To see whom has been trying to connect to your Debian (or Ubuntu) server, use:
cat /var/log/auth.log | grep "Failed"
This will list out the failed attempts, then add the successful with:
cat /var/log/auth.log | grep "session opened" | grep "LOGIN"
You can note the IP addresses for the unwanted attempts and block them with iptables, like this:
sudo iptables -I INPUT -s AAA.BBB.CCC.DDD -p tcp --dport ZZZ -j REJECT
Where the IP to block is "AAA.BBB.CCC.DDD" and the port is "ZZZ" as a number, so to block 192.168.0.1 on port 7000 you would do:
sudo iptables -I INPUT -s 192.168.0.1 -p tcp --dport 7000 -j REJECT
Instead of REJECT you can use DROP, and in place of tcp you can use udp and icmp protocols.
To block a whole subnet range I just do this:
sudo iptables -A INPUT -s AAA.BBB.CCC.000/AAA.BBB.CCC.255 -p tcp --dport ZZZ -j DROP
This makes all addresses in the range not respond, the range could have been 192.168.0.0/192.168.0.255, or you could block higher up the range like this 192.168.0.0/192.160.255.255, the first address range blocks just the last section subnet mask, the second blocks the last two sections of the subnet mask!
You can view the iptables in use with:
sudo iptables -L
Why Does This Exist?
Its not often I have to actually turn a server towards the outside world, my personal servers usually sit on my LAN and never route to the internet, like-wise the items I provision in the office are for internal use...
Yesterday however, I had the pleasure of being told to make a service available to the outside world...
No big deal, it's Apache2 on a Ubuntu host, set up done... And I only opened port 80 then left it... All was fine...
It has run for six hours... six... On a brand new acquired IP address, no-one but the recipient at the far end knows about the server being there, it has no DNS entry, it has no other services, just port 80 and ssh open...
Yes, I have had hacker, poking, security breach attempts from China, Vietnam, the British Virgin Islands, Canada, the Netherlands and Russia...
The mind boggles at quite how much hacking and infiltration is going on out there...
I've been checking the mainly ssh breach attempts with the command:
cat /var/log/auth.log | grep "Failed"
I run this to a file and then have a python script to log the IP addresses into a table for me, and I can then just block them individually or as a subnet range, though iptables.
I also check for successful logins just in case with:
cat /var/log/auth.log | grep "session opened" | grep "LOGIN"
I wonder however whether a python script to manage all this for me might be in order... Hmmm, project time!
No comments:
Post a Comment