Apache IP Trapping/Blocking Bad Bots and hackers

They have: 8 posts

Joined: Apr 2005

Hello,
I have a dedicated server and receive my server log files every morning.
What I have been seeing is people trying to get access to my server through sshd. They are using multiple names and passwords and probably brute force apps.
I am new at running a dedicated server and need to block these people.

What I really want to do is set up a PHP app or configure Apache so it will automatically stop these people & block their IP.
I have heard of PHP code that can be set up as a speed trap so if someone uses an offline browser agent to raid a site it blocks their IP.

I realize it isn't the exact same process, but could use some help on how to set up an IP trap that would automatically block these people and also give me the ability to see who has been blocked.

Also, is there an easy way to block whois.sc on a global basis in Apache to keep it off all my sites? I think some of the people trying to get into my server may be coming from there.
I would think it would be the same process that would be used to stop & block the people who are trying to get into my server.

I have looked for info on this, but all I found was info on how to block IPs using http.cfg, but that wouldn't stop them before it happened, only after.

I would really appreciate some help and advice on how to control this.

Thanks for your help

Data2050

He has: 6,151 posts

Joined: May 2001

Sorry, not sure how to solve your problem, but you do need to be careful blocking by IP, especially if you plan to block by IP range, as most attacks would be coming from proxy servers. Also, what you do with the bad bots etc.: if you send them round in circles or give them fake lists or a never-ending file to suck on, you're using up what can be valuable resources that could be used better elsewhere.

They have: 2,256 posts

Joined: Feb 2001

Data2050 wrote: Hello,
What I have been seeing is people trying to get access to my server through sshd. They are using multiple names and passwords and probably brute force apps.

Neither Apache nor PHP can block SSH attacks; it's a separate program on a separate port. All they could do is block access to your site.

What kind of OS?

If Linux, you can use iptables.

If FreeBSD, you can use IPFW or IPFILTERS to firewall and alternately drop any packets coming from a certain IP address or block.

Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states

They have: 2,256 posts

Joined: Feb 2001

Do be careful when setting up firewall rules, particularly on a remote computer, since you could potentially lock yourself out.

He has: 57 posts

Joined: Apr 2005

If you are having trouble, I used webmin to set up all of my firewall stuff (webmin.org). You should just allow ssh access from one IP, that is what I would do in that situation.

They have: 2,256 posts

Joined: Feb 2001

cpellizzi wrote: If you are having trouble, I used webmin to set up all of my firewall stuff (webmin.org). You should just allow ssh access from one IP, that is what I would do in that situation.

I wouldn't really suggest that. Most of us don't have a fixed IP address. If you set it up to allow access from your cable connection and then that address changed, you would be locked out. Since you can't physically go to the server, you would have to get your host to reset it.

A better option, which is the default in BSD, is to not allow root access via SSH. This way someone can hammer away at the root password all day long and, even if they guessed it, still not get in. Use a username that is not easy to determine either, and su (superuser) if you need to do something as root.

Mark Irving
I have a mind like a steel trap; it is rusty and illegal in 47 states

He has: 57 posts

Joined: Apr 2005

mairving wrote: I wouldn't really suggest that. Most of us don't have a fixed IP address. If you set it up to allow access from your cable connection and then that address changed, you would be locked out. Since you can't physically go to the server, you would have to get your host to reset it.

A better option, which is the default in BSD, is to not allow root access via SSH. This way someone can hammer away at the root password all day long and, even if they guessed it, still not get in. Use a username that is not easy to determine either, and su (superuser) if you need to do something as root.

Yes, that is true. I have a fixed IP, so I kind of forgot that most people don't...

They have: 8 posts

Joined: Apr 2005

Thanks for the info. I agree setting a fixed IP address for admin wouldn't work.
I have found this: http://www.pettingers.org/code/SSHBlack.html
I have heard using hosts.deny will help but not completely.
Any comments on this?

Thanks
Data2050

He has: 1,758 posts

Joined: Jul 2002

Have a look into something called port knocking. It makes it impossible to log in without first "knocking" a special combination of ports before you log in. It would probably get tedious, but I've heard it really makes it tough for people to get in.

Info here: http://www.portknocking.org/

Andy

They have: 8 posts

Joined: Apr 2005

andy206uk wrote: Have a look into something called port knocking. It makes it impossible to log in without first "knocking" a special combination of ports before you log in. It would probably get tedious, but I've heard it really makes it tough for people to get in.

Info here: http://www.portknocking.org/

Hi andy206uk,
I looked at port knocking and found they said this:

Applicability
Port knocking is a suitable form of hardening hosts that house users who require continual access to services and data from any location and that are not running public services, such as SMTP or HTTP. Port knocking is used to keep all ports closed to public traffic while flexibly opening and closing ports to traffic from users who have authenticated themselves with a knock sequence.

So if I understand what they are saying, port knocking shouldn't be used on a web server running public services, such as SMTP and HTTP, because of the ports SMTP and HTTP use.

Thanks,
Data2050

They have: 8 posts

Joined: Apr 2005

I have been doing some research on this, and from what I have found I can use the hosts.allow file and allow the block of IPs I would get from my ISP. From what I understand, once that block of IPs (3 or 4 lines of code) is in the hosts.allow file, nobody could access SSH from an IP not in that block. I have also read there are different apps that will monitor SSH port 22 and will write an IP to iptables; people who have either tried multiple logins in a specified time frame or x amount of login failures will end up with their IP added to iptables, and they won't be able to waste system resources.
Using this should provide dual security on SSH with autoblocking features.

Data2050
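The auto-blocking approach described in the post above (count failed sshd logins per IP inside a time window, then write the offender to hosts.deny or iptables, and keep a record of who was blocked) as an added example; this is not code from the thread or from SSHBlack. The log lines, IP addresses, thresholds and the 2005 year used to complete the syslog timestamps are constructed assumptions, and the rules are returned as text rather than applied.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd auth log lines (syslog format, no year), not real traffic.
SAMPLE_LOG = """\
Apr 12 03:14:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Apr 12 03:14:03 host sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Apr 12 03:14:05 host sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51141 ssh2
Apr 12 03:14:08 host sshd[2207]: Failed password for root from 203.0.113.7 port 51150 ssh2
Apr 12 03:20:10 host sshd[2300]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Apr 12 03:20:40 host sshd[2302]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
Apr 12 04:00:00 host sshd[2400]: Failed password for root from 192.0.2.9 port 33001 ssh2
Apr 12 05:30:00 host sshd[2401]: Failed password for root from 192.0.2.9 port 33002 ssh2
Apr 12 06:45:00 host sshd[2402]: Failed password for root from 192.0.2.9 port 33003 ssh2
Apr 12 07:59:00 host sshd[2403]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def failed_logins(log_text, year=2005):
    """Yield (timestamp, source_ip) for each failed sshd password attempt; year is assumed."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def offenders(log_text, max_failures=3, window_seconds=600):
    """Return {ip: time_blocked} for IPs exceeding max_failures inside a sliding window.
    The returned dict doubles as the 'who has been blocked' record the poster asked for."""
    recent = defaultdict(list)
    blocked = {}
    for ts, ip in failed_logins(log_text):
        if ip in blocked:
            continue
        hits = recent[ip]
        hits.append(ts)
        # Drop attempts older than the window so slow, spread-out failures are not counted.
        while (ts - hits[0]).total_seconds() > window_seconds:
            hits.pop(0)
        if len(hits) > max_failures:
            blocked[ip] = ts
    return blocked

def deny_rules(blocked):
    """Render hosts.deny lines and equivalent iptables commands for the blocked IPs."""
    ips = sorted(blocked)
    return ([f"sshd: {ip}" for ip in ips],
            [f"iptables -A INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips])
```

With the default 10-minute window only the fast burst from 203.0.113.7 is blocked; widening the window to a day also catches the slow, spread-out attempts from 192.0.2.9, which is the trade-off between catching patient attackers and the false-positive risk Busy warns about.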
