knightdogs

VSFTP log file and blocking ip's of failed log in attempts

In my log file I have the below entries:

Apr  1 12:00:02 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:02 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:05 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:05 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:08 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:08 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:11 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:11 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:14 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:14 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3
Apr  1 12:00:16 mail2 vsftpd(pam_unix)[16257]: check pass; user unknown
Apr  1 12:00:16 mail2 vsftpd(pam_unix)[16257]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.182.50.3

I have entries like this where the same IP will sit there and pound on my server for 4-8 hrs, not getting in from what I see in the log, but then the next night it will start again.

So here is what I want to do:

1. How do I run a job that will look at the log every 2 minutes and check IPs, and if it encounters the same IP more than 5 times copy the IP over to the etc/host.deny file?

What I am trying to do there is block the IP.

2. Clear the etc/host.deny file of all the blocked IPs every 15 minutes.

What I am trying to do there is clear up any blocked IPs until they are caught by the above action.

What I am using is vsftpd on an FC4 machine.

Or is there a better way to do this? Another program that automates it for me?
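An added example of the cron-driven approach asked for above, written by the editor as a POSIX shell script; it is not code from the thread. It counts `vsftpd(pam_unix)` authentication failures per `rhost` in the log, writes offenders into a marked block of hosts.deny in the tcp_wrappers `daemon: client` form, and clears only that block so hand-written entries survive. The log path (/var/log/secure, where Fedora's syslog delivers the authpriv facility), the threshold, the install path and the marker comments are assumptions. Two caveats: hosts.deny only affects vsftpd when it was built with tcp_wrappers support and `tcp_wrappers=YES` is set in vsftpd.conf (or vsftpd runs under xinetd), and an IP removed at the 15-minute clear can reconnect until the next 2-minute scan counts it again.

```shell
#!/bin/sh
# vsftpd-deny.sh: editor's example, not code from the thread.
# Assumed paths and values; override them through the environment.
LOG_FILE="${LOG_FILE:-/var/log/secure}"      # where pam_unix (authpriv) lines land on Fedora
DENY_FILE="${DENY_FILE:-/etc/hosts.deny}"
THRESHOLD="${THRESHOLD:-5}"                   # deny after more than this many failures
MARK_BEGIN="# BEGIN vsftpd-deny (managed block)"
MARK_END="# END vsftpd-deny"

# Print, one per line, every rhost that appears in more than THRESHOLD
# "vsftpd(pam_unix)[pid]: authentication failure ... rhost=IP" lines of LOGFILE.
# Lines from other PAM services, or without an rhost value, are ignored.
offending_hosts() {   # usage: offending_hosts LOGFILE THRESHOLD
    awk -v thr="$2" '
        /vsftpd\(pam_unix\)\[[0-9]+\]: authentication failure/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^rhost=./) { split($i, kv, "="); n[kv[2]]++ }
        }
        END { for (ip in n) if (n[ip] > thr + 0) print ip }' "$1" | sort
}

# IPs currently inside the managed block of DENY_FILE (nothing if no block).
denied_hosts() {
    [ -f "$DENY_FILE" ] || return 0
    awk -v b="$MARK_BEGIN" -v e="$MARK_END" '
        $0 == b { inblk = 1; next }
        $0 == e { inblk = 0; next }
        inblk && $1 == "vsftpd:" { print $2 }' "$DENY_FILE"
}

# Drop the managed block; hand-written hosts.deny entries are left alone.
clear_denied() {
    [ -f "$DENY_FILE" ] || return 0
    tmp="$DENY_FILE.tmp.$$"
    awk -v b="$MARK_BEGIN" -v e="$MARK_END" '
        $0 == b { inblk = 1; next }
        $0 == e { inblk = 0; next }
        !inblk { print }' "$DENY_FILE" > "$tmp" && mv "$tmp" "$DENY_FILE"
}

# Rewrite the managed block as the union of what is already denied and the
# IPs read from stdin, in tcp_wrappers "daemon: client" form.
deny_hosts() {
    new=$( { denied_hosts; cat; } | sort -u )
    clear_denied
    [ -n "$new" ] || return 0
    {
        echo "$MARK_BEGIN"
        echo "$new" | awk '{ print "vsftpd: " $1 }'
        echo "$MARK_END"
    } >> "$DENY_FILE"
}

# Intended cron entries (assumed install path /usr/local/sbin/vsftpd-deny.sh):
#   */2  * * * * root /usr/local/sbin/vsftpd-deny.sh scan
#   */15 * * * * root /usr/local/sbin/vsftpd-deny.sh clear
case "${1:-}" in
    scan)  offending_hosts "$LOG_FILE" "$THRESHOLD" | deny_hosts ;;
    clear) clear_denied ;;
esac
```

The script counts the whole log file, so an IP stays over the threshold until the log rotates and is re-added two minutes after every clear; that is the cycle the question asks for, but a longer-lived ban would be better done by restricting the count to a time window or by blocking at the packet filter.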
slyong

iptables can be used to detect such attacks. You can get a reference here: http://blog.andrew.net.au/2005/02/16

Just change the --dport 22 to --dport 21 (for FTP).
knightdogs (ASKER)

slyong,
I looked at that site; are you suggesting adding the following to iptables?

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

Hi,

Use port 21 instead of port 22 and FTP instead of SSH as follows:

iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j ULOG --ulog-prefix FTP_brute_force
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP
slyong
I entered the first line, and when I entered the second line I got this error:

[root@mail2 ~]# iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name ftp
[root@mail2 ~]# iptables -A INPUT -p tcp --dport 21 -j ftp_whitelist
iptables v1.3.0: Couldn't load target `ftp_whitelist':/lib/iptables/libipt_ftp_whitelist.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.

Where do I need to create the ftp_whitelist file? And what exactly do I need to name it?

K
Sorry, I didn't make this part clear. If you wish to use the whitelist, you need to have this:

iptables -N FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j ULOG --ulog-prefix FTP_brute_force
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP

I would suggest you use upper case as in the example above to avoid confusion.
slyong,
I have entered it just as you typed it and restarted the system. How will I know if the rules are there and working? iptables -L and look for them? Also, where will the FTP_WHITELIST file be located?
Also, any suggestions on how to test it other than just messing up a few logins to see if it locks me out?

I would also guess that in my log files, if this is working, I should see a great decrease in the failed attempts, correct?

Please forgive the newb questions, and thank you for your time and effort on this. I respect your knowledge and the effort it has taken to get you to this point and to help me.

K
Hi K,

Sorry that I didn't explain in detail. Let me do that now:

1) What you have described is called a brute force attack. There are a few ways to "try" to counter that:
    (a) Change the FTP port to something other than port 21. This works 90% of the time because most brute force attacks (90% of them) are launched from automated scripts that just scan for FTP services (which are on port 21).
    (b) Using iptables, as we are doing now.

2) iptables is a whole world of knowledge by itself. I would suggest you read up on iptables if you can. For what we are doing, I will explain it here:
    (a) Actually, what we really need for this to work is just 2 lines:
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP

          The first line tells iptables to keep a record, under the name FTP, whenever there is a new connection to port 21. This name is used later on the second line. The second line states that if there are 4 consecutive attempts to connect to port 21 within a time frame of 60 seconds, stop the access from that IP.
    (b) The rest of the lines:
          iptables -N FTP_WHITELIST  **creates FTP_WHITELIST (this is not from a file); it works like internal storage.
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST  **this line makes sure that the IPs in FTP_WHITELIST are not blocked
          iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j LOG --log-prefix FTP_brute_force  **this creates a log entry (normally in /var/log/messages, depending on your syslog.conf), so that you know someone is blocked. Note that I changed this line a bit by using LOG and --log-prefix instead of ULOG and --ulog-prefix. ULOG is a user-space log, ulogd, which has to be installed separately. LOG just uses the standard syslog that comes with most Linux distributions (including FC4).

3) Now, for iptables, you need to save the rules before you reboot your machine. This can be done by issuing the command:
    # service iptables save
to save whatever you have typed into the command line.

4) The FTP_WHITELIST is not a file; it works like internal storage, so if you want to add an IP to the FTP_WHITELIST, you have to use the command:
    iptables -A FTP_WHITELIST -s 123.123.123.123 -m recent --remove --name FTP -j ACCEPT
where 123.123.123.123 is the machine that you want to include in the FTP_WHITELIST (and remember to save the rules).

So, to do everything, you will have something like this:

iptables -N FTP_WHITELIST
iptables -A FTP_WHITELIST -s 123.123.123.111 -m recent --remove --name FTP -j ACCEPT
iptables -A FTP_WHITELIST -s 123.123.123.222 -m recent --remove --name FTP -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j FTP_WHITELIST
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j LOG --log-prefix FTP_brute_force
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name FTP -j DROP

Then, to ensure that it works, look in your /var/log/messages for messages starting with FTP_brute_force, as well as in your FTP log, to see if those IPs are blocked out.

Regards,
slyong
slyong,
I had added the previous entries before your last post. I had saved the entries and restarted the machine. Here is what my iptables -L shows:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW recent: SET name: FTP side: source
FTP_WHITELIST  tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW
ULOG       tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW recent: UPDATE seconds: 120 hit_count: 4 TTL-Match name: FTP side: source ULOG copy_range 0 nlgroup 1 prefix `FTP_brute_force' queue_threshold 1
DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW recent: UPDATE seconds: 120 hit_count: 4 TTL-Match name: FTP side: source


I went in and tried to FTP in 8 times and it let me, with a wrong user and pass, so I guess I messed up something.

I looked in my logs and saw where I had tried to log in and failed. Can you point out where I messed up?


K
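Two things in the thread explain the eight failures getting through, and the added script below addresses both. In the `iptables -L` listing above, the first rule in INPUT jumps to RH-Firewall-1-INPUT, Fedora Core's default firewall chain, which ends by accepting or rejecting every packet it sees; the four rules appended with `-A INPUT` sit after that jump and are never consulted. Separately, `-m recent` counts new TCP connections from a source, not USER/PASS failures inside an already open session, and every burst in the logs posted here carries a single vsftpd PID, which is consistent with one session. Where the installed vsftpd supports it, `max_login_fails` in vsftpd.conf closes the session after that many failures, so a guesser has to reconnect and each reconnection becomes a hit the rule can see. The script is the editor's example, not code from the thread or from slyong: it puts the ruleset explained in slyong's post into its own chain hooked in at position 1 of INPUT and adds the checks asked for above. The iptables path, the 60-second window, the hit count of 4 and the chain name are assumptions; `DRY_RUN=1` prints the commands instead of applying them.

```shell
#!/bin/sh
# ftp-throttle.sh: editor's example, not code from the thread.
# Installs the "recent" rate limit in its own chain and hooks it in at
# position 1 of INPUT, ahead of Fedora's RH-Firewall-1-INPUT jump.
IPT="${IPT:-iptables}"
SECONDS_WINDOW="${SECONDS_WINDOW:-60}"   # assumed: same values as the thread
HITS="${HITS:-4}"

# Apply a rule, or with DRY_RUN=1 print the command that would be applied.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# usage: install_ftp_throttle [whitelisted-ip ...]
# Re-running it needs "iptables -D INPUT 1; iptables -F FTP_THROTTLE;
# iptables -X FTP_THROTTLE" first, since -N fails if the chain already exists.
install_ftp_throttle() {
    run -N FTP_THROTTLE
    # Whitelisted sources leave the chain before they are ever counted, so
    # they need no --remove; RETURN hands them to the existing firewall.
    for ip in "$@"; do
        run -A FTP_THROTTLE -s "$ip" -j RETURN
    done
    # Record this source in the FTP list, then log and drop it if the list
    # already holds HITS new connections from it inside SECONDS_WINDOW seconds.
    run -A FTP_THROTTLE -m recent --set --name FTP
    run -A FTP_THROTTLE -m recent --update --seconds "$SECONDS_WINDOW" \
        --hitcount "$HITS" --rttl --name FTP -j LOG --log-prefix "FTP_brute_force "
    run -A FTP_THROTTLE -m recent --update --seconds "$SECONDS_WINDOW" \
        --hitcount "$HITS" --rttl --name FTP -j DROP
    # Only new TCP connections to port 21 enter the chain; anything not
    # dropped falls off the end of it and continues through INPUT as before.
    run -I INPUT 1 -p tcp --dport 21 -m state --state NEW -j FTP_THROTTLE
    # Persist across reboots, as in the thread:  service iptables save
}

# Answers "is it counting?": per-rule packet counters, the position of the
# jump in INPUT, and the recent module's own table of sources it has seen
# (ipt_recent on older 2.6 kernels, xt_recent on newer ones).
show_ftp_throttle() {
    "$IPT" -L FTP_THROTTLE -v -n
    "$IPT" -L INPUT -n --line-numbers | head -n 4
    for f in /proc/net/xt_recent/FTP /proc/net/ipt_recent/FTP; do
        [ -r "$f" ] && { cat "$f"; break; }
    done
    return 0
}

case "${1:-}" in
    install) shift; install_ftp_throttle "$@" ;;
    show)    show_ftp_throttle ;;
esac
```

To test without locking yourself out, pass your own address as a whitelist argument, then open four FTP connections from another host within a minute: the fourth should hang, a `FTP_brute_force` line should appear in /var/log/messages, and `show` should report a non-zero packet count on the DROP rule and list the source in the recent table.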
ASKER CERTIFIED SOLUTION
slyong

This solution is only available to members.
slyong,
I have done what you said 2 times and it is still not working. Here is what my log is showing:

Apr  8 23:45:41 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:41 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:44 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:44 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:47 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:47 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:49 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:49 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:52 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:52 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:55 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:55 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:45:57 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:45:57 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98
Apr  8 23:46:00 mail2 vsftpd(pam_unix)[19915]: check pass; user unknown
Apr  8 23:46:00 mail2 vsftpd(pam_unix)[19915]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=62.45.52.98

Is there somewhere I can check to make sure it is logging and counting the login attempts?

Dennis