simple prevent login attacks


    • simple prevent login attacks

      Hi all,

      In the last month, several freaks tried to hack my server. Not via SSH, but via the EasySCP GUI.

      Maybe there is a way to do this with fail2ban. My simple way now is sending an HTTP 404 header or bouncing them back to their origin if a known IP tries it too often.
      Normally these IPs come from Russia, Ukraine, Iran and so on, so for me it makes sense to block them totally.

      Source Code

      $callingip = $_SERVER['REMOTE_ADDR'];
      $blockedip = array('5.188.62.25'); // enter here all IPs you want to block
      if (in_array($callingip, $blockedip, true)) {
          // If you wish to get a notice: the fourth argument of mail() takes
          // additional headers, so the sender address belongs in a "From:" header
          mail('enter@youremail.here', 'your subject', $callingip, 'From: sender@youremail.com');
          // you can send back: file not found
          // header($_SERVER["SERVER_PROTOCOL"]." 404 Not Found");
          // or
          // bounce the request to the blocked ip itself ;-)
          header("Location: http://".$callingip);
          exit;
      }
      I've placed this little bit of code in the file directly after the main comment:

      [/var/www/]easyscp/gui/htdocs/index.php

      If I get more attacks, I think I'll write an automatism to fill the blocked IP list.

      Maybe this is helpful for others.

      Greets, Kuerbis42
    • The best way is really to use Fail2Ban for it. And yes, I see this 5.188.xx.xx IP too, which probes to log in using "adminu" as user. Over the last years I activated a lot of rules in my Fail2Ban (found all over the internet), so that almost all attackers are blocked (dovecot, postfix, apache incl. php errors, 403, 404, etc.), but EasySCP requires a new rule, which must be written separately for it.
      I can post it here, if I have it ready. But give me please 2-3 weeks for it.
      Kind regards

      August
    • As promised, I post my solution for fail2ban here.
      The main challenge: fail2ban works with real log files, whereas EasySCP logs into the database and sends mails. Therefore a little modification of EasySCP is required for parallel logging into a log file:

      PHP Source Code: include/admin-functions.php

      DB::prepare($sql_query);
      DB::execute($sql_param)->closeCursor();
      // log to file using file_put_contents (one line per event, date first, HTML stripped)
      $filelog_msg = date("Y-m-d H:i:s ").strip_tags(str_replace('<br />', " ", $msg)).PHP_EOL;
      file_put_contents($_SERVER['DOCUMENT_ROOT'].'/../customlog/easyscp_custom.log', $filelog_msg, FILE_APPEND|LOCK_EX);
      $msg = strip_tags(str_replace('<br />', "\n", $msg));
      // now send email if DEFAULT_ADMIN_ADDRESS != ''
      if(EasyConfig::$cfg->{'DEFAULT_ADMIN_ADDRESS'} != '' && $level <= $cfg->LOG_LEVEL) {
          global $default_hostname, $default_base_server_ip, $Version, $BuildDate,
              $admin_login;
          // ... (rest of the original mail-sending block, unchanged)
      }


      The logging directory and file name are fixed in my solution, but it is conceivable to change that later and control these parameters via the EasySCP config file.
      This PHP file and some further files can be found in the attached zip archive. But a lot of handwork is necessary for file logging to work correctly. Please run the following shell commands as root (or use su before):

      Shell-Script

      mkdir /var/www/easyscp/gui/customlog
      chown vu2000:vu2000 /var/www/easyscp/gui/customlog
      ln -s /var/www/easyscp/gui/customlog /var/log/easyscp/customlog

      The symlink from /var/log/... to /var/www/... is a matter of taste, but I like logs under /var/log, and PHP cannot write directly to /var/log (security reasons). All my fail2ban and logrotate adaptations work with /var/log, but not with /var/www!
      In the attached zip file you also find the template for your jail.local of fail2ban. The jail file contains only this one rule for EasySCP custom logging; you should append it to your jail.local. The filter file can be copied completely to filter.d. Furthermore you also find an additional logrotate rule for the new log file.
      For your tests a small log with a real "adminu" attack is also in the zip file. You can test the fail2ban-regex for example using:

      Shell-Script

      fail2ban-regex -v /var/log/easyscp/customlog/easyscp_custom.log easyscp-customlog
      Running tests
      =============
      Use failregex filter file : easyscp-customlog, basedir: /etc/fail2ban
      Use datepattern : Year-Month-Day 24hour:Minute:Second
      Use log file : /var/log/easyscp/customlog/easyscp_custom.log
      Use encoding : UTF-8
      Results
      =======
      Failregex: 2 total
      |- #) [# of hits] regular expression
      | 1) [2] Login error, .* User IP: <HOST>$
      | 5.188.62.214 Tue Nov 10 21:01:29 2020
      | 5.188.62.214 Tue Nov 10 21:03:29 2020
      `-
      Ignoreregex: 13 total
      |- #) [# of hits] regular expression
      | 1) [12] changes into .* User IP: <HOST>$
      | 2) [1] logged in. User IP: <HOST>$
      `-
      Date template hits:
      |- [# of hits] date format
      | [15] Year-Month-Day 24hour:Minute:Second
      `-
      Lines: 15 lines, 13 ignored, 2 matched, 0 missed
      [processed in 0.00 sec]
      |- Ignored line(s):
      | 2020-11-10 01:10:55 admin changes into domain1.de's interface User IP: 4.33.11.222
      | 2020-11-10 01:23:11 admin changes into domain2.de's interface User IP: 4.33.11.222
      | 2020-11-10 20:57:55 admin changes into domain3.de's interface User IP: 4.33.22.111
      | 2020-11-10 20:58:41 domain3.de changes into admin's interface User IP: 4.33.22.111
      | 2020-11-10 20:59:38 admin changes into domain4.de's interface User IP: 4.33.22.111
      | 2020-11-10 21:00:29 domain4.de changes into admin's interface User IP: 4.33.22.111
      | 2020-11-10 21:02:29 domain4.de changes into admin's interface User IP: 4.33.22.111
      | 2020-11-10 21:04:29 domain4.de changes into admin's interface User IP: 4.33.22.111
      | 2020-11-10 21:41:21 admin changes into domain3.de's interface User IP: 4.33.22.111
      | 2020-11-10 21:49:51 domain3.de changes into admin's interface User IP: 4.33.22.111
      | 2020-11-10 22:24:19 admin changes into domain5.de's interface User IP: 4.33.22.111
      | 2020-11-10 22:24:21 domain5.de changes into admin's interface User IP: 4.33.22.111
      | 2020-11-10 22:24:28 admin logged in. User IP: 4.33.22.111
      `-

      This solution should work in general and is already running on my Debian 10 server. But I do not have long-term experience with it and cannot exclude possible bugs. You can use it "as is" and report here.
      Kind regards

      August


    • Yes, I corrected it now in my post above.

      And I can report successful protection against "adminu" from 5.188.62.xxx:

      Source Code

      iptables -L -n
      ...
      ...
      Chain f2b-easyscp-customlog (1 references)
      target prot opt source destination
      REJECT all -- 5.188.62.214 0.0.0.0/0 reject-with icmp-port-unreachable
      REJECT all -- 5.188.62.140 0.0.0.0/0 reject-with icmp-port-unreachable
      RETURN all -- 0.0.0.0/0 0.0.0.0/0
      ...
      ...
      Kind regards

      August