Hallo
Ich habe ein großes Problem, das ich alleine nicht mehr lösen kann. Mein Problem ist, dass mein Webserver (Debian) immer attakiert wird. Ich merke das an der CPU Auslastung (100%, Dual Core) und wenn ich dann mit netstat -n nachschaue, sehe ich dort dann sehr oft eine ip die oft vor kommt. die kommt dann meißt von russland, israel usw.. wenn ich die ip dann mit iptables sperre ist kurz eine ruhe und dann gehts schon wieder weiter. es ist auch immer eine andere ip.
ich habe mir das script blockhosts installiert, dass automatisch alle 5 minuten durchläuft und die logs kontrolliert aber das hilft scheinbar nicht.
habt ihr vielleicht einen tipp für mich was ich besser machen kann? oder gibt es da noch etwas anderes außer blockhosts? gibt es keine eingebaute funktion der die ip sperrt wenn sie zu oft die seite aufrufen?
das ist die blockhosts.cfg
Ich habe ein großes Problem, das ich alleine nicht mehr lösen kann. Mein Problem ist, dass mein Webserver (Debian) immer attakiert wird. Ich merke das an der CPU Auslastung (100%, Dual Core) und wenn ich dann mit netstat -n nachschaue, sehe ich dort dann sehr oft eine ip die oft vor kommt. die kommt dann meißt von russland, israel usw.. wenn ich die ip dann mit iptables sperre ist kurz eine ruhe und dann gehts schon wieder weiter. es ist auch immer eine andere ip.
ich habe mir das script blockhosts installiert, dass automatisch alle 5 minuten durchläuft und die logs kontrolliert aber das hilft scheinbar nicht.
habt ihr vielleicht einen tipp für mich was ich besser machen kann? oder gibt es da noch etwas anderes außer blockhosts? gibt es keine eingebaute funktion der die ip sperrt wenn sie zu oft die seite aufrufen?
das ist die blockhosts.cfg
Code:
#-----------------------------------------------------------------------
# comments must begin in column 1, like this line.
# /etc/blockhosts.cfg : make it writeable when you need to update
# this file, otherwise should be set to readonly for everyone,
# for security. Note that new installs/upgrades may also overwrite this
# file, save a copy if this is modified locally
# ----------------------------------------------------------------------
# BE CAREFUL UNCOMMENTING - if done incorrectly, scripts will not start up.
# The best way to uncomment is to just remove or add the single character #
# from the appropriate lines, and if needed, edit the line
# ----------------------------------------------------------------------
# Starting with BlockHosts 2.0.2, this config file is now required to
# read in the regular expressions to search for access failures in the
# log files. This file can also be used to provide arguments
# to a run of blockhosts.
# To make changes, copy the assignment line you need to change, change
# the value and remove the # character from column 1 to uncomment it
# Follow python string/list/dict constant expression syntax, as shown in the
# exmple lines. All strings should be enclosed with python-style quotes.
# python experts: script uses eval() to parse all the values specified here.
#-----------------------------------------------------------------------
[common]
# common section is variables that may be used by main program, mail, etc
HOSTS_BLOCKFILE = "/etc/hosts.allow"
# the name of the block-file on your computer - usually hosts.allow or
# hosts.deny, see "man 5 hosts_access" for details on these files.
# default is hosts.allow
HOST_BLOCKLINE = ["ALL: ", " : deny"]
# the line to output, with Host Ip Address in between the strings above,
# to turn on blocking of that IP address. Must have 2 strings in list.
#VERBOSE = Log.MESSAGE_LEVEL_ERROR #-> error (same as --quiet option)
#VERBOSE = Log.MESSAGE_LEVEL_WARNING #-> warning (default)
#VERBOSE = Log.MESSAGE_LEVEL_NOTICE #-> notice
VERBOSE = Log.MESSAGE_LEVEL_INFO #-> info (same as --verbose option)
#VERBOSE = Log.MESSAGE_LEVEL_DEBUG #-> debug (same as --debug option)
# logging message levels - each level includes all levels above it
#-----------------------------------------------------------------------
[filters]
# filters section defines configuration for filtering watched hosts
# into the blocked hosts list
COUNT_THRESHOLD = 7
# number of invalid attempts after which host is blocked
# note that actual denial make take one or more attempts - depends on the
# timing of when LOGFILES are updated by the system, and when this script
# gets to run
AGE_THRESHOLD = 12
# number of hours after which host entry is discarded from hosts.deny
# 24 -> one day, 168 -> one week, 720 -> 30 days, integer values only
# most attackers go away after they are blocked, so to keep hosts.deny
# file size small, no reason to make this any more than, say, half-a-day
WHITELIST = [ "127.0.0.1", ] # default
#WHITELIST = []
WHITELIST = [ "127.0.0.1", "10\.0\.0\..*", ]
# A list of IP (IPv4) addresses or regular expressions that represent
# a IP (IPv4) address - this is the list of white-listed IP addresses.
# When considering IPs to block, if a IP address maches any item in this
# list, then it will be removed from the block list - so won't be blocked.
#BLACKLIST = [] # default
#BLACKLIST = [ "192.168.10.1", "10\..*", ]
# A list of IP (IPv4) addresses or regular expressions that represent
# a IP (IPv4) address - this is the list of black-listed IP addresses.
# When considering IPs to block, if a IP address maches any item in this
# list, then it will be immediately added to the block list, even if
# COUNT_THRESHOLD may not have been reached.
# IP addresses directly specified in this list without a regular expression
# will be immediately added to the blocked list.
# WHITELIST takes precedence over BLACKLIST - so a match in both will mean
# it is white-listed.
#-----------------------------------------------------------------------
[blockhosts]
# blockhosts section defines the log files to scan and patterns to look for
LOGFILES = [ "/var/log/secure", ] # default
LOGFILES = [ "/var/log/auth.log", ]
#LOGFILES = [ "/var/log/secure", "/var/log/vsftpd.log", ]
# default list of logs to process, comma separated, can follow Python
# syntax, should be a sequence (list or tuple) of strings representing
# filenames: 1 or more files, default is single file: /var/log/secure
LOCKFILE = "/tmp/blockhosts.lock"
# need create/write access to this file, used to make sure only one
# instance of blockhosts.py script writes the HOSTS_BLOCKFILE at one time
# note that the mail/iptables/iproute parts of the program do not serialize
#---------------
# ALL_REGEXS_STR:
# Modify this if you need to match some other lines in your system logfiles,
# other than for OpenSSH sshd, proftpd, vsftpd, etc, which are built-in.
# The regexps should contain a P<host> to make a named match for the IP
# address, no other P<> is required.
# Use this if you need to match additional lines or services to block
# IP addresses based on lines in the system logs.
# The value for this is a python dictionary, key is a string to label the
# regular expression, choose any unique string, and value is the regular
# expression string.
# In the defaults below, the given key values match the following examples:
# SSHD:
# Jul 19 06:47:27 hostname sshd[1768]: Invalid user xxx from 10.10.58.3
# Nov 15 04:57:19 hostname sshd[1668]: Illegal user yyy from ::ffff:10.6.184.165
# Oct 4 12:04:50 hostname sshd[1110]: [ID 800047 auth.info] Illegal user slime from 192.168.102.101
# Jul 19 06:58:23 hostname sshd[2821]: User root from 10.10.58.3 not allowed because none of user's groups are listed in AllowGroups
#Apr 20 12:34:30 hostname sshd[9701]: Failed password for invalid user root from 10.21.45.30 port 35993 ssh2
# ProFTPD:
# May 29 22:38:10 hostname proftpd[28865]: hostname (10.0.0.1[10.0.0.1]) - USER validuser (Login failed): Incorrect password.
# May 29 22:40:20 hostname proftpd[28879]: hostname (10.0.0.1[10.0.0.1]) - USER aaa: no such user found from 10.0.0.1 [10.0.0.1] to 10.0.0.1:21
# May 30 07:31:55 hostname proftpd[1450]: hostname (10.0.0.1[10.0.0.1]) - SECURITY VIOLATION: root login attempted.
# VSFTPD:
# Jun 23 17:03:04 hostname vsftpd[25249]: Sat Jun 23 15:03:04 2007 [pid 25249] [anonymous] FAIL LOGIN: Client "10.102.1.8"
# vsftpd.log - uses different timestamp, unlike one from syslog:
# Fri Jan 21 15:56:57 2005 [pid 6726] [test] FAIL LOGIN: Client "10.204.30.15"
# Pure-FTPd
# May 17 16:13:29 hostname pure-ftpd: (?@10.10.199.69) [WARNING] Authentication failed for user [username]
# Note: pure-ftpd logs FQDN, which blockhosts cannot work with.
# Use the -H or --dontresolve option of pure-ftpd to make it log IP addresses.
# Solaris 10 ftpd -----------------------
# Mar 23 16:52:51 hostname ftpd[1322]: [ID 122736 daemon.info] failed login from 192.168.102.34 [192.168.102.34], [unknown]
# Apr 16 17:01:19 hostname ftpd[18088]: [ID 122736 daemon.info] failed login from aa2003050453007.ccc.ddd.eeee.us [10.5.66.10], [unknown]
# ipop3d POP3 -----------------------
# ipop3d Aug 18 16:27:38 hostname ipop3d[2540]: Login failed user=username auth=username host=badhostname [10.3.32.17]
# Dovecot POP3 -----------------------
# Feb 19 15:40:23 hostname pop3-login: Aborted login [::ffff:10.238.200.11]
# Qpopper POP3 -----------------------
# Mar 24 11:49:56 hostname qpopper[16765]: abraham at adsl-10-49-203-118.dsl.sbcglobal.net (10.49.203.118): -ERR [AUTH] Password supplied for "abraham" is incorrect.
# Postfix/smtpd ----------------------
#Jul 21 18:42:30 hostname postfix/smtpd[15919]: NOQUEUE: reject: RCPT from host2.example.com[10.108.1.1]: 550 5.1.1 : Recipient address rejected: User unknown in virtual alias table; from=<> to= proto=ESMTP helo=
# Sep 13 13:02:42 hostname postfix/smtpd[25355]: warning: 10.108.1.2: address not listed for hostname ds1.example.com
# Sep 12 15:59:01 hostname postfix/smtpd[7385]: warning: unknown[10.108.1.3]: SASL PLAIN authentication failed: authentication failure
# Sep 12 15:59:01 hostname postfix/smtpd[7385]: warning: unknown[10.108.1.4]: SASL LOGIN authentication failed: authentication failure
# Sep 25 01:37:31 hostname postfix/smtpd[6961]: warning: 10.108.1.5: hostname host-10-98-234-178.example.com verification failed: Name or service not known
# Sep 26 00:17:06 hostname postfix/smtpd[3457]: warning: non-SMTP command from 10-224-32-204.example.com[10.108.1.6]: Subject:10.245.3.95
#--- ALL_REGEXS - a dict where key is id of pattern, value is pattern
# - make sure each uncommented rule is in a single line (no line breaks)
# - if you add a rule, add a id for the rule - a string, like
# "proftpd-NoUser" as key (use servicename-word as pattern for id, with
# no "-" (dash) in final word), and then the r'pattern' as value.
# - each pattern should use (?P<host>) to identify the IP4 IP-address of
# host to watch for blocking
# - Follow exact spaces and layout of other rules here, to add new rules
# --- to prevent most types of log injection attacks, match entire lines
# as much as possible, with no complete wildcards at beginning or end
# In many cases, matching just beginning or end may be sufficient.
# ^[^[]+?sshd will only match sshd[] lines, ignoring other processes
# assume hostname and date (which begin a syslog line) don't contain [
# ALL_REGEXS lines are unique-name-for-pattern: pattern
# pattern must contain {HOST_IP} keyword to identify remote host IP address
# pattern may contain {LOG_PREFIX{service_name}} keyword to
# denote syslog/metalog/multilog prefix at the beginning of a log line.
# service_name is a string representing name of service in the prefix of
# the log lines in syslog, for example service_name may be 'sshd' or
# 'vsftpd(pam_unix)' - without the single quotes.
# The log prefix does not include the trailing space, and always matches at
# beginning of line.
# Examples of LOG_PREFIX matches (the / delimiter is not part of match):
# matched by {LOG_PREFIX{vsftpd(pam_unix)}} :
# /Dec 25 21:18:58 host vsftpd(pam_unix)[21989]:/
# matched by {LOG_PREFIX{xinted}} :
# /Oct 18 04:21:52 host xinetd[3316]:/
# matched by {LOG_PREFIX{sshd}} :
# /Oct 4 12:04:50 host.example.com sshd[1110]: [ID 800047 auth.info]/
# In all examples above, the : after the [pid] is optional.
# matched by {LOG_PREFIX{sshd}} :
# /Dec 17 11:57:08 [sshd]/
# matched by {LOG_PREFIX{pure-ftpd}} :
# /May 17 16:13:29 servername pure-ftpd:/
# {HOST_IP} matches IP address, either of :
# /100.200.30.40/
# /::ffff:100.200.30.40/
# While ALL_REGEXS contains all the rules, ENABLE_RULES defines
# which patterns to enable in blockhosts. This is a regular expression
# that is used to match the enabled keys (names) in ALL_REGEXS
# As long as beginning of pattern name matches the ENABLE_RULES
# regular expression, that pattern will be enabled.
#ENABLE_RULES = r'(?i)(sshd|.*ftpd).*' # default (?i) for IGNORECASE matching
#ENABLE_RULES = r'.*' # use this to enable all rules
ALL_REGEXS = { # NOTE: see ENABLE_RULES definition also, not all rules enabled
"sshd-Invalid":
r'{LOG_PREFIX{sshd}} (Invalid|Illegal) user .* from {HOST_IP}',
"sshd-NotAllowed":
r'{LOG_PREFIX{sshd}} User .* from {HOST_IP} not allowed because none of user\'s groups are listed in AllowGroups$',
"sshd-Fail":
r'{LOG_PREFIX{sshd}} Failed .*? for (invalid user |illegal user )?.* from {HOST_IP}',
"proftpd-NoPassword":
r'{LOG_PREFIX{proftpd}} [^[]+\[{HOST_IP}.+Login failed',
"proftpd-NoUser":
r'{LOG_PREFIX{proftpd}} [^[]+\[{HOST_IP}.+no such user',
"proftpd-SecurityViolation":
r'{LOG_PREFIX{proftpd}} [^[]+\[{HOST_IP}.+SECURITY VIOLATION',
"vsftpd-FailSyslog":
r'{LOG_PREFIX{vsftpd}} .* FAIL LOGIN: Client "{HOST_IP}"$',
# vsftpd.log line, uses different prefix, so no LOG_PREFIX used below:
"vsftpd-FailVsftpd":
r'... ... .?\d \d\d:\d\d:\d\d \d{4} .* FAIL LOGIN: Client "{HOST_IP}"$',
"pure-ftpd-Fail":
r'{LOG_PREFIX{pure-ftpd}} \(\?@{HOST_IP}\) \[WARNING] Authentication failed',
"ftpd-Solaris":
r'{LOG_PREFIX{ftpd}} failed login from .* \[{HOST_IP}],',
"ipop3d-Fail":
r'{LOG_PREFIX{ipop3d}} Login failed .* \[{HOST_IP}]',
"dovecot-LoginFail":
r'{LOG_PREFIX{pop3-login}} Aborted login \[{HOST_IP}]',
"qpopper-Fail":
r'{LOG_PREFIX{qpopper}} .* \({HOST_IP}\): -ERR \[AUTH] Password supplied ',
"postfix-smtpd550":
r'{LOG_PREFIX{postfix/smtpd}} NOQUEUE: reject: RCPT from .*?\[{HOST_IP}]: 550 5.1.1 : Recipient address rejected: User unknown in virtual alias table;',
"postfix-smtpdInvalidHostname":
r'{LOG_PREFIX{postfix/smtpd}} warning: {HOST_IP}: address not listed for hostname ',
"postfix-smtpdInvalidId":
r'{LOG_PREFIX{postfix/smtpd}} warning: unknown\[{HOST_IP}]: SASL (LOGIN) authentication failed: authentication failure$',
"postfix-smtpdServiceUnknown":
r'{LOG_PREFIX{postfix/smtpd}} warning: {HOST_IP}: hostname .* verification failed: Name or service not known$',
"postfix-smtpdNonSMTPCommand":
r'{LOG_PREFIX{postfix/smtpd}} warning: non-SMTP command from .*\[{HOST_IP}]: Subject:',
}
#-----------------------------------------------------------------------
[mail]
# e-mail configuration
#MAIL = False # (default)
#MAIL = True
# Whether to enable e-mail sending. If set to True, will send email at
# end of the block-hosts run, if any error/warning/notice printed out
# in the log. Note that --quiet will impact this - if --quiet is
# in effect, only error messages will trigger a email.
#NOTIFY_ADDRESS = 'root@localhost.localdomain'
# Email address to send the messages to.
# All of the following are SMTP required variables, SMTP is used to send
# email; this is necessary only if using the mail functionality
#SMTP_SERVER = "localhost"
#SENDER_ADDRESS = 'BlockHosts <blockhosts-do-not-reply@localhost.localdomain>'
#SMTP_USER = ''
#SMTP_PASSWD = ''
# If smtp_user and passwd is empty, no authentication is necessary
#-----------------------------------------------------------------------
[ipblock]
# ipblock section for enabling protection using TCP/IP level blocking -
# by using null routes, or iptables filtering, all network communication
# is stopped from a particular IP address
# Values that can be assigned to IPBLOCK - can be iptables or iproute,
# or full path to iptables or ip commands.
IPBLOCK = "iptables" # (default)
#IPBLOCK = "ip route" # or use full path "/sbin/ip route"
#IPBLOCK = "iptables" # or use full path "/sbin/iptables"
# "ip route": Do TCP/IP blocking using route commands to setup null-routes.
# ip route add <ip-addr> via 127.0.0.1
# "iptables": Do TCP/IP blocking, using iptables packet filtering.
#-----------------------------------------------------------------------