Articles‎ > ‎Homemade Software‎ > ‎

Block scripted hacking

Problem: When I look through my logs, I see lots of apparent scripting hacking attempts
Situation: I have a pretty good firewall and work to practice secure computing, but it still irritates me to see all the attempts and I worry that what I don't see will be the effective next step that I didn't prepare for
Solution: I run a couple tools that block potential hackers when the attempts start happening.

First, I use a good firewall. That's pretty essential, but I do want a few services exposed to the Internet and those include web pages and ssh access. I keep my software up to date, try to ensure that what I do myself is carefully designed to prevent hacking and use good passwords. Just to add an extra level of security, I don't even allow root to log in remotely via ssh. I try to avoid running anything with a strong potential security risk like phpmyadmin.

As a result, when my logs show attempts to access my website at /phpmyadmin or such, or they show repeated attempts to log into ssh with invalid usernames, I know I'm seeing a hacking attempt and the odds are that it wouldn't get in anyway.

Yet it annoys me.

I added some software called "fail2ban" which keeps an eye on attempted logins and temporarily bans any IP addresses that make a nuisance of themselves. Since I started using it, I saw hacking attempts drop from thousands do a couple dozen tries.

Still it annoys me.

I could probably customize fail2ban further and get rid of even more annoyances, but at this point, I decided to do my own custom solution so that it would do exactly what want for my system in exactly the way I like.

Toward that end, I created a script that runs all the time I called scan_for_evil_ip.bash which looks for things in my webserver log that are indicators of an attempt to access something might be exploitable. I don't care that I'm not exploitable in that way, I do care that I see it all the time in my logs and I do care that I might miss something that they would later find.

The script scan_for_evil_ip.bash has a list of entries I store in a text file called bad_words which it looks for in my webserver logs. If it finds somebody trying to access one of those entries, it adds them to a permanent ban list file and blocks them if they weren't already blocked.

I also run a script I call scan_ssh_for_brutes.bash which examines the ssh logs. I haven't trusted it to run all the time yet, but probably soon will. It has a couple IPs that I know should never be blocked but if it finds any other attempts to use names to login which don't exist on my system, then it blocks that IP and adds the IP to the permanent ban list file.


Disclaimer:
The software, examples and descriptions are free to use to the best of my knowledge, but that doesn't mean you really can or should. Any attempt to use any of these examples is done at your own risk and you accept that risk as being yours alone if you should try. As much as I try to make my examples safe to use, they might still cause serious problems and you acknowledge and accept all such risk with no expectation that I'll fix anything if something goes wrong, no matter how horribly. If it turns out that you didn't have the right to do it, or I didn't have the rights to offer it or something else goes wrong, you acknowledge that is your problem and not mine and agree not to hold me responsible.
ċ
scan_for_evil_ip.bash.txt
(1k)
Boyce Crownover,
Mar 7, 2012, 8:09 PM
ċ
scan_ssh_for_brutes.bash.txt
(1k)
Boyce Crownover,
Mar 7, 2012, 8:09 PM
Comments