There are so many hacked computers in the world that looking through the logs becomes a real chore... The simplest way to deal with this is blacklisting the hosts you don't want.
If you look it up on the internet, you will find that most solutions are done inside iptables. That is a good solution, but if you want to maintain your own list you will run into problems with its length. Doing this for 200 hosts as flat iptables rules is not a good idea and not even always possible (virtual hosting often has limitations like this). The correct way of handling blacklists like this is using the specialized iptables modules, but those modules need to be installed before they work.
So, my choice is the /etc/hosts.deny file. You can find more information on the syntax in hosts.deny(5).
Although specialized packages are mostly the right way to go (see things like fail2ban), you can also choose to create your own tools. The text processing needed is simple enough to get you going with only a few scripts. First, we keep a list of blacklisted and whitelisted ips. Each line contains an ip followed by either "w" or "b": w for whitelisting, b for blacklisting (duh).. So, first add ourselves and a few friends as whitelisted:

823.123.155.6 w
823.133.135.6 w
823.143.135.6 w

Now for the blacklisting, we create a script to ease the pain of adding ips:
#!/bin/sh
# Usage: ban <ip>; appends "<ip> b" unless the ip is already listed (whitelisted or blacklisted).
# -F: literal match (dots are not wildcards), -w: whole word, so 1.2.3.4 does not match 11.2.3.45.
grep -q -w -F -- "$1" /etc/black.list || echo "$1 b" >> /etc/black.list

Save this as "ban" somewhere in the PATH and make it executable. The grep makes sure we don't add an entry for an ip that is already in the list, which also protects us from blacklisting an already whitelisted ip.
So, now lets fill the list (use cron to do this every now and then):
#!/bin/sh
# Collect attacker ips from auth.log and hand each one to the ban script (run this from cron).
IPRE='[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?'
for ip in $(grep -E 'Failed password for invalid user (root|mysql) from' /var/log/auth.log | grep -E -o "$IPRE" | sort --unique); do
    /root/bin/ban "$ip"
done
for ip in $(grep -E 'Nasty PTR record' /var/log/auth.log | grep -E -o "$IPRE" | sort --unique); do
    /root/bin/ban "$ip"
done

Ok, so we keep a list.. now to act on it. To add it to hosts.deny without interfering with the rest of our configuration, we start by creating a template:
cp /etc/hosts.deny /etc/hosts.deny.template

And now, automatically add the rule that blocks the blacklisted people:
#!/bin/sh
# Rebuild hosts.deny: the template first, then "ALL: ip ip ..." lines with at most 100 ips each.
TMP=$(mktemp /etc/hosts.deny.XXXXXX) || exit 1   # build in a temp file and mv it into place, so no daemon ever reads a half-written hosts.deny
cat /etc/hosts.deny.template > "$TMP" && chmod 644 "$TMP"
awk '$2 == "b" { print $1 }' /etc/black.list | xargs -r -n 100 echo 'ALL:' >> "$TMP"   # -r: no "ALL:" line when the list is empty
mv "$TMP" /etc/hosts.deny

Save the above code and make it executable as well. A good name would be update-hosts.deny.
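The same pipeline end to end, as an added example rather than the post's own scripts: it runs offline against constructed auth.log lines and a constructed list, so you can see the whitelist check holding and the 100-ips-per-line split happening. The function names, the sample ips (private and documentation ranges) and the hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not the post's scripts: the same pipeline run offline against constructed data,
# so the whitelist check and the 100-ips-per-line split can be verified.
IPRE='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

# Unique source ips of the two kinds of auth.log line the post greps for.
extract_attackers() {  # $1 = auth.log
    grep -E 'Failed password for invalid user (root|mysql) from|Nasty PTR record' "$1" \
        | grep -E -o "$IPRE" | sort -u
}

# Append "<ip> b" unless the ip already has a w or b entry; compares whole fields, so
# 1.2.3.4 is never mistaken for a prefix of 11.2.3.45 (a bare grep "$1" would be).
ban_ip() {  # $1 = black.list, $2 = ip
    awk -v ip="$2" '$1 == ip { found = 1 } END { exit !found }' "$1" || echo "$2 b" >> "$1"
}

# Template first, then "ALL: ip ip ..." lines with at most 100 ips each (-r: no line for an empty list).
build_hosts_deny() {  # $1 = template, $2 = black.list
    cat "$1"
    awk '$2 == "b" { print $1 }' "$2" | xargs -r -n 100 echo 'ALL:'
}

# Constructed sample data in a scratch directory (private/documentation ip ranges, invented hostnames).
WORK=$(mktemp -d)
echo '10.0.0.5 w' > "$WORK/black.list"   # a whitelisted friend who mistyped his password
echo 'ALL: PARANOID' > "$WORK/hosts.deny.template"
cat > "$WORK/auth.log" <<'EOF'
Feb 11 03:14:15 host sshd[123]: Failed password for invalid user root from 10.0.0.5 port 4000 ssh2
Feb 11 03:14:16 host sshd[124]: Failed password for invalid user mysql from 192.0.2.10 port 4001 ssh2
Feb 11 03:14:17 host sshd[125]: Failed password for invalid user root from 192.0.2.10 port 4002 ssh2
Feb 11 03:14:18 host sshd[126]: Nasty PTR record "evil.example" is set up for 198.51.100.7, ignoring
Feb 11 03:14:19 host sshd[127]: Failed password for bob from 203.0.113.9 port 4003 ssh2
EOF

for ip in $(extract_attackers "$WORK/auth.log"); do ban_ip "$WORK/black.list" "$ip"; done
build_hosts_deny "$WORK/hosts.deny.template" "$WORK/black.list" > "$WORK/hosts.deny"
cat "$WORK/hosts.deny"   # ALL: PARANOID, then ALL: 192.0.2.10 198.51.100.7 (10.0.0.5 stays whitelisted, bob's ip is untouched)
```

Note that bob's failed login for a valid user is not matched by the post's pattern, so his ip is never banned; only the "invalid user" and "Nasty PTR record" lines feed the list.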
So, what will happen if we run all of these scripts?
1. Grepping auth.log generates a list of ips to ban, and bans them if needed.
2. The update-hosts.deny script creates a rule stating "block everything from the blacklisted ips".
And you're done. If you want, take a look at the hosts.deny syntax and decide whether you really want ALL there (maybe only something like ssh or such). Also note that not all servers will honour this file: some don't consult /etc/hosts.deny for their access control (although it would probably be better if they did).
Update 2008-02-11: added -n 100 to xargs to keep the hosts.deny lines to a maximum of 100 ips per line
Update 2008-02-15: added mention of AllowGroups needed if you use the "invalid user" line