Thread: Banning IP Addresses Permanently

  #1 beezlebubsbum (Advisor) | Join Date: May 2004 | Location: Australia | Posts: 735

    Banning IP Addresses Permanently

    Hi all. Well, it had to happen at some time, but it appears as if my site has been hacked in some sort of way. My tag clouds were posting random Russian websites, instead of useful tags. I thought it was a little weird, and deleted the tags, but they reappeared about 2 hours afterwards. I had a look at my logs, because the CMS I use, e107, has a useful section where I can analyse who accesses my site. It turns out that e107 has managed to block a few IP addresses that have been pinging and accessing my site way too much in a short period (101 attempts in 10 seconds). I noticed that it actually banned the IP 66.249.71.154, then another IP address afterwards, 66.249.71.226. Seems to me this was probably the same person, so now whenever someone who uses the IP address 66.249.71.* accesses the site, they are actually barred and given a message to go get screwed (the nice way of putting it). The only thing that I am worried about is that the IP address is only banned from accessing my e107 site, and not my entire server. Is there a way where I can ban an IP address range from using my site/server at all? In the meantime, I have actually disabled the tagcloud plugin of e107, as it seems that this is the current vulnerability. Any more tips or suggestions are very welcome, as this is my first time dealing with a malicious user.
    My Website: http://ttgale.com
    My Website Uptime: http://img.uptimeprj.com/holastickbo...dee9bae2e2.png
    My Server Specs: AMD Athlon X2 3800+, 2gb DDR2 RAM, 1.5TB HDD, Ubuntu 9.10
    My Gaming PC: Intel Core 2 Duo 2.93ghz, 4gb DDR2 RAM, 9800GTX+

  #2 jro (Mentor) | Join Date: May 2004 | Location: Pennsylvania, USA | Posts: 1,206
    Are you the admin on the box, I mean, do you have FULL root access to the server? If so, a program I run on most of my external-facing servers is DenyHosts. It's really cool for a couple of reasons.

    First, it monitors all incoming connections; if an IP address exceeds a specific threshold, say 100 connections in a minute, it places the IP on a temporary ban list. If the IP continues to try and connect after being temp banned, it gets moved to a permanent ban list. The difference being that the temp ban list gets purged on a set timetable.

    Second, all bans happen on the hosts.deny level, so the service the IP is requesting isn't even bothered.

    Third, and probably greatest of all, is that the service communicates with a central server where others running DenyHosts share offending IP addresses. You can optionally download and also ban offending IPs others have permanently banned.

    After this service runs for about a week, you will find there are VERY few unwanted connections coming through. I went from around 10,000 various malicious connection attempts a day to less than 5 per week.
    jro - http://jeff.robbins.ws
    Linux counter#:213782
    GnuPG ID: 406238E7
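The two-tier scheme jro describes (a threshold within a time window, a temporary list that is purged on a timetable, and escalation to a permanent list for IPs that keep connecting while temp-banned), as an added Python example; this is not DenyHosts' own code. The log format, the one-hour purge interval and the sample addresses are constructed for the demo; the 100-connections-per-minute threshold is the figure from the post.

```python
import re
from collections import defaultdict, deque
THRESHOLD = 100          # connections per window before a temp ban (from the post)
WINDOW = 60              # window length in seconds
TEMP_BAN_SECONDS = 3600  # assumed purge interval for the temporary list
# Constructed log format for the demo: "<unix time> <client ip>"
LOG_RE = re.compile(r"^(\d+) (\d{1,3}(?:\.\d{1,3}){3})$")

class BanList:
    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> connection times in the window
        self.temp = {}                  # ip -> expiry of its temporary ban
        self.perm = set()               # permanent bans are never purged

    def observe(self, now, ip):
        # Temporary bans expire on a timetable; permanent ones never do.
        self.temp = {k: t for k, t in self.temp.items() if t > now}
        if ip in self.perm:
            return "perm"
        if ip in self.temp:
            # Still connecting while temp-banned: escalate to permanent.
            del self.temp[ip]
            self.perm.add(ip)
            return "perm"
        window = self.hits[ip]
        window.append(now)
        while window[0] <= now - WINDOW:
            window.popleft()
        if len(window) > THRESHOLD:
            self.temp[ip] = now + TEMP_BAN_SECONDS
            window.clear()
            return "temp"
        return "ok"

    def hosts_deny(self):
        # Both lists as tcp_wrappers lines for /etc/hosts.deny ("daemons : clients").
        return "".join(f"ALL: {ip}\n" for ip in sorted(self.perm | set(self.temp)))

def replay(lines):
    # Feed log lines through the ban list; return it plus a verdict per line.
    banlist, verdicts = BanList(), []
    for line in lines:
        if m := LOG_RE.match(line):
            verdicts.append(banlist.observe(int(m.group(1)), m.group(2)))
    return banlist, verdicts

# Constructed sample: 10.0.0.5 floods and keeps knocking while temp-banned;
# 10.0.0.9 floods once, then only returns after its temporary ban has expired.
SAMPLE = (["1000 10.0.0.5"] * 101 + ["1005 10.0.0.5"]
          + ["3000 10.0.0.9"] * 101 + ["7000 10.0.0.9", "7001 10.0.0.7"])
```

The hosts_deny() output is in tcp_wrappers syntax, which only governs services that consult /etc/hosts.deny (those linked against libwrap or started via inetd); a web server on port 80 typically needs its own rule, for example in the host firewall.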

  #3 beezlebubsbum (Advisor) | Join Date: May 2004 | Location: Australia | Posts: 735
    Wow, thanks for the info jro! I do have full access to the server; it's a self-hosted site in my garage running on an Ubuntu box. This is the first time anything malicious has ever happened, so I was pretty new to the whole situation. I am going to install the DenyHosts program now; looks like it will fit the bill perfectly.

  #4 jro (Mentor) | Join Date: May 2004 | Location: Pennsylvania, USA | Posts: 1,206
    Glad to help beez. Let me know if you run into any issues or questions as you get it set up. There were a few things that sent me for a loop at first that possibly I can shed some light on for you. Once you are up and running you will be amazed at how many IPs it starts banning from the shared lists.

    Just be careful too; I have accidentally banned my work IPs on a number of occasions when I forgot my password or was just messing around bouncing things off of it.

  #5 beezlebubsbum (Advisor) | Join Date: May 2004 | Location: Australia | Posts: 735
    My problem wasn't so much things like my SSH or anything, but I had people dictionary-attacking my actual website login form. I have my website behind 2 hardware firewalls, and the only open port is 80; all SSH and FTP are internal network only. I did install the program you recommended though, using Synaptic, and it started as a daemon, so it was very easy (I was actually surprised). Thanks again for the help though.

  6. #6

    Hi beez

    Please confirm whether your website is redirected to some other pages; if yes, please check the xfer log (FTP log) and see whether the files are altered.

    Regards
    P.saravanan

  #7 jro (Mentor) | Join Date: May 2004 | Location: Pennsylvania, USA | Posts: 1,206
    Hope it helps for you beez; you should browse through the config file, there are a lot of options that aren't set up by default.

    Welcome to the forums krishsarankumar. Not sure what you are recommending beez to do here, can you explain a bit more?

  8. #8
    Hi

    If his website is redirected, it may be done by an XSS attack; it is done mainly through FTP only, if any one of the systems having FTP access to the server is affected with a Trojan.

  #9 jro (Mentor) | Join Date: May 2004 | Location: Pennsylvania, USA | Posts: 1,206
    Quote (originally posted by krishsarankumar):
        Hi, if his website is redirected, it may be done by an XSS attack; it is done mainly through FTP only, if any one of the systems having FTP access to the server is affected with a Trojan.
    @krishsarankumar: Cross-site scripting is not done through FTP. This sort of attack is done by foreign scripts (usually JavaScript) running on, or impersonating, another site via webpages, tricking the user into divulging sensitive information. Beez is referring to people trying to brute-force their way into his e107 CMS system.

    Another idea you might try beez: rename the login page on the CMS system? Many times they are named 'login.php' or something thereof. As long as it doesn't break anything, you should try renaming that file to something off-the-wall (letmein.php), basically hiding it from the bot that is attacking your site. Security through obscurity!

    This is along the lines of what I do with SSH many times. Just run it on a different port, the bots don't bother scanning over 1024, so set it above that.

  10. #10
    Hi

    Yes, it's done by browser cookie only, but most of the XSS attacks are carried out by stealing the FTP account, so most of the commercial web hosting software is using FTPS. If he is using content management software (e107), to block the IP he can use TCP wrappers; that is the best.
