Solved Many connections from amazonaws? And Abuseipdb config to block abusers.

Richard G
Anyone a clue?
For a couple of weeks now, almost daily and on at least 2 servers, I get messages like the one below from the CSF firewall.

Never had them before, but it seems amazonaws IPs are opening massive numbers of connections, often over 1000, most of them TIME_WAIT connections like this:

[screenshot of the CSF connection tracking mail]

In this case 1377 connections, it's always to port 443, so one would think to a website.
But when I do a grep on the ip, I can't find anything in the syslog or httpd logs or domain logs.
In /var/log/httpd/domains I tried cat * | grep 3.231.22.147 but found nothing. Same in /var/log or /var/log/directadmin. Only in /var/log do I get output, from lfd.log:
Mar 19 22:15:39 server23 lfd[30687]: (CT) IP 3.231.22.147 (US/United States/ec2-3-231-22-147.compute-1.amazonaws.com) found to have 1377 connections - *Blocked in csf* for 14400 secs [CT_LIMIT]

It seems only the firewall sees this and blocks this, so I don't know where this is going.
And this happens multiple times a day and from multiple amazonaws IP addresses.

Now I can disable these mails, but amazonaws is the only one causing these, so this seems not right. I can't file an abuse report, because they want a piece of the corresponding log, which I don't have, because I can't find anything.

Does anyone have an idea where to look?
 
I have been seeing that for a while, they are normally scanning SMTP/POP/IMAP, but sometimes also HTTP/HTTPS/telnet/ssh/dns lookups/etc... I just add the hosts to my router BGP black hole with a 30 day timeout. Also see the same activity from a few other sources and do the same... I have tried to report the activity and nothing ever becomes of it.
 
It's been going on for several weeks now and I got a bit fed up with it. So I also filed a complaint with abuse asking what the meaning of this was.
The only thing I got a response to was a port scanning report, for which I could provide the log.

As for these thousands of connections, they replied that they needed parts of the log and the duration, which I can't provide as stated. I explained this to them and heard nothing more about it.

I've seldom seen any IPs getting over the CT limits. I might indeed try to block them at the datacenter router for 30 days. Just wondering if they won't just use other IP addresses, as I have now already seen around 8 of them.

Can this use resources like a ddos?
Or can I just change CT_SKIP_TIME_WAIT = "0" to 1 to ignore the TIME_WAIT connections, which make up most of them, and forget about it if it doesn't come back with other states?
 
So it really is abusive. Well, I got some more from last week. :)

Most of them were already reported to Amazon abuse, but if they don't do anything about it, we do the naming and shaming.

I suggest to use abuseipdb.com both to report and retrieve lists of abusive ips.
I'll have a look at that and see if I can also use this in CSF, that would be nice. Hopefully not too many false positives.
 
@pat0 Hmmz... most likely these cannot be reported... this is from the reporting policy of abuseipdb.
Report MUST NOT be of an attack where the source address is likely spoofed i.e. SYN floods and UDP floods. TCP connections can only be reported if they complete the three-way handshake.
And in fact, as far as I can see, since it's only SYN_RECV and TIME_WAIT in the CSF mails, it looks like a SYN flood to me, so not allowed to be reported. :(
Or am I mistaken?
 
Doesn't have an option like that.
[screenshot]

But I see that they often use "Brute-Force" and "DDoS Attack" and just add the part of the CSF log about the multiple connections:
[screenshot]

So it seems they don't look to be bothered by the policy.
This IP also has an abuse rate of 69%.

I just might try. In any case I registered and used their database in my CSF firewall so maybe it will slow down now.
 
I registered and used their database in my CSF firewall so maybe it will slow down now.
Very good, consider becoming an active reporter! (Reports can be fed automatically by CSF via a script.) We do :)
 
please can you provide your solution? Thanks!
Sure :

Reporting to AbuseIPDB (Optional)

1.) Create an executable script that reports to AbuseIPDB.

Below is a usable script. You can of course write your own in whatever language you prefer. Since CSF uses Perl, the public script we display here is written in Perl. A shell or Python version is also available.

#!/usr/bin/perl
# This file was written as an executable to be used in the auto report function
# of csf and lfd. By replacing the value of $YOUR_API_KEY below with your
# abuseipdb api key, you can use this code to integrate your csf system with
# abuseipdb.com
use strict;
use warnings;
use HTTP::Tiny;
use JSON;

# Declared so the script compiles under 'use strict'; replace the placeholder
my $YOUR_API_KEY = 'YOUR_API_KEY';

# Gather the information from the commandline passed by lfd
# (argument order: ip, ports, permanent, inout, timeout, message, logs, trigger)
my $ports   = $ARGV[1];
my $inout   = $ARGV[3];
my $message = $ARGV[5];
my $logs    = $ARGV[6];
my $trigger = $ARGV[7];
my $comment = $message . "; Ports: " . $ports . "; Direction: " . $inout
    . "; Trigger: " . $trigger . "; Logs: " . $logs;

my $ua   = HTTP::Tiny->new;
my $url  = 'https://api.abuseipdb.com/api/v2/report';
my $data = {
    ip         => $ARGV[0],
    comment    => $comment,
    categories => 14
};
my %options = (
    headers => {
        "Key"    => $YOUR_API_KEY,
        "Accept" => "application/json"
    },
);
my $response = $ua->post_form($url, $data, \%options);
my $json     = JSON->new;
# On a connection failure HTTP::Tiny returns status 599 with plain text in
# 'content', which is not JSON; fall back to printing it as-is in that case
my $output   = eval { $json->pretty->encode($json->decode($response->{'content'})) }
    // $response->{'content'};
if ($response->{'status'} == 200) {
    print "Report Successful!\n" . $output;
} elsif ($response->{'status'} == 429) {   # rate limited
    print $output;
} elsif ($response->{'status'} == 422) {   # validation error (bad ip/comment)
    print $output;
} elsif ($response->{'status'} == 401) {   # invalid or missing API key
    print $output;
}
And then make the script file executable using

chmod +x


2.) Set the BLOCK_REPORT variable in /etc/csf.conf to the executable script file.



BLOCK_REPORT = "/path/to/abuseipdb_report.pl"


And a note from CSF's readme.txt:

lfd launches the BLOCK_REPORT in a forked process which terminates after 10 seconds if not completed by then. It runs under the root account, so great care should be exercised with regard to security of the BLOCK_REPORT script.
 
I implemented the script last night after my reply. Hopefully it won't report my users if they make some password mistakes, and I won't get too many false positives.
However.... today no amazonaws attacks until now.
 
If you automate reporting to AbuseIPDB,
be careful: censor your server IP or usernames in the "$logs" comment, or just don't include it in the comment.

Because sometimes a customer might put a password in the username field and accidentally expose the password to the whole world, or a hacker might find sensitive usernames that sometimes show up in the logs.
 
I don't know too much about Perl, because I write PHP scripts, and I just did it via a simple function to censor my server IPs.

Code:
$ips = array('1.1.1.2','1.1.1.3');
$comment = str_replace( $ips, '***', $comment);

But after around 1 year of usage I found out that some sensitive usernames had leaked to the world, so I decided to remove "$logs" from the comment, because I have no idea how to remove all usernames contained in the log due to its many different formats.
 
I don't know anything about scripting at all.... not my thing. So you created your own script?

Do I need to just add the code you posted? Or is that the code from your script?
And for removing the $logs,
. "; Trigger: " . $trigger . "; Logs: " . $logs;
do I remove the whole line here or only the . $logs; part?

Maybe I can better not use the autoreport function and report manually what is needed. :rolleyes:
 
It's my script; just removing "$logs" should be fine enough.

I just converted the Perl script into a PHP script and wrote it into my own code, because I want to adjust the category for reporting.
Port scanning, brute force, DDoS, etc. should be set to the correct category.
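An added example (not the forum's, CSF's or AbuseIPDB's code) that combines the BLOCK_REPORT script above with the two points raised in this thread: redacting the server's own IPs and usernames from the "$logs" part before it leaves the box, and choosing the AbuseIPDB category from the lfd trigger. The trigger-to-category table and the username regex are my own assumptions; the argument positions are the ones the Perl script reads from @ARGV.

```python
#!/usr/bin/env python3
"""BLOCK_REPORT handler for csf/lfd that reports a blocked IP to AbuseIPDB.
lfd passes: ip ports permanent inout timeout message logs trigger."""
import json, re, sys
import urllib.parse, urllib.request

API_URL = "https://api.abuseipdb.com/api/v2/report"

# Assumed mapping from lfd trigger name to AbuseIPDB category ids
# (4 DDoS Attack, 14 Port Scan, 18 Brute-Force, 21 Web App Attack, 22 SSH).
CATEGORIES = {
    "CT_LIMIT": "4,14", "PS_LIMIT": "14", "LF_SSHD": "18,22", "LF_FTPD": "18",
    "LF_SMTPAUTH": "18", "LF_POP3D": "18", "LF_IMAPD": "18",
    "LF_HTACCESS": "18,21", "LF_MODSEC": "21",
}
# Username-like tokens after "user=", "username:", "for " or "for invalid user ";
# the negative lookahead keeps numbers such as "for 14400 secs" intact.
USER_RE = re.compile(r"\b(user(?:name)?[=: ]+|for (?:invalid user )?)(?!\d)(\S+)", re.I)

def redact(text, server_ips):
    """Mask this server's own IPs and any usernames in an lfd log excerpt."""
    for ip in server_ips:
        text = text.replace(ip, "[server]")
    return USER_RE.sub(lambda m: m.group(1) + "[user]", text)

def build_report(argv, server_ips=(), include_logs=False):
    """Turn lfd's argument vector into the form fields AbuseIPDB expects."""
    ip, ports, _perm, inout, _timeout, message, logs, trigger = argv[:8]
    comment = f"{message}; Ports: {ports}; Direction: {inout}; Trigger: {trigger}"
    if include_logs:  # off by default: log excerpts are where usernames leak
        comment += "; Logs: " + logs
    return {"ip": ip, "comment": redact(comment, server_ips),
            "categories": CATEGORIES.get(trigger, "15")}  # 15 = Hacking

def send_report(report, api_key):
    """POST the report; lfd kills BLOCK_REPORT after 10 s, so stay under that."""
    req = urllib.request.Request(API_URL, data=urllib.parse.urlencode(report).encode(),
                                 headers={"Key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=8) as resp:
        return resp.status, json.loads(resp.read())

if __name__ == "__main__":
    # Placeholders: put your AbuseIPDB key and your server's public IPs here.
    payload = build_report(sys.argv[1:], server_ips=["203.0.113.10"])
    print(json.dumps(send_report(payload, "YOUR_API_KEY")[1], indent=2))
```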
 
Category, that's even nicer; I wonder why abuseipdb didn't do that in their script then. Thanks, will remove the log part.
 
Hopefully it won't report my users if they make some password mistakes and I won't get too many false positives.
You can remove your IP in their panel :)
I just converted the Perl script into a PHP script and wrote it into my own code, because I want to adjust the category for reporting.
Port scanning, brute force, DDoS, etc. should be set to the correct category.
Care to share? :)
 