Feed your firewalls

So as a few of you know, I'm this crusty old Sys Admin dude. I have a number of machines that I look after, and they are nearly all Linux machines. They are on pretty much twenty-four seven; this site is an example of such an endeavor.

But the internet has a problem – it's the continual attack on any machine (Mac, Windows, Linux, Unix or something else) and any service that said machine might be running.

It's not uncommon for someone to attempt to attack this machine every day. Probably the worst I've seen is about 30 thousand attempts in one day. Typically it's about 1 to 3 K, and I have been whittling this number down… there is a way to manage this.

1 Record what the offending IP addresses are (the auth log is your friend in this instance)
2 Add these offending addresses to the firewall "or better" so that they will never have any access, even if it is just to rattle the locks on the doors of your computers.

Typically the command to block an IP address is something like this; it's not a complex thing.

sudo iptables -A INPUT -s 10.1.1.1/32 -j DROP

People are concerned that one may block out legitimate traffic (and admittedly this is important, especially if you accidentally add your own IP address! Do you have physical access to the machine? A plan B?). But don't let me scare you; what I'm talking about is not complex (just take care!).
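As an added example (not code from this post), here is a small POSIX shell script that does the two steps above: it pulls the offending addresses out of constructed sshd "Failed password for … from IP" log lines, applies a threshold, and refuses to emit a rule for anything on an allowlist, so your own address never ends up in the DROP list. The allowlist entries and log lines are made up; the `-C` check assumes an iptables that supports rule-existence checks.

```shell
#!/bin/sh
# Constructed sample auth.log lines (not real data); 192.0.2.10 stands in for "my own" address
SAMPLE_LOG='Jan  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 40000 ssh2
Jan  3 10:01:05 host sshd[1235]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan  3 10:02:11 host sshd[1240]: Failed password for invalid user test from 198.51.100.7 port 41000 ssh2
Jan  3 10:02:30 host sshd[1241]: Failed password for steve from 192.0.2.10 port 50000 ssh2
Jan  3 10:03:00 host sshd[1250]: Accepted publickey for steve from 192.0.2.10 port 50001 ssh2
Jan  3 10:04:00 host sshd[1260]: Failed password for root from 203.0.113.5 port 40010 ssh2'

# Addresses that must never be blocked, whatever the log says (this is your plan B)
ALLOWLIST="192.0.2.10 127.0.0.1"

# offenders LOG THRESHOLD: print IPs with at least THRESHOLD failed sshd logins, one per line
offenders() {
    printf '%s\n' "$1" \
      | sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$2" '$1 >= t { print $2 }'
}

# in_allowlist IP: succeed if IP is on the allowlist
in_allowlist() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# block_rules LOG THRESHOLD: print one iptables DROP rule per offender, skipping the
# allowlist; the -C check makes the rule idempotent so re-running does not duplicate it
block_rules() {
    offenders "$1" "$2" | while read -r ip; do
        if in_allowlist "$ip"; then
            continue
        fi
        printf 'iptables -C INPUT -s %s/32 -j DROP 2>/dev/null || iptables -A INPUT -s %s/32 -j DROP\n' "$ip" "$ip"
    done
}

# Review the output first; on a real box apply with:
#   block_rules "$(cat /var/log/auth.log)" 3 | sudo sh
block_rules "$SAMPLE_LOG" 1
```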

When you think about it, there are 4,294,967,296 usable version 4 IP addresses. My current block list on this small machine is about 880 of these… that is about 0.0000204891% of all available IPv4 addresses. It's not much, and my machine is rather low tech.

But the problem is routers. My own network is based on a router that is controlled by my ISP. I don't really have total control over this machine, but it would be good if I could manage that process a bit. But the ISP says no – you can have 3 settings!

The upshot is, if I'm serious about security and running my own server from home… I have to manage the abuse at the machine level or add an additional router!

It would be better to manage it at the router level, because then every machine behind that router / firewall would be protected. But we haven't really made this jump. I also understand that segmenting the internet is not a good thing, but I'm happy with my 0.0000204891% reduction. I don't feel bad about this.


Battling Digital Onslaught

A couple of times on this site I've mentioned some of the garbage that some IP addresses spit at my wee server. It's interesting and frustrating, especially when you think about how much people do or do not care.

Admittedly the people at AWS have on occasion constructively addressed the odd concern (but they do require lots of information, including your time zone, preferred type of porridge, etc.). But on the whole, if you make a complaint to an ISP about the scanning or BS coming from an IP address, you often never get a response.

So one approach is to just set up firewall rules and hope that the Aholes don’t come back via another address, but this does become a vexatious game of Whac-A-Mole.

I made this project public in 2018:
https://github.com/nevetsanderson/sshfail

It is useful in that, on a day to day level, it can bring awareness to how much junk is rattling at your front doors. I remember telling a manager once about the number of daily attacks and he went rather pale in the face.

I hope that someone can find sshfail as a useful tool, even if it does turn managers pale.

Attack of the amazons!

Had a nasty attack from a bunch of Amazon machines this morning attempting to brute force this little old WordPress installation of mine! I'd be interested if anyone else has a similar pattern occurring.

This is a list of the offending IP addresses, all of which have since been blocked. I have emailed the little bookshop; it will be interesting to see if they get back to me!

List of the nasties if anyone wants that info:



Why it’s important to monitor logs

A while back I wrote sshfail. It's a script to look at attempts on the SSH protocol on servers. You can find it up on GitHub if you're interested and want to install it yourself: https://github.com/nevetsanderson/sshfail .

The interesting thing is that even if you use a non-standard port to run SSH on (which is what this data relates to), it's only a matter of time before modern hackers or bots or some Bs8dutard's find that information and it gets propagated. Have a look at this raw data.

Date        Attempts    IPs
1/3/2020          28     28
1/4/2020         239    129
1/5/2020         204    125
1/6/2020         337    106
1/7/2020         322    167
1/8/2020         386    142
1/9/2020         452    195
1/10/2020        273    169
1/11/2020       5873    197
1/12/2020       4346    116
1/13/2020       8892    191
1/14/2020       6192    128
1/15/2020          0      0

As you can see, things got ugly after about 11 days… from 28 to 5873 attempts on the server per day, within 2 weeks. Also worth considering is how things went from weeks of no one being able to detect this to 28 IP addresses suddenly finding my machine on the same day, and then increasing to 195 (Jan 3-9). I'd love to know what's going on in the background. How is this information being propagated?

So as you can also observe, on the 15th I changed the port and things have been quiet since then. But the issue is… if I hadn't been observant and actually looked at the numbers, then I'd have been giving the bad guys a chance at wreaking havoc…
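As an added example, not part of sshfail or this post, here is an awk-based daily summary over constructed sshd log lines that produces the same Date / Attempts / IPs columns as the table above, plus a check that flags any day whose attempt count jumps past a chosen multiple of the previous day's, which is exactly the kind of jump the 1/11/2020 row shows. The log lines, hostnames and addresses are made up.

```shell
#!/bin/sh
# Constructed sample auth.log excerpt (not real data): three days of sshd activity
SAMPLE_LOG='Jan  3 02:10:01 host sshd[201]: Failed password for root from 203.0.113.5 port 4001 ssh2
Jan  3 02:10:04 host sshd[202]: Failed password for root from 203.0.113.5 port 4002 ssh2
Jan  3 09:30:00 host sshd[210]: Accepted publickey for steve from 192.0.2.10 port 5000 ssh2
Jan  4 01:00:00 host sshd[301]: Failed password for invalid user admin from 198.51.100.7 port 4100 ssh2
Jan  4 01:00:03 host sshd[302]: Failed password for invalid user admin from 198.51.100.7 port 4101 ssh2
Jan  4 01:00:09 host sshd[303]: Failed password for invalid user test from 203.0.113.5 port 4102 ssh2
Jan  4 01:00:12 host sshd[304]: Failed password for root from 203.0.113.9 port 4103 ssh2
Jan  5 03:00:00 host sshd[401]: Failed password for root from 203.0.113.9 port 4200 ssh2'

# daily_summary LOG: one line per day, "Mon D attempts unique_ips", in log order
daily_summary() {
    printf '%s\n' "$1" \
      | awk '/sshd\[[0-9]+\]: Failed password for/ {
              day = $1 " " $2
              for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
              attempts[day]++
              if (!((day, ip) in seen)) { seen[day, ip] = 1; ips[day]++ }
              if (!(day in order)) { order[day] = ++n; days[n] = day }
          }
          END { for (i = 1; i <= n; i++)
                    printf "%s %d %d\n", days[i], attempts[days[i]], ips[days[i]] }'
}

# spike_days LOG FACTOR: days whose attempts exceed FACTOR times the previous day's
spike_days() {
    daily_summary "$1" \
      | awk -v f="$2" 'NR > 1 && prev > 0 && $3 > f * prev { print $1 " " $2 }
                        { prev = $3 }'
}

# On a real box: daily_summary "$(cat /var/log/auth.log)"; spike_days "$(cat /var/log/auth.log)" 2
daily_summary "$SAMPLE_LOG"
spike_days "$SAMPLE_LOG" 1.5
```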

Stay safe out there people, and actually look at your log data!