brute force attacks and iptables

Line Yoble

Hello,

There is something I don't understand (but I am far from an expert).
I receive a lot of brute force attack messages from DirectAdmin (and more and more each day - about thirty a day currently).
So, I manually use iptables in order to drop packets coming from the IP addresses listed in the messages (iptables -A INPUT -s IP_Address -j DROP).
Yes, I have seen it is possible to automatically add these IP addresses to iptables, but I must first fix my problem.
And when I use the 'iptables -L' command, all the added IP addresses are there and listed.

Then, after the iptables command, I continue receiving messages for the same addresses.
Shouldn't the iptables command completely block the attacks from these addresses?
Am I wrong somewhere?

Thanks for your help.

Line
 
I think it's because DA doesn't check if the IP is banned but just checks the logs.

The notification should be about a count of attacks in the logs, but I must say the number should not increase after the ban.

Maybe as a test you should ban yourself (be sure to have a way to get back to the server, or ban for 10 mins) to see if your iptables is actually working correctly.

Regards
 
Hello,

Post here the results of

Code:
iptables-save

with the added IP (the one you wanted to block). I guess you should change the order of the rules.

Shouldn't the iptables command completely block the attacks from these addresses?
Am I wrong somewhere?
Line
 
OK zEitEr, I'll do it, but late this evening, when I can have SSH access to my server again.
Thanks.

@SeLLeRoNe
Am I wrong again if I suppose that there won't be any log for blocked IP addresses?
 
You should have something in /var/log/messages

Also, I would suggest you check out CSF Firewall; it will help with managing and is compatible/integrated with DirectAdmin.

It depends on your OS whether it is compatible for installation or not.

Regards
 
Hello zEitEr,

Here is the complete list of my iptables commands, as asked:

# Generated by iptables-save v1.4.2 on Fri Jun 15 22:18:51 2012
*filter
:INPUT DROP [1061575:62463766]
:FORWARD DROP [0:0]
:OUTPUT DROP [20274918:1764072733]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 2147 -j fail2ban-ssh
-A INPUT -d 91.121.72.189/32 -p tcp -m tcp --dport 80 -m string --string "GET /w00tw00t.at.ISC.SANS." --algo bm --to 70 -j DROP
-A INPUT -d 91.121.72.189/32 -p tcp -m tcp --dport 80 -m string --string "Host: 91.121.72.189" --algo bm --to 700 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2147 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2552 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -p tcp -j LOG --log-prefix "INPUT_TCP "
-A INPUT -p udp -j LOG --log-prefix "INPUT_UDP "
-A INPUT -s 60.169.75.229/32 -j DROP
-A INPUT -s 117.24.20.42/32 -j DROP
-A INPUT -s 14.150.174.216/32 -j DROP
-A INPUT -s 60.169.75.229/32 -j DROP
-A INPUT -s 59.41.167.33/32 -j DROP
-A INPUT -s 58.61.239.51/32 -j DROP
-A INPUT -s 108.163.176.210/32 -j DROP
-A INPUT -s 59.42.116.172/32 -j DROP
-A INPUT -s 61.147.11.19/32 -j DROP
-A INPUT -s 46.20.117.47/32 -j DROP
-A INPUT -s 222.186.23.9/32 -j DROP
-A INPUT -s 61.147.110.19/32 -j DROP
-A INPUT -s 61.19.71.179/32 -j DROP
-A INPUT -s 93.116.129.108/32 -j DROP
-A INPUT -s 201.131.117.3/32 -j DROP
-A INPUT -s 202.100.72.168/32 -j DROP
-A INPUT -s 213.227.39.134/32 -j DROP
-A INPUT -s 221.234.43.164/32 -j DROP
-A INPUT -s 61.140.62.17/32 -j DROP
-A INPUT -s 59.42.116.46/32 -j DROP
-A INPUT -s 58.53.128.91/32 -j DROP
-A INPUT -s 183.5.152.144/32 -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2147 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2552 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp -j LOG --log-prefix "OUTPUT_TCP "
-A OUTPUT -p udp -j LOG --log-prefix "OUTPUT_UDP "
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Fri Jun 15 22:18:51 2012

As I'm far from an expert, I can't see whether there is any problem here: all my DROP commands are there.

Thanks for your help.

Best regards.

Line
 
Thanks for your help, zEitEr.
After having put my iptables commands here, I saw that the DROP commands were before the ACCEPT commands, which was not logical.
So, this morning, I began reading more docs about iptables and understood just two hours ago how to change the order of these commands.
Your last answer above came just after I had added two DROP commands just before the ACCEPT commands.
I'm now waiting for the results, hoping I won't receive any more brute force attack messages for the two IPs I have added.

Thanks again for having put the light on!

Line
 
Gasp! It seems it had no effect...
I just got the following message from directadmin:
Brute-Force Attack detected in service log from IP(s) 222.186.20.48, 61.147.110.19, 61.160.247.182 on...

And my first three INPUT lines of iptables are:
-A INPUT -s 61.147.110.19/32 -j DROP
-A INPUT -s 222.186.20.48/32 -j DROP
-A INPUT -s 61.160.247.182/32 -j DROP

Any other idea?

Thanks.
 
Post here the results of

Code:
# iptables -L -v

This should show the packet and byte counters for each rule of iptables.
 
zEitEr, strangely, the brute force attack message I got early this morning was dated 14/06! So, it was sent before I followed your instructions, putting the DROP orders before the ACCEPT orders.
After this one, I received no more directadmin messages.
And now using the -L -v (minus v) iptables parameters, the counters showed a total of nearly 50 packets blocked for the three dropped IPs (and a total of 0 packets for the remaining dropped IPs I didn't move from their place after the ACCEPT orders).
This is clear proof of my mistakes.
Thanks again for your help !
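The ordering problem the thread settles on (a `-A ... -j DROP` appended below a source-agnostic `ACCEPT` is never reached, because iptables stops at the first matching rule) can be checked mechanically against `iptables-save` output. The script below is an added example, not code from the thread or from DirectAdmin; the sample dump is a shortened copy of the rules posted above, and the "shadowed" heuristic is deliberately conservative (any ACCEPT in the chain that does not name a source counts as shadowing).

```python
import re

# Shortened from the iptables-save dump posted in this thread: the source-only
# DROP rules sit below ACCEPT rules that do not restrict the source address.
SAMPLE_DUMP = """*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2147 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -j LOG --log-prefix "INPUT_TCP "
-A INPUT -s 61.147.110.19/32 -j DROP
-A INPUT -s 222.186.20.48/32 -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Return (chain, rule_text) for every -A line, in evaluation order."""
    rules = []
    for line in dump.splitlines():
        m = re.match(r"^-A\s+(\S+)\s+(.*)$", line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def shadowed_drops(dump):
    """Source-only DROP rules placed below a source-agnostic ACCEPT in the same chain.

    iptables is first-match: once an earlier ACCEPT that names no source has
    accepted the packet, a later '-s X -j DROP' is never consulted.
    """
    first_accept = {}  # chain -> index of first ACCEPT with no -s / -d match
    shadowed = []
    for idx, (chain, rule) in enumerate(parse_rules(dump)):
        padded = " " + rule  # so a leading '-s' is also found
        if rule.endswith("-j ACCEPT") and " -s " not in padded and " -d " not in padded:
            first_accept.setdefault(chain, idx)
        m = re.match(r"^-s (\S+) -j DROP$", rule)
        if m and chain in first_accept and idx > first_accept[chain]:
            shadowed.append((chain, m.group(1)))
    return shadowed


def fix_commands(dump):
    """Commands that move each shadowed DROP to the top of its chain (-I instead of -A)."""
    cmds = []
    for chain, src in shadowed_drops(dump):
        cmds.append(f"iptables -D {chain} -s {src} -j DROP")
        cmds.append(f"iptables -I {chain} -s {src} -j DROP")
    return cmds


if __name__ == "__main__":
    for cmd in fix_commands(SAMPLE_DUMP):
        print(cmd)
```

Run it against a real `iptables-save` dump by reading the file into `dump` instead of `SAMPLE_DUMP`; after applying the printed commands, `iptables -L INPUT -v -n` should show the packet counters on the moved DROP rules climbing, as the last post in the thread reports.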
 