. There are millions of ways to do this ofcourse.
May be you want to look at google sheets API so you can mostly automate all tasks in the above list and can analyze stuff over time directly in google sheets ;)
or you can just use prometheus and grafana...haha
Please note that using
is appending your rule to the end of INPUT rules. This can be a problem if the INPUT chain has any other rules that have been applied before.
To ban an IP is better to prepend the rule at the beginning:
Althoug I prefer to create a custom chain for them, so you can prepend your custom chain to the beginning of INPUT, and append ips safely to it:
(A note on Drop versus Reject chiark.greenend.org.uk/~peterb/net...)
sshguard, fail2ban will automate this. You should try ipset instead of blocking via iptables.
One of the easiest steps (next to the already mentioned) is using a different port for ssh. This way these automated attacks won't happen anymore.
Additionally fail2ban and you're set.
Disclaimer: I know this won't stop a dedicated attacker, but it will stop the automated attacks and scans.
Blocking IP addresses of attackers is a lost battle. It's incredibly easy for attackers to get a different IP...
I wrote (in 2016) an article with 3 simple tricks (that don't require installing any other app, like fail2ban) that have been working great for me to stop tentative brute force attacks: withblue.ink/2016/07/15/stop-ssh-b... TL;DR: use SSH keys, rate-limit connections to port 22 (using iptables), and/or change the SSH default port.
You don't need to pipe the log to
grepwithcatsince grep will take a file input as a second parameter.grep "$i" /var/log/secure | ...Thanks for the great write up.
Hello,
Very nice job. Great script and ideas. I know the point of your text was to illustrate the script and the automation behind it, but since you used a real life situation, I'd like to offer my two cents on that.
Instead of adding those IP addresses to an iptables script like that, you could try to take advantage of cloudflare's free plan to defend your vps. I'm not their employee, just a happy user. I manage small cloud servers as a side job and their firewall allows you to add a small captcha to validate a connection instead of simply blocking it. And you can create rules for specific countries. If you block an IP, there's no way for it to reach your website, even if it's a legitimate connection. A captcha is boring for the users, but it costs them only one click ;)
would make a great grafana dashboard.
I'd never heard of Grafana until now, but I'd have to agree! Thanks for the recommendation
What kind of attack are your website getting? Login attempt? DDOS?
Thanks. It was interesting to learn about such a way to stop web attacks.
Really interesting read.
These are some GREAT tips! I'm saving this for the future. Thanks!
good article.
Nice write up, thanks for sharing the scripts!
I see similar attacks from China on all the servers I run.
Yeah, these are automated attacks, likely someone scanning a whole IP range. I haven't locked up this server as tight as others in the past, but in my next move, I'll probably see it a lot less.
Good article Jeremy.