
Sysadmin How to ban bad IPs?

Discussion in 'System Administration' started by Meirami, Oct 30, 2018.

  1. Meirami

    Meirami Member

    131
    21
    18
    Dec 21, 2017
    Ratings:
    +50
    Local Time:
    8:48 AM
    I'm using Logwatch to get nice report about yesterday's logs. (What do you think about it?) Sometimes there are IPs which are scanning through my ports aggressively. Like this:
    Code:
      From 46.161.27.81 - 172 packets                                         
           To 12.34.56.78 - 172 packets                                       
              Service: press (tcp/3582) (Firewall: *TCP_IN Blocked*) - 1 packet 
              Service: 4386 (tcp/4386) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 4592 (tcp/4592) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: perfd (tcp/5227) (Firewall: *TCP_IN Blocked*) - 1 packet 
              Service: 5617 (tcp/5617) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: spc (tcp/6111) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: statsci1-lm (tcp/6144) (Firewall: *TCP_IN Blocked*) - 1 packet
              Service: fisa-svc (tcp/7018) (Firewall: *TCP_IN Blocked*) - 1 packet
              Service: 7541 (tcp/7541) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 7640 (tcp/7640) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 8017 (tcp/8017) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: admind2 (tcp/8403) (Firewall: *TCP_IN Blocked*) - 1 packet
              Service: npmp (tcp/8450) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 8479 (tcp/8479) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 8907 (tcp/8907) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 8938 (tcp/8938) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 8944 (tcp/8944) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 9573 (tcp/9573) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 9724 (tcp/9724) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 9730 (tcp/9730) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 9915 (tcp/9915) (Firewall: *TCP_IN Blocked*) - 1 packet   
              Service: 10356 (tcp/10356) (Firewall: *TCP_IN Blocked*) - 1 packet
    These are automatically blocked, but how can I ban the IP so it can't connect to open ports?

    What do you think about Aide, Psad and Tripwire? Should I use something like these? Or is Centminmod good enough without extra scripts and/or programs?
     
  2. eva2000

    eva2000 Administrator Staff Member

    41,720
    9,394
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +14,428
    Local Time:
    3:48 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    That means CSF Firewall already blocked/banned access.

    You can specifically ban an IP in CSF Firewall (see CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS), but banned IPs also show Firewall: *TCP_IN Blocked* as an indicator, so it's no different from what you're seeing right now.
     
  3. Meirami

    Meirami Member

    Yes, but is it just because the scanned ports are closed? If it scans port 80 or similar, is the connection from that ip blocked?
     
  4. eva2000

    eva2000 Administrator Staff Member

  5. Meirami

    Meirami Member

    That's how I was thinking of it too.
    Sorry about my first message; I didn't write it clearly. An automatic ban system is the thing I'm looking for. :oops:
    Something like a few knocks on closed ports and the IP is banned for x amount of time.
     
  6. eva2000

    eva2000 Administrator Staff Member

    CSF Firewall already blocks closed ports. Or do you mean open ports?
     
  7. Meirami

    Meirami Member

    Yes, I'd like to have a total ban on IPs which do port scanning, so the IP that scanned ports cannot connect to the server at all.
     
  8. eva2000

    eva2000 Administrator Staff Member

    FYI, if you ban the IP via CSF Firewall, it's blocked from all open and closed ports.
     
  9. Meirami

    Meirami Member

    Yes, I can do it manually. But I don't know how to make it happen automatically...
     
  10. eva2000

    eva2000 Administrator Staff Member

    Usually you don't need to, as scans like those from bad actors would likely also trip up over CSF Firewall prompted ports like sshd etc. and will be automatically banned anyway, which will ban them from the server. But you would still see the same message Firewall: *TCP_IN Blocked*.

    You could be preemptive and enable CSF Firewall blocklists, which ban IPs in known databases for spammers, port scanning IPs etc. see
    This would require KVM/XEN or dedicated servers, on which Centmin Mod would enable IPSET kernel-level support to handle a massive amount of IP addresses to ban, in the 10000s. The OpenVZ VPS kernel doesn't support IPSET, so it wouldn't handle banning that many IP addresses. Without IPSET support, server performance will suffer when you handle too many IP addresses to ban.

    Example from advanced blocklist additions
    Code (Text):
    # If you do not want to use Blocklist.de large IP list from second list for
    # BDEALL iptables chain name list, you can use one of these listings
    # for narrower set of IPs to block for specific attack types outlined
    # here http://www.blocklist.de/en/export.html
    # DO NOT enable second list BDEALL as well as duplicating IP blocks by
    # enabling below lists. Use second list OR one if the below narrower
    # lists NOT both
    
    #IP addresses which have been reported within the last 48 hours as
    #having run attacks on the service SSH.
    #BDESSH|86400|0|https://lists.blocklist.de/lists/ssh.txt
    
    #IP addresses which have been reported within the last 48 hours as
    #having run attacks on the service Mail, Postfix.
    #BDEMAIL|86400|0|https://lists.blocklist.de/lists/mail.txt
    
    #IP addresses which have been reported within the last 48 hours as
    #having run attacks on the service Apache, Apache-DDOS, RFI-Attacks
    #BDEAPACHE|86400|0|https://lists.blocklist.de/lists/apache.txt
    
    #IP addresses which have been reported within the last 48 hours
    #for attacks on the Service imap, sasl, pop3
    #BDEIMAP|86400|0|https://lists.blocklist.de/lists/imap.txt
    
    #IP addresses which have been reported within the last 48 hours
    #for attacks on the Service FTP.
    #BDEFTP|86400|0|https://lists.blocklist.de/lists/ftp.txt
    
    #IP addresses that tried to login in a SIP-, VOIP- or Asterisk-Server
    #and are inclueded in the IPs-List from http://www.infiltrated.net/
    #BDESIP|86400|0|https://lists.blocklist.de/lists/sip.txt
    
    #IP addresses which have been reported within the last 48 hours as
    #having run attacks attacks on the RFI-Attacks, REG-Bots, IRC-Bots
    #or BadBots
    #BDEBOTS|86400|0|https://lists.blocklist.de/lists/bots.txt
    
    #IP addresses older then 2 month & have more then 5.000 attacks.
    #BDESTRONGIPS|86400|0|https://lists.blocklist.de/lists/strongips.txt
    
    #IP addresses for ircbot
    #BDEIRCBOT|86400|0|https://lists.blocklist.de/lists/ircbot.txt
    
    #IP addresses which attacks Joomlas, Wordpress and other Web-Logins
    #with Brute-Force Logins
    #BDEBRUTEFORCE|86400|0|https://lists.blocklist.de/lists/bruteforcelogin.txt
     
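The fragment above uses the csf.blocklists entry format NAME|INTERVAL|MAX|URL, and its comments warn against enabling BDEALL together with the narrower BDE* lists, while the post warns that large lists without IPSET support hurt performance. This added checker (my own example, not Centmin Mod or CSF code) parses such a fragment and flags both conditions; the sample entries and the all.txt URL are constructed assumptions, not taken from the thread.

```python
import re

# Entry format used by csf.blocklists, as in the fragment quoted above:
#   NAME|INTERVAL|MAX|URL   (a leading '#' disables the entry; MAX 0 = all IPs)
ENTRY_RE = re.compile(r"^(#?)\s*([A-Z0-9_]+)\|(\d+)\|(\d+)\|(\S+)\s*$")

# Constructed fragment: BDEALL (the large combined list) is enabled together
# with one of the narrower lists, which the file's own comment says not to do.
# The all.txt URL is an assumption, not quoted in the thread.
SAMPLE = """\
# blocklist.de combined list
BDEALL|86400|0|https://lists.blocklist.de/lists/all.txt
#BDESSH|86400|0|https://lists.blocklist.de/lists/ssh.txt
BDEMAIL|86400|0|https://lists.blocklist.de/lists/mail.txt
"""

def parse_blocklists(text):
    """Return [(name, interval, max_ips, url, enabled)] for every entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            disabled, name, interval, max_ips, url = m.groups()
            entries.append((name, int(interval), int(max_ips), url, disabled == ""))
    return entries

def check_blocklists(entries, have_ipset):
    """Flag the two misconfigurations discussed in the thread."""
    warnings = []
    enabled = [e for e in entries if e[4]]
    names = {e[0] for e in enabled}
    narrower = sorted(n for n in names if n.startswith("BDE") and n != "BDEALL")
    if "BDEALL" in names and narrower:
        warnings.append("BDEALL duplicates the narrower blocklist.de lists: "
                        + ", ".join(narrower))
    if not have_ipset:
        for name, _, max_ips, _, _ in enabled:
            if max_ips == 0:
                warnings.append("%s has MAX=0 (unlimited) but the kernel has no "
                                "IPSET support; expect iptables slowdown" % name)
    return warnings

if __name__ == "__main__":
    # Treat the host as an OpenVZ VPS without IPSET to see both warnings.
    for w in check_blocklists(parse_blocklists(SAMPLE), have_ipset=False):
        print("WARNING:", w)
```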
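The original poster wanted "a few knocks on closed ports and the IP is banned for x amount of time", and the thread notes that the Logwatch report only ever says Firewall: *TCP_IN Blocked*. This added script (my own example, not part of the thread or of Centmin Mod) parses a Logwatch iptables summary in the layout shown in post 1, counts distinct blocked ports per source, and emits CSF temporary-deny commands (csf -td ip ttl comment) for sources over a threshold; the sample report, the second source address and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Logwatch iptables-report layout quoted in post 1:
# one source probing many closed ports, one source hitting a single port.
SAMPLE = """\
   From 46.161.27.81 - 172 packets
        To 12.34.56.78 - 172 packets
           Service: press (tcp/3582) (Firewall: *TCP_IN Blocked*) - 1 packet
           Service: 4386 (tcp/4386) (Firewall: *TCP_IN Blocked*) - 1 packet
           Service: perfd (tcp/5227) (Firewall: *TCP_IN Blocked*) - 1 packet
           Service: spc (tcp/6111) (Firewall: *TCP_IN Blocked*) - 1 packet
           Service: admind2 (tcp/8403) (Firewall: *TCP_IN Blocked*) - 1 packet
   From 203.0.113.9 - 3 packets
        To 12.34.56.78 - 3 packets
           Service: https (tcp/443) (Firewall: *TCP_IN Blocked*) - 3 packets
"""

FROM_RE = re.compile(r"^\s*From (\d{1,3}(?:\.\d{1,3}){3}) - \d+ packets?")
SVC_RE = re.compile(r"^\s*Service: \S+ \((tcp|udp)/(\d+)\) \(Firewall: \*\w+ Blocked\*\)")

def parse_report(text):
    """Map each source IP to the set of (proto, port) pairs the firewall blocked."""
    hits = defaultdict(set)
    current = None
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SVC_RE.match(line)
        if m and current:
            hits[current].add((m.group(1), int(m.group(2))))
    return hits

def scanners(hits, min_ports=5):
    """Source IPs that knocked on at least min_ports distinct blocked ports."""
    return sorted(ip for ip, ports in hits.items() if len(ports) >= min_ports)

def csf_commands(ips, ttl=86400):
    """One 'csf -td ip ttl comment' temporary-deny command per flagged IP."""
    return ["csf -td %s %d logwatch-portscan" % (ip, ttl) for ip in ips]

if __name__ == "__main__":
    # Run over the sample; on a real host, feed it yesterday's Logwatch output.
    for cmd in csf_commands(scanners(parse_report(SAMPLE))):
        print(cmd)
```

The threshold keeps a single blocked connection to one port (a stray client, not a scan) from earning a ban, which is the false-positive case the thread's "few knocks" wording implies.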