my VPS provided didn't enable a lot of modules and that's why I can use a firewall(csf or apf) and dos deflate script
I need a simple script for it.
First,it has to call this: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n then there will be something like: Number : IP address 20 1.2.3.4 40 1.2.3.5 80 1.2.3.6 and then the bash script has to bann IPs with more than 30 connections(In our case: 1.2.3.5 and 1.2.3.6) with this: iptables -A INPUT -s IP_FOR_BLOCK -j DROP
for over a year now, with iptables. However recently, after upgrading to apache 2.2, the connections in netstat get listed as ipv6. A row can look like this for example:
As you can see, the remote ip address isn't complete, it's cut off, so the script used to sum up connections and insert into iptables isnt doing anything.
I then turned on the brute force protection cPanel provides, and it went down considerably from there. I'm not concerned at all about it (since the passwords are strong), but I would like to know the best way to determine abusive users (of SSH), and the best way to ban them.
Assuming the server does not have APF installed, or any particular control panel...
Getting these emails, several a day telling me that the server is banning its own allocated IP addresses. Can someone explain what on earth it could possibly be doing to ban its own IP's?
From - Thu Dec 20 16:50:47 2007 X-Account-Key: account3 X-UIDL: GmailId116f88c2a1c060ca X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 X-Mozilla-Keys: Delivered-To: myemail@gmail.com Received: by 10.90.78.14 with SMTP id a14cs288558agb; Thu, 20 Dec 2007 09:14:04 -0800 (PST) Received: by 10.142.177.7 with SMTP id z7mr183490wfe.47.1198170843836; Thu, 20 Dec 2007 09:14:03 -0800 (PST) Return-Path: <root@host.domain.com.br> Received: from server.domain.com.br (domain.com.br [xxx.xxx64.138]) by mx.google.com with ESMTP id m8si38592roe.1.2007.12.20.09.14.03; Thu, 20 Dec 2007 09:14:03 -0800 (PST) Received-SPF: pass (google.com: domain of root@server.domain.com.br designates xxx.xxx.64.138 as permitted sender) client-ip=xxx.xxx.64.138; Authentication-Results: mx.google.com; spf=pass (google.com: domain of root@server.domain.com.br designates xxx.xxx.64.138 as permitted sender) smtp.mail=root@server.domain.com.br Received: from root by server.domain.com.br with local (Exim 4.68) (envelope-from <root@server.domain.com.br>) id 1J5OyA-0004us-63 for root@server.domain.com.br; Thu, 20 Dec 2007 15:13:39 -0200 To: root@server.domain.com.br Subject: IP addresses banned on Thu Dec 20 15:13:39 BRST 2007 Message-Id: <E1J5OyA-0004us-63@server.domain.com.br> From: root <root@server.domain.com.br> Date: Thu, 20 Dec 2007 15:13:39 -0200 X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - server.domain.com.br X-AntiAbuse: Original Domain - server.domain.com.br X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12] X-AntiAbuse: Sender Address Domain - server.domain.com.br
Banned the following ip addresses on Thu Dec 20 15:13:38 BRST 2007
xxx.xxx64.138 with 151 connections
I have centos 4 / cpanel installed with apf / bfd yet the deny host rules for apf does not show the server IP's listed as banned.
I need to ban IP range and I inserted say ip 12.44.0.0 in the deny_hosts rules, this should ban range from 12.44 but strange is people from that range still be able to access my site, any idea what went wrong?
I want to stop users from country X from accessing my website, I know I can ban people's IPs but I dont know if it is possible to ban certain geographical area and if so, I haven't got a clue about how to do it.
I installed mod_security and the 403security rules on my VPS (Centos 4.1, Release version of WHM).
Several vBulletin files, including the ajax quick editor and some vbulletin.org add-ons are triggering this rule and banning members' IPs in CSF:
# Restrict witch content encodings we accept. # # TODO Most applications support only two encodings for request bodies # because that is all browsers know how to produce. If you are using # automated tools to talk to the application you may be using other # content types and would want to change the list of supported encodings. # # Note though that ModSecurity parses only three content encodings: # application/x-www-form-urlencoded, multipart/form-data request and # text/xml. The protection provided for any other type of encoding is # inferior. # # TODO There are many applications that are not using multipart/form-data # encoding (typically only used for file uploads). This content type # can be disabled if not used. # # NOTE We allow any content type to be specified with GET or HEAD # because some tools incorrectly supply content type information # even when the body is not present. There is a rule further in # the file to prevent GET and HEAD requests to have bodies to we're # safe in that respect. # # NOTE Use of WebDAV requires "text/xml" content type. # # NOTE Philippe Bourcier (pbourcier AT citali DOT com) reports # applications running on the PocketPC and AvantGo platforms use # non-standard content types: # # M-Business iAnywhere application/x-mal-client-data # UltraLite iAnywhere application/octet-stream # SecRule REQUEST_METHOD "!^(?:get|head|propfind|options)$" "chain, t:lowercase, deny,log,auditlog,status:501,msg:'Request content encoding is not allowed by policy',id:'960010',severity:'4'" SecRule REQUEST_HEADERS:Content-Type "!(?:^(?:application/x-www-form-urlencoded$|multipart/form-data;)|text/xml)" I don't know how to decipher this rule to know if just removing it is ok, or if it is serving an important purpose. During a couple hour period it was enabled, that rule only seemed to trigger false alarms.
The above was triggered with calls such as [uri "/forums/ajax.php?do=usersearch"] and [uri "/forums/newreply.php?do=postreply&t=11057"]
What I really don't understand is that I have an .htaccess in place to turn off mod_security for the /forums directory:
<IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule> I have also had this rule triggered today when someone tried to access : ...
I am experiencing a strange problem with iptables: after in activate them, they are gone in a few minutes. For example, I drop traffic from an ip and after few seconds, all rules are flushed without touching anything!
If I keep getting spam from a certain IP, can I add that IP to Iptables? Will it stop me receiving spam from that IP? I'm not quite sure how it all works.
Or what is the most effective method to stop spam?
EG_UDP_CPORTS="53,465,873,6277" Whenever I turn EGF to 1 my VPS locks me out of everything, I need togo into hyperVM to turn it off and restart my firewall.
What would cause this?
It's Fedora Core 5 on OpenVZ i've googled and cannot seem to find a reason why it would do that. Could be something in the host node kernel that may need adjusting?
Do you find iptables enough or do you use a hardware firewall for linux? I haven't used anything less than hardware firewalls for years but I gather than most simply rely on iptables. Is that a smart choice?
# iptables -D INPUT -s 25.55.55.55 -j DROP iptables v1.3.8: Couldn't load target `standard':/usr/local/lib/iptables/libipt_standard.so: cannot open shared object file: No such file or directory What is going on? The libipt_standard.so file is located in /lib/iptables, but not /usr/local/lib/iptables. I tried moving all of the libipt files into the /usr/local/lib/iptables directory, but I got segmentation errors.
[root@localhost ~]# service iptables status Firewall is stopped. [root@localhost ~]# service iptables start Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: mangle filter [ OK ] Unloading iptables modules: ^[[A [ OK ] [root@localhost ~]# service iptables status Firewall is stopped.
it said iptables is stop...even I start manually...
I am not sure APF is running correctly because of iptables..
CSF dont ban the IP and if manually it is done I get following error. ---------------- csf -d 195.88.65.47 Adding 195.88.65.47 to csf.deny and iptables DROP... iptables: Index of insertion too big DROP all opt -- in !lo out * 195.88.65.47 -> 0.0.0.0/0 Error: iptables command [/sbin/iptables -v -I INPUT 2 -i ! lo -s 195.88.65.47 -j DROP] failed, at line 864 ------------------- Also iptables is not running on server. If status is checked it says its stopped.
I have many sites on my server I dont want to get any downtime.
Please let us know how can we fix this issue as soon as possible.
I have tried reinstall CSF but still the issue remains same.
I keep trying to flush my iptables on my linux server but every time i try to do so my server seems to freeze (i lose access and have to reboot it for it to come back online), how can I go about deleting those ips manually rather than executing the flushing command? what options do I have?
root@xxxx[~]# service iptables status Firewall is stopped. root@xxxx[~]# service iptables start Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: filter [ OK ] Unloading iptables modules: [ OK ] root@xxxx[~]# service iptables status Firewall is stopped.