Block IPs automatically

Hello,

What is the best way to block IPs automatically? My maillog is full of the following lines:

vpopmail[xxxx]: vchkpw-smtp: null password given SOMETHING:xxx.xxx.xxx.xxx

I blocked some IPs manually, but it is very hard, so I am looking for an automated solution.

Thank you!

Hi Dss

I hope you don’t mind, but I personally do not think blocking the IP using IPTABLES would work too well for the following reasons:

Over time IPTABLES will become extremely large and slow down the system
The connections made may not originate from the IP shown (so it will not be stopped)

On our enterprise mailers, any attempted connection which fails a set number of times, is not blocked but ignored, even if correct credentials are then handed over, and we set the time frame for ignore, but these are dedicated mailers.

I know I posted a little while ago, over a different issue, but the software may be helpful in your post as well, but I would need to look it up, sorry, which I will do later and post a link, but it is untested, sorry, or you could block IP ranges, or country IP ranges I suppose, which may also work for you.

Other users may have a solution or a better way to deal with this, which I would also be interested to know, so please be patient.

I hope that helps a little

Many thanks

John

Hi John,

Thank you for your reply! You’re right, IPTABLES would be very large. Please send your older post if you have time. It’s not a problem that it’s not tested, I’ll test it on my test VPS first. Unfortunately, it’s a very popular problem on our servers, so I can test it everywhere :S

Hi dss

Yes, I know it’s an issue with every provider, and there’s no foolproof way to stop it, as it needs open access.

I’ll look it up when I have time today, sorry fairly busy.

Many thanks

John

Hi Dss

I’m sorry, I have looked quickly but I cannot find my post, I did not realise I had posted so many sorry.

However, the software I was meaning is http://www.spamdyke.org but this may not work for pop, sorry, it is for smtp, but the good news is there is a new version available and for centos6 64 bit. Of course, it may still help, because if you look at your logs, you will most likely see the same IP attempting to access POP also attempts to access SMTP.

I hope that helps, and please let me know if you install it, and if it works, as I have not had much time to fully try it, but I will be making time soon.

Many thanks

John

Thank you John, I’m going to test it on my test vps, but of course nobody tries to attack my test server now :)

Does anybody have experience with fail2ban and InterWorx? As I saw, it works with smtp and pop too. Because of the unban, my IPTABLES may not be very large.

Hi dss

Do you mind if I ask how you got on with spamdyke?

Also, I’ve looked at fail2ban before, but cannot remember why we didn’t install it sorry.

Also, the recent post from cleverwise indicates cphulk may do what you’re looking for, but it may only work for cpanel or their os.

I hope that helps a little and look forward to other users views.

Many thanks

John

Hi John,

I haven’t installed spamdyke so far because after blocking 4-5 IPs manually, the attacks stopped, but I think they will start again in a very short time. At this time I am only trying to collect information about the possible solutions and looking for the best one. I think at the end of next week I will have to install one of the mentioned solutions. I’ll write feedback about it!

Hi Dss

I hope you don’t mind, but I’ve been doing some quick research and came across the articles listed below, which make interesting reading, and may offer you some more suggestions, as well as show where fail2ban may not work.

I have not tested them but I may do if I have time, or if anyone tests them, if you could offer feedback please, and I’m fairly confident the log entries will be shown in most of the logs, they are certainly in ours.

Many thanks

John

http://lawsonry.com/2014/01/malicious-log-entries-look-like/
http://lawsonry.com/2014/01/quickly-block-traffic-with-ipset-and-iptables/
http://daemonkeeper.net/781/mass-blocking-ip-addresses-with-ipset/

Hello,

Yeah CPHulk is for WHM/Cpanel. If you want automatic IP blocking, which personally I think is good because there are brute force attacks, I strongly suggest BFD at http://www.rfxnetworks.com/projects/brute-force-detection/

This has been mentioned before and it does work well with the firewall IW uses (same vendor).

I thought I would add the instructions for BFD to make it easy (it is elsewhere on this forum too but what the heck).

SSH in and run the following commands (omit >)
> cd /opt/
> wget http://www.rfxnetworks.com/downloads/bfd-current.tar.gz
> tar -xpf bfd-current.tar.gz
Get version number by lsing
> ls
> cd bfd-VERSION
> ./install.sh
Setup TRIG, EMAIL_ALERTS, EMAIL_ADDRESS, then save (I use vi):
> vi /usr/local/bfd/conf.bfd
Now start it:
> /usr/local/sbin/bfd -s

BFD will now automatically add offending IPs to the deny_hosts.rules. I suggest you whitelist your own IP as whitelisted IPs take priority over blacklisted ones. That way if you accidentally have a mail client or something that fails too many times you won’t lock yourself out.

Finally if you have multiple servers (either dedicated, VPS, or cloud) I strongly suggest for each node you whitelist another node. That way you can SSH in from another node should you lock your own IP out. I have seen it happen.

Hi cleverwise

Thanks for your post and I’ll have a look tomorrow when I’ve some spare time, but do you mind me asking if it uses ipsets?

Many thanks

John

Sorry, also, I presume reject can be replaced with drop, as we never like to back scatter.

Many thanks

John

No problem. I hope it helps.

BFD will blacklist the single offending IP. You can also write your own rules or edit the default ones.

BFD runs by crontab every few minutes and then searches the logs of known programs like the maillog looking for too many failures (you set the number). Once located, BFD just adds that IP to the deny_hosts.rules list if you use APF. If you want to block say an IP range you can do that, but need to do so manually in the deny_hosts.rules file.

I have to say running CPHulk I got daily emails (dozens and dozens) of brute force attacks on open ports. Scripts and bots are very busy.

Does that address your question?

BFD itself doesn’t block anything. It relies on a firewall like APF. BFD just detects brute force attacks and adds the IP to a firewall blacklist. Then it is up to your firewall to do the blocking. So however you have set your firewall (block, reject, drop) is how failures will be treated.

Hi

Many thanks, ipsets are quicker and use less resource than iptables, which I think the firewall can use, but its use is defined in the script.

I’m sorry if I have expressed my question too well

Many thanks

John

Well APF uses the iptables framework but not iptables itself. In fact iptables must be disabled; installed but disabled. It is my understanding APF is much faster than iptables. Thus IPs on the deny_hosts.rules list are much faster than iptables. However I am not an expert on APF.

Hi,
Why don’t you have fail2ban in use? That tiny tool helps to solve this issue.
There are many filters and much more on github.
That tool supports iptables, apf, shorewall and so on.

Hi

I’ve been thinking about this, and I’m not too sure if it’s just me, but I’ve been following our logs and we’re seeing connections which only last seconds, but always from a different ip, which I don’t think are repeated, but I could be wrong, sorry.

If this is correct, then any ip banning will have no effect anyway, but I’m thinking most would say better to have it.

It’s just my observation and thoughts.

Many thanks

John
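Added example (not code from the thread, BFD, fail2ban or InterWorx): a small Python script that does what cleverwise describes BFD doing, namely scanning the maillog for the vpopmail "null password given" lines from the original question, counting failures per source IP, and listing the addresses that reach a threshold (the equivalent of BFD's TRIG), with whitelisted networks taking priority over the blacklist. It also runs over a second constructed excerpt that reproduces John's observation at the end of the thread, many addresses with one failure each, to show why a per-IP threshold never fires in that case. The log lines, host names, PIDs, users and addresses are constructed, the regex is written against the single line format quoted on the page, and the threshold semantics ("at least TRIG failures") are this example's own assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed maillog excerpt modelled on the vpopmail line quoted in the thread.
# Hosts, PIDs, mailbox names and addresses are made up (TEST-NET ranges).
SAMPLE_LOG = """\
Mar  3 10:01:12 mail vpopmail[2101]: vchkpw-smtp: null password given admin@example.com:203.0.113.7
Mar  3 10:01:13 mail vpopmail[2102]: vchkpw-smtp: null password given info@example.com:203.0.113.7
Mar  3 10:01:15 mail vpopmail[2103]: vchkpw-smtp: null password given sales@example.com:203.0.113.7
Mar  3 10:01:16 mail vpopmail[2104]: vchkpw-smtp: null password given test@example.com:203.0.113.7
Mar  3 10:02:01 mail vpopmail[2110]: vchkpw-pop3: null password given bob@example.com:198.51.100.20
Mar  3 10:02:02 mail vpopmail[2111]: vchkpw-pop3: null password given bob@example.com:198.51.100.20
Mar  3 10:02:03 mail vpopmail[2112]: vchkpw-pop3: null password given bob@example.com:198.51.100.20
Mar  3 10:02:04 mail vpopmail[2113]: vchkpw-pop3: null password given bob@example.com:198.51.100.20
Mar  3 10:02:05 mail vpopmail[2114]: vchkpw-pop3: null password given bob@example.com:198.51.100.20
Mar  3 10:03:00 mail vpopmail[2120]: vchkpw-smtp: null password given alice@example.com:192.0.2.44
Mar  3 10:05:00 mail qmail-smtpd[2130]: connection from 192.0.2.99
"""

# Constructed excerpt for the pattern John describes: twenty different
# addresses, each producing exactly one failed attempt.
SCATTERED_LOG = "".join(
    f"Mar  3 11:00:{i:02d} mail vpopmail[{3000 + i}]: vchkpw-smtp: "
    f"null password given user{i}@example.com:203.0.113.{100 + i}\n"
    for i in range(20)
)

# Matches the "vchkpw-<service>: <reason> <user>:<ip>" tail of the quoted line.
# The reason is non-greedy so the user/IP pair at the end is captured exactly.
FAILURE_RE = re.compile(
    r"vpopmail\[\d+\]: vchkpw-(?P<svc>\w+): (?P<reason>.+?) "
    r"(?P<user>\S+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_failures(log_text):
    """Return (service, user, ip) for every vchkpw failure line in the text."""
    hits = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            hits.append((m["svc"], m["user"], m["ip"]))
    return hits


def failures_per_ip(log_text):
    """Count failures by source address across smtp and pop3 alike."""
    return Counter(ip for _, _, ip in parse_failures(log_text))


def is_whitelisted(ip, networks):
    """True if ip falls inside any of the whitelisted networks."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def offenders(log_text, trig=5, whitelist=()):
    """Addresses with at least `trig` failures, minus whitelisted ones.

    The whitelist wins over the count, mirroring the priority cleverwise
    describes, so an admin's own mail client cannot get the admin locked out.
    `trig` plays the role of BFD's TRIG setting (assumed semantics).
    """
    networks = [ip_network(w, strict=False) for w in whitelist]
    counts = failures_per_ip(log_text)
    hits = [ip for ip, n in counts.items()
            if n >= trig and not is_whitelisted(ip, networks)]
    return sorted(hits, key=ip_address)


if __name__ == "__main__":
    print("per-IP failures:", dict(failures_per_ip(SAMPLE_LOG)))
    print("offenders, TRIG=4:", offenders(SAMPLE_LOG, trig=4))
    print("offenders, TRIG=4, 198.51.100.0/24 whitelisted:",
          offenders(SAMPLE_LOG, trig=4, whitelist=["198.51.100.0/24"]))
    # One failure per address: no address ever reaches the threshold.
    print("scattered offenders, TRIG=2:", offenders(SCATTERED_LOG, trig=2))
```

The same counting loop is what a cron-driven tool does every few minutes over the live log; the second run over the scattered excerpt is the case where it adds nothing, which is worth knowing before deciding whether per-IP blocking is worth the iptables growth John worried about.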