To automatically block brute-force attacks reported by DirectAdmin's Brute Force Monitor, we will use a few scripts provided by DirectAdmin.
PLEASE NOTE: Be careful with this tutorial and use it at your own risk. The iptables rules file downloaded in the first step only allows SSH on the default port 22; if your sshd listens on another port, restarting iptables will lock you out of the server. Edit the iptables file to allow your SSH port before restarting the service. These steps were written for a CentOS/Fedora style system and have not been tested on Debian or FreeBSD.
First, back up the current iptables init script and download DirectAdmin's custom iptables script (which carries the rules) in its place:
cd /etc/init.d
mv iptables iptables.backup
wget http://files.directadmin.com/services/all/iptables
chmod 755 iptables
Test this to make sure it works for you:
service iptables restart
Then confirm you can still connect to everything you need. Check SSH from a second session before closing the one you are in; if you lock yourself out, you may need to head to the datacenter (or an out-of-band console) to shut it off.
Now install block_ip.sh and its companion scripts, so that an IP can be added to a file that lists the addresses to be blocked:
cd /usr/local/directadmin/scripts/custom
wget http://files.directadmin.com/services/all/block_ip.sh
wget http://files.directadmin.com/services/all/show_blocked_ips.sh
wget http://files.directadmin.com/services/all/unblock_ip.sh
chmod 700 block_ip.sh show_blocked_ips.sh unblock_ip.sh
Remember to create the empty block list and exempt list files:
touch /root/blocked_ips.txt
touch /root/exempt_ips.txt
This should activate the button in DA at:
Admin Level -> Brute Force Monitor -> IP Info -> Block IP
This particular block_ip.sh script checks that the IP you're blocking is not already in the list.
It also prints the output of "iptables -nL", which shows everything that is currently blocked. (iptables -nL is printed even when the IP is already blocked, so you can review your iptables rules without changing anything.)
This last step should only be taken after you've run the setup above for a while and are comfortable that you're not going to block yourself; put your own addresses in /root/exempt_ips.txt first so they are never blocked. block_ip.sh only runs on an explicit "click" by the admin; it does not automate blocking. To automate blocking, install the following script:
cd /usr/local/directadmin/scripts/custom
wget http://files.directadmin.com/services/all/brute_force_notice_ip.sh
chmod 700 brute_force_notice_ip.sh
That's it. If you run other services such as squid or OpenVPN, be sure to add their ports to the iptables rules file and restart the iptables service for the changes to take effect.
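To make the behaviour of the block/unblock scripts concrete, here is an added example of a minimal block-list helper written for this page; it is not DirectAdmin's block_ip.sh, unblock_ip.sh or brute_force_notice_ip.sh, and the function names (valid_ipv4, block_ip, unblock_ip, restore_blocks, allow_ssh) and the DRY_RUN, SSH_PORT, BLOCKED_FILE and EXEMPT_FILE variables are assumptions of this example. It assumes the file layout used above (/root/blocked_ips.txt and /root/exempt_ips.txt, one IPv4 address per line) and one DROP rule in the INPUT chain per blocked address. It shows the three checks a practitioner wants before an address reaches iptables: the address is well formed, it is not on the exempt list, and it is not already blocked. With DRY_RUN=1 the iptables commands are printed instead of executed, so it can be tried without touching the firewall.

```shell
#!/bin/sh
# Added example, not DirectAdmin's code. Assumed file layout: one IPv4
# address per line in BLOCKED_FILE and EXEMPT_FILE. DRY_RUN=1 prints the
# iptables command lines instead of running them.
BLOCKED_FILE="${BLOCKED_FILE:-/root/blocked_ips.txt}"
EXEMPT_FILE="${EXEMPT_FILE:-/root/exempt_ips.txt}"
SSH_PORT="${SSH_PORT:-22}"
DRY_RUN="${DRY_RUN:-0}"

# Run iptables, or only echo the command line when DRY_RUN=1.
run_iptables() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Succeed only for a well-formed dotted-quad IPv4 address: four octets,
# each 0-255, no leading zeros, no CIDR suffix. The monitor hands us a
# string; never pass it to iptables unchecked.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
        case "$octet" in 0?*) return 1 ;; esac
    done
    return 0
}

# block_ip ADDR: append ADDR to the block list and insert a DROP rule.
# Exit status: 0 blocked, 1 invalid address, 2 exempt, 3 already blocked.
block_ip() {
    ip="$1"
    if ! valid_ipv4 "$ip"; then
        echo "block_ip: '$ip' is not a valid IPv4 address" >&2
        return 1
    fi
    # The exempt list is the guard against locking yourself out.
    if grep -qxF "$ip" "$EXEMPT_FILE" 2>/dev/null; then
        echo "block_ip: $ip is exempt, not blocking" >&2
        return 2
    fi
    if grep -qxF "$ip" "$BLOCKED_FILE" 2>/dev/null; then
        echo "block_ip: $ip is already blocked" >&2
        return 3
    fi
    echo "$ip" >> "$BLOCKED_FILE"
    run_iptables -I INPUT -s "$ip" -j DROP
}

# unblock_ip ADDR: remove ADDR from the list and delete its DROP rule.
unblock_ip() {
    ip="$1"
    if ! grep -qxF "$ip" "$BLOCKED_FILE" 2>/dev/null; then
        echo "unblock_ip: $ip is not in the block list" >&2
        return 3
    fi
    # grep -v exits 1 when nothing is left, so do not chain mv with &&.
    grep -vxF "$ip" "$BLOCKED_FILE" > "$BLOCKED_FILE.tmp" || true
    mv "$BLOCKED_FILE.tmp" "$BLOCKED_FILE"
    run_iptables -D INPUT -s "$ip" -j DROP
}

# restore_blocks: re-insert a DROP rule for every listed address, so the
# list survives an iptables restart. Blank lines and '#' comments skipped.
restore_blocks() {
    [ -r "$BLOCKED_FILE" ] || return 0
    while IFS= read -r ip || [ -n "$ip" ]; do
        case "$ip" in ''|'#'*) continue ;; esac
        valid_ipv4 "$ip" && run_iptables -I INPUT -s "$ip" -j DROP
    done < "$BLOCKED_FILE"
    return 0
}

# allow_ssh: the ACCEPT rule the warning at the top is about. DROP rules
# inserted afterwards land above it, which is intended: a blocked address
# stays blocked on the SSH port too.
allow_ssh() {
    run_iptables -I INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
}

case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
    restore) allow_ssh; restore_blocks ;;
esac
```

Try it with DRY_RUN=1 SSH_PORT=2222 sh blocklist.sh block 198.51.100.7 (the script name is arbitrary) to see the command it would run; a second call with the same address exits 3 without touching iptables, and an address listed in the exempt file exits 2. The restore action is what you would call from the iptables init script so that the list is re-applied after a restart.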
I'm Arash Milani, hacker & happiness ninja.
Comments
Thanks Arash.
The easiest method to block such attacks is by blacklisting the IPs that carry out such abuses; many hosting providers have added brute force attack protection to their security features.
For more information about these attacks read: http://www.cloudways.com/blog/what-is-brute-force-attack/