
Thread: Lockdown Your Server - APF / BFD / AntiDOS

  1. #1
    Administrator Smoge

    Lockdown Your Server - APF / BFD / AntiDOS

    I highly recommend rf-networks ( http://www.rfxnetworks.com ) products:

    APF - Advanced Policy Firewall
    BFD - Brute Force Detection
    AntiDos - Denial Of Service Detection

    If you would like some help installing these on your Linux based server, contact me.

  2. #2
    Administrator Smoge

    An example of an email sent to the admin by these products, triggered by a brute-force attack on the SSH port over a 2-minute period. You can see that many attempts were made to break in.

    What is happening on your server?????

    <------ EMAIL START ------->

    The remote system 218.236.84.82 was found to have exceeded acceptable login failures on hk1.nanjingweb.com. As such the attacking host has been banned from further accessing this system; for the integrity of your host you should investigate this event as soon as possible.

    The following are event logs for exceeded login failures from 218.236.84.82 on service sshd (all time stamps are GMT +0800):
    ----
    - Executed actions:
    /etc/apf/apf -d 218.236.84.82

    - Log events from /var/log/messages:
    Feb 21 01:16:33 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.176 LEN=48 TOS=0x04 PREC=0x00 TTL=117 ID=64443 PROTO=TCP SPT=31061 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
    Feb 21 01:16:33 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.177 LEN=48 TOS=0x04 PREC=0x00 TTL=117 ID=28540 PROTO=TCP SPT=31061 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
    Feb 21 02:11:17 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.176 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=3218 DF PROTO=TCP SPT=59366 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:17 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.177 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=32861 DF PROTO=TCP SPT=59372 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:20 hk1 sshd(pam_unix)[3489]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82
    Feb 21 02:11:20 hk1 sshd(pam_unix)[3488]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82
    Feb 21 02:11:23 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.176 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=61925 DF PROTO=TCP SPT=59579 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:23 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.177 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=36841 DF PROTO=TCP SPT=59580 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:23 hk1 sshd(pam_unix)[3493]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82
    Feb 21 02:11:23 hk1 sshd(pam_unix)[3492]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82
    Feb 21 02:11:26 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.177 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=51807 DF PROTO=TCP SPT=59696 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:26 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.176 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=58224 DF PROTO=TCP SPT=59697 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:27 hk1 sshd(pam_unix)[3497]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82 user=admin
    Feb 21 02:11:27 hk1 sshd(pam_unix)[3496]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82 user=admin
    Feb 21 02:11:29 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.176 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=56796 DF PROTO=TCP SPT=59837 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:29 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.177 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=62947 DF PROTO=TCP SPT=59839 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:30 hk1 sshd(pam_unix)[3500]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82 user=admin
    Feb 21 02:11:30 hk1 sshd(pam_unix)[3501]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82 user=admin
    Feb 21 02:11:32 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.176 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=1152 DF PROTO=TCP SPT=60004 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:32 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.177 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=16966 DF PROTO=TCP SPT=60005 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:33 hk1 sshd(pam_unix)[3505]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82
    Feb 21 02:11:33 hk1 sshd(pam_unix)[3506]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82
    Feb 21 02:11:35 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.176 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=41089 DF PROTO=TCP SPT=60144 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:35 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.177 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=19316 DF PROTO=TCP SPT=60146 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:36 hk1 sshd(pam_unix)[3509]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82 user=root
    Feb 21 02:11:36 hk1 sshd(pam_unix)[3510]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82 user=root
    Feb 21 02:11:38 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.176 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=33909 DF PROTO=TCP SPT=60250 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:38 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.177 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=55037 DF PROTO=TCP SPT=60252 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:39 hk1 sshd(pam_unix)[3514]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82 user=root
    Feb 21 02:11:39 hk1 sshd(pam_unix)[3515]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82 user=root
    Feb 21 02:11:42 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.176 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=45293 DF PROTO=TCP SPT=60326 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:42 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.177 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=51648 DF PROTO=TCP SPT=60327 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:42 hk1 sshd(pam_unix)[3519]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82 user=root
    Feb 21 02:11:43 hk1 sshd(pam_unix)[3518]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82 user=root
    Feb 21 02:11:45 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.177 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=4430 DF PROTO=TCP SPT=60403 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:45 hk1 kernel: ** SSH ** IN=eth0 OUT= MAC=00:11:11:12:e5:ea:00:d0:02:76:df:fc:08:00 SRC=218.236.84.82 DST=202.67.231.176 LEN=60 TOS=0x04 PREC=0x00 TTL=53 ID=29172 DF PROTO=TCP SPT=60415 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
    Feb 21 02:11:45 hk1 sshd(pam_unix)[3522]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82
    Feb 21 02:11:46 hk1 sshd(pam_unix)[3524]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.236.84.82
    Feb 21 02:12:00 hk1 BFD(3543): {sshd} 218.236.84.82 exceeded login failures; executed ban command '/etc/apf/apf -d 218.236.84.82'.
    ----

    <---- END EMAIL ---->
    Last edited by Smoge; 10-05-2006 at 10:13 PM.
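The email above shows the whole BFD loop: sshd(pam_unix) logs an "authentication failure" per attempt, BFD counts failures per remote host, and once the count is exceeded it hands the host to APF with `/etc/apf/apf -d <ip>`. The following is an added example, not code from the thread or from the BFD/APF projects, that reimplements that detection over sample log lines in the same syslog format. The thresholds (10 failures within 300 seconds), the year used for timestamp parsing, and the log lines themselves are constructed assumptions; the hosts are from the 192.0.2.0/24 documentation range. It only returns the ban command as a string and never executes anything.

```python
"""Minimal brute-force detector in the spirit of BFD: scan syslog-style
sshd(pam_unix) 'authentication failure' lines, count failures per remote
host inside a sliding time window, and report the APF ban command BFD
would run (returned as a string here, never executed).

The SAMPLE_LINES below are constructed to imitate the format quoted in
the thread; hosts, PIDs and times are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches pam_unix failure lines like those in the email; 'user=' is optional.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S+)(?: user=(?P<user>\S+))?"
)

# Assumed thresholds (hypothetical, not BFD's actual defaults).
MAX_FAILURES = 10       # failures from one host ...
WINDOW_SECONDS = 300    # ... within this many seconds trigger a ban
YEAR = 2006             # syslog lines carry no year; assumed for parsing


def parse_failure(line):
    """Return (timestamp, rhost, user-or-None) for a failure line, else None."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("rhost"), m.group("user")


def detect_bans(lines, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Sliding-window failure count per rhost.

    Returns {rhost: ban_command} for every host that reached the threshold.
    Failures older than `window` seconds fall out of the count, so a slow
    trickle of failures is not banned while a burst like the one in the email is.
    """
    recent = defaultdict(deque)   # rhost -> failure timestamps still inside window
    bans = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                # kernel/other lines are not counted
        ts, rhost, _user = parsed
        if rhost in bans:
            continue                # already banned; no need to re-ban
        q = recent[rhost]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()             # expire failures outside the window
        if len(q) >= max_failures:
            bans[rhost] = f"/etc/apf/apf -d {rhost}"
    return bans


def events_for(lines, rhost):
    """All log events mentioning one host: the list BFD quotes in its email."""
    return [l for l in lines if f"rhost={rhost}" in l or f"SRC={rhost} " in l]


# Constructed sample log: one kernel SSH SYN line, a 12-failure burst from
# 192.0.2.10 in ~35 seconds, a single failure from 192.0.2.20, and 10 failures
# from 192.0.2.30 spread one minute apart (too slow to reach 10 in 300 s).
SAMPLE_LINES = (
    ["Feb 21 02:11:17 hk1 kernel: ** SSH ** IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 "
     "LEN=60 PROTO=TCP SPT=59366 DPT=22 SYN URGP=0"]
    + [f"Feb 21 02:11:{20 + 3 * i:02d} hk1 sshd(pam_unix)[{3489 + i}]: authentication failure; "
       f"logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.10 user=root"
       for i in range(12)]
    + ["Feb 21 02:12:05 hk1 sshd(pam_unix)[3601]: authentication failure; "
       "logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.20"]
    + [f"Feb 21 02:{20 + i:02d}:00 hk1 sshd(pam_unix)[{3700 + i}]: authentication failure; "
       f"logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.0.2.30 user=admin"
       for i in range(10)]
)

if __name__ == "__main__":
    for host, cmd in detect_bans(SAMPLE_LINES).items():
        print(f"{host} exceeded login failures; ban command would be: {cmd}")
        for ev in events_for(SAMPLE_LINES, host):
            print("  ", ev)
```

Run as-is it reports only 192.0.2.10, with the same kernel and pam_unix events the email lists; 192.0.2.30 never has ten failures inside any 300-second window, which is the difference between a burst and background noise that a per-window threshold is meant to capture.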

  3. #3
    Administrator Smoge

    Just an update on this thread - as I saw someone looking at it...

    We don't use or recommend APF anymore...

    CSF is a much better script:

    ConfigServer Security & Firewall

    Smoge
    ModMySite Administrator

    Problems? Questions? Need modifications or other help with your site?

    Open A Ticket , Send Us An Email Or Give Us A Telephone Call +1 518-632-4152.
