Auto block Hacker

All installation and configuration problems and questions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Auto block Hacker

Postby akmayuga » Tue May 15, 2012 8:21 am

hi guys,
does this code also works here??
thanks.

Code: Select all
Dependencies
1.Iptables
2.postfix/sendmail ( for email alert)


step 1

1.login to your server via ssh
2. go to cd /usr/src/
3. vi scan-secure.sh
4. copy and paste the below script there

    #!/bin/sh

    # scan /var/log/secure for ssh attempts
    # use iptables to block the bad guys

    # Looking for attempts on existing and non-existing users. For example:
    # Nov 2 22:44:07 pbxer sshd[28318]: Failed password for root from 74.143.42.70 port 52416 ssh2
    # Nov 3 00:06:57 pbxer sshd[31767]: Failed password for invalid user mat3 from 192.203.145.200 port 35841 ssh2

    tail -1000 /var/log/secure | awk '/sshd/ && /Failed password for/ { if (/invalid user/) try[$13]++; else try[$11]++; }
    END { for (h in try) if (try[h] > 4) print h; }' |
    while read ip
    do
    # note: check if IP is already blocked...
    /sbin/iptables -L -n | grep $ip > /dev/null
    if [ $? -eq 0 ] ; then
    # echo "already denied ip: [$ip]" ;
    true
    else
    echo "Subject: denying ip: $ip" | /usr/sbin/sendmail urmailid@gmail.com
    logger -p authpriv.notice "*** Blocking SSH attempt from: $ip"
    /sbin/iptables -I INPUT -s $ip -j DROP
    fi
    done

5. type chmod 755 /usr/src/scan-secure.sh
6. make entry in the cron to run in every one or two minutes
crontab -e
* * * * * /usr/src/scan-secure.sh
7. now start the iptables
/etc/init.d/iptables restart

to check for the blocked hackers ip
type iptables -L -n
Vicibox 64-bit
Asterisk v.1.4.39.2-vici
ViciBox Redux v.5.0.2-130807
preload iso installation
No Digium/Sangoma Hardware
No Extra Software After Installation
single server
akmayuga
 
Posts: 56
Joined: Thu Apr 19, 2012 1:53 pm

Re: Auto block Hacker

Postby DomeDan » Tue May 15, 2012 9:13 am

No, because OpenSuSE v.11.3 does not use the /var/log/secure file
failed ssh-attempts are logged in /var/log/messages like this:
"May 15 15:37:17 serverhost sshd[1267]: error: PAM: Authentication failure for username from 192.168.0.1"

so you can rewrite the script, or install something else like denyhosts or Fail2ban
Vicidial Partner. Region: Sweden/Norway.
Does Vicidial installation, configuration, customization, add-ons, CRM implementation, support, upgrading, network-related, pentesting etc. Remote and onsite assistance.
Email: domedan (at) gmail.com
DomeDan
 
Posts: 1226
Joined: Tue Jan 04, 2011 9:17 am
Location: Sweden

Re: Auto block Hacker

Postby akmayuga » Tue May 15, 2012 11:12 am

hi DomeDan,

i will search about this denyhosts and Fail2ban..

thank you....
Vicibox 64-bit
Asterisk v.1.4.39.2-vici
ViciBox Redux v.5.0.2-130807
preload iso installation
No Digium/Sangoma Hardware
No Extra Software After Installation
single server
akmayuga
 
Posts: 56
Joined: Thu Apr 19, 2012 1:53 pm


Return to Support

Who is online

Users browsing this forum: Google [Bot] and 123 guests