Full Version: Hacker lockout script
The Planet Forums > Security > General Security
Kelly K
Our server is RHEL4 running LAMP/osCommerce. I was noticing in our logs that we are constantly under attack from what looks like hackers (primarily from outside the US) trying to break in via the ftp, ssh, mysql and telnet ports and the WHM/CP web interface.

I decided I should write a script to immediately (as fast as possible) drop packets for any IP address outside the US (for starters) that tries to access any of the ports for those services mentioned above. I don't see any reason any IP address, especially outside the US, and most in the US, would have a legitimate reason to hit those ports.

I am looking for suggestions on the best way to go about this. We already use a nonstandard ssh port and limit mysql/telnet/sftp to localhost and ssh-tunnel in to access those. Most other ports are locked down except http (80, 443)/smtp/imap/pop/named. We have to keep ftp (the insecure port 22 variety) on for reasons I won't go into now.

So, I wrote a script that runs tcpdump with a filter to log any IPs (except my IP and HackerSafe's) that attempt access to the ports no one should be accessing. Almost all (99%) of it is from outside the US. I can see the dictionary attacks for the ftp hits, and sequencing through our server's IP range for the other ports.

Questions:

1. Would it make sense to use the script mentioned above as the input to a script that adds those IP addresses to be blocked by adding them to iptables? If so, any ideas on the approach or where I could find an example of this? I don't think I need to keep all those blocked ports in the list very long, just long enough so they can't keep scanning, maybe 24 hrs. Also, even though ssh/mysql, etc. are localhost only, I still want to drop packets for those IPs before they start scanning ftp and email ports to do damage. Does what I am proposing make sense, and is it a reasonable approach?

2. To secure those WHM/CP web ports, accessible only to localhost (and ssh tunnels to localhost), I believe this could be done with iptables filters. Is that a reasonable approach, or is there something better via cPanel?

Thanks in advance for any advice.

Kelly
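Kelly's question 1 asks for a script that turns the tcpdump log into temporary iptables drops. The following is an added example written for this thread, not code from any poster: it parses `tcpdump -n` SYN lines for the watched ports, skips an allowlist, and produces the iptables add/delete commands with a 24-hour expiry. The addresses, ports and allowlist are constructed placeholders, and the tcpdump line format shown in the comment is an assumption.

```python
import re
import time

# Never block these (your own IP, the HackerSafe scanner); constructed placeholders.
ALLOWLIST = {"203.0.113.10", "203.0.113.11"}
# Ports nobody outside localhost should touch: ftp, ssh (or your nonstandard port),
# telnet, mysql and the WHM/cPanel web ports.
WATCHED_PORTS = {21, 22, 23, 3306, 2082, 2083, 2086, 2087}
BLOCK_TTL = 24 * 3600  # seconds an address stays blocked

# Inbound SYN in `tcpdump -n` output: "... IP src.sport > dst.dport: Flags [S], ...".
# Replies carry "Flags [S.]" and deliberately do not match.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")

def parse_offenders(lines):
    """Return the set of source IPs that sent a SYN to a watched port."""
    offenders = set()
    for line in lines:
        m = LINE_RE.search(line)
        if m and int(m.group(4)) in WATCHED_PORTS and m.group(1) not in ALLOWLIST:
            offenders.add(m.group(1))
    return offenders

def update_blocklist(blocklist, offenders, now):
    """Expire entries older than BLOCK_TTL, add new offenders, return iptables commands.
    blocklist maps ip -> time first blocked; it is updated in place, so persist it."""
    cmds = []
    for ip, since in list(blocklist.items()):
        if now - since >= BLOCK_TTL:
            del blocklist[ip]
            cmds.append(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"])
    for ip in sorted(offenders - set(blocklist)):
        blocklist[ip] = now
        cmds.append(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])
    return cmds

# Constructed sample of tcpdump output; in production read `tcpdump -n -l ...` from stdin.
SAMPLE = [
    "12:00:01.000001 IP 198.51.100.7.51234 > 203.0.113.5.21: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000002 IP 203.0.113.5.21 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, length 0",
    "12:00:01.000003 IP 203.0.113.10.40000 > 203.0.113.5.22: Flags [S], seq 3, win 64240, length 0",
    "12:00:01.000004 IP 192.0.2.44.33000 > 203.0.113.5.3306: Flags [S], seq 4, win 64240, length 0",
    "12:00:01.000005 IP 192.0.2.50.33001 > 203.0.113.5.80: Flags [S], seq 5, win 64240, length 0",
]

if __name__ == "__main__":
    # Dry run: print the rules. Replace print with subprocess.run(cmd, check=True) to apply them.
    for cmd in update_blocklist({}, parse_offenders(SAMPLE), time.time()):
        print(" ".join(cmd))
```

Because a rule is added on the strength of a single unauthenticated SYN, a spoofed source address can get an innocent host blocked, so keep the allowlist current and use a dedicated chain rather than INPUT so the automatic rules can be flushed independently of your hand-written ones.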
ChuFuong
I don't think a script would be all that successful in properly preventing that; you'd probably be better off with a hardware firewall with custom firmware to stop it.
eth00
Did you consider portsentry?

If you have a static IP you can limit ports by that. If not, you could always set up a VPS.
dynamicnet
Greetings Kelly:

We recommend APF with BFD from http://www.rfxn.com/

Thank you.
Kelly K
QUOTE (dynamicnet @ Sep 29 2009, 05:23 PM)
Greetings Kelly:

We recommend APF with BFD from http://www.rfxn.com/

Thank you.

Thanks for the reply and tip. BFD looks like the exact solution I am after!