NSLU2-Linux

HowTo.SetupIPBlockingOnVSFTPD History


June 11, 2008, at 02:49 PM by SDM485 --
Changed lines 70-77 from:

Please edit this as needed. It is just a start.

to:
June 11, 2008, at 02:49 PM by SDM485 --
Changed lines 58-59 from:

So, paste the text above into a text file in /etc named 'banip.prl' and chmod it so it is executable 'chmod 777 /etc/banip.prl'. You should be able to run it and see if perl and iptables are installed and in the expected places.

to:

So, paste the text above into a text file in /etc named 'banip.prl' and chmod it so it is executable 'chmod 777 /etc/banip.prl'. You should be able to run it and see if perl and iptables are installed and in the expected places. Be prepared to fix up the formatting so it looks like above and make sure that there are no leading blank lines.

June 11, 2008, at 02:47 PM by SDM485 --
Deleted lines 63-64:

I had a pretty small vsftpd.log file (I had deleted the previous one) so I am not sure if the script can deal with a huge one but I bet it can.

June 11, 2008, at 02:46 PM by SDM485 --
Changed lines 62-63 from:

I did a 'touch /var/banned.log' to make sure that the file actually existed. The file must exist for the routine to work properly. It will indicate the error.

to:

I did a 'touch /var/log/banned.log' to make sure that the file actually existed. The file must exist for the routine to work properly. It will indicate the error.

June 11, 2008, at 02:45 PM by SDM485 --
Changed lines 60-61 from:

Now, if things are ok so far, add an entry to crontab so that it runs every 2 minutes 'crontab -e' and the entry looks like '2 * * * * /etc/banip.prl'. Note that crontab launches 'vi' for a text editor so use 'i' to insert text, press ESC when you are done inserting text and enter ':w" to write it and ':q: to exit.

to:

Now, if things are ok so far, add an entry to crontab so that it runs every 2 minutes 'crontab -e' and the entry looks like '2 * * * * /etc/banip.prl'. Note that crontab launches 'vi' for a text editor so use 'i' to insert text, press ESC when you are done inserting text and enter ':w" to write it and ':q' to exit.

June 11, 2008, at 02:44 PM by SDM485 --
Changed lines 7-8 from:

To do this, you need perl, iptables and cron. So use ipkg the install them. Make sure that the iptables kernel modules are inserted. Run 'depmod -a' to update the module dependency lists and then run 'modprobe iptable_filter' which should also insert ip_tables. Run 'lsmod' to make sure they show up.

to:

To do this, you need perl, iptables and cron. So use ipkg to install them. Make sure that the iptables kernel modules are inserted. Run 'depmod -a' to update the module dependency lists and then run 'modprobe iptable_filter' which should also insert ip_tables. Run 'lsmod' to make sure they show up.

June 11, 2008, at 02:43 PM by SDM485 --
Changed lines 3-10 from:

This is based upon a perl script originally written by 'destuxor' at:

http://forums.gentoo.org/viewtopic-p-3282899.html

and edited by 'TauRush' in the same forum. The script runs periodically via cron and examines the vsftpd.log file for multiple failed login attempts. It then tells iptables to block the IP address and logs it to banned.log.

My poor slug gets pounded on constantly by 'script kiddies' and the log files get very large and the whole thing is a bit offensive...:) So to defend poor 'Linky', I have finally installed a system to block those IPs.

to:

My poor slug gets pounded on constantly by 'script kiddies' and the log files get very large and the whole thing is a bit offensive...:) So to defend poor 'Linky', I have finally installed this system to block those IPs.

This is based upon a perl script originally written by 'destuxor' at: http://forums.gentoo.org/viewtopic-p-3282899.html and edited by 'TauRush' in the same forum. The script runs periodically via cron and examines the vsftpd.log file for multiple failed login attempts. It then tells iptables to block the IP address and logs it to banned.log.

June 11, 2008, at 02:41 PM by SDM485 -- added depmod -a
Changed lines 11-12 from:

To do this, you need perl, iptables and cron. So use ipkg the install them. Make sure that the iptables kernel modules are inserted. I had to use 'insmod' because I haven't figured out how to get 'modprobe' to see them and do it automagically. Here is the perl script:

to:

To do this, you need perl, iptables and cron. So use ipkg the install them. Make sure that the iptables kernel modules are inserted. Run 'depmod -a' to update the module dependency lists and then run 'modprobe iptable_filter' which should also insert ip_tables. Run 'lsmod' to make sure they show up.

Changed lines 66-67 from:

I did a 'touch /var/banned.log' to make sure that the file actually existed; not sure if it is needed.

to:

I did a 'touch /var/banned.log' to make sure that the file actually existed. The file must exist for the routine to work properly. It will indicate the error.

Changed lines 70-73 from:

Now, if everything is working and the iptables kernel modules are actually inserted, the vsftpd.log table will be examined every 2 minutes and any IP addresses that failed more than 5 times will be banned and reported in the banned.log and your faithful slug will get some rest.

Note that this is how it worked out for Openslug-2.7-beta and the locations may be a bit different so just run the script and fix the errors, if any. You can watch the contents on banned.log and vsftpd.log to see if it is working.

to:

Now, if everything is working and the iptables kernel modules are actually inserted, the vsftpd.log table will be examined every 2 minutes and any IP addresses that fail more than 5 times will be banned and reported in the banned.log and your faithful slug will get some rest.

Note that this is how it worked out for Openslug-2.7-beta and the locations may be a bit different so just run the script and fix the errors, if any. Also, remember that the /etc directory is not in the PATH so you will have to use the full path and name to run the script from there. You could put it in usr/local/bin and avoid that problem. You can watch the contents on banned.log and vsftpd.log to see if it is working.

June 11, 2008, at 04:43 AM by SDM485 --
Added lines 74-75:

Many thanks to the people who have developed the script.

June 11, 2008, at 04:42 AM by SDM485 --
Changed lines 9-10 from:

My poor slug gets pounded on constantly by 'script kiddies' and the log files get very large and the whole thing is a bit offensive...:) So to defend the poor thing, I have finally installed a system to block those IPs that assault poor 'Linky'.

to:

My poor slug gets pounded on constantly by 'script kiddies' and the log files get very large and the whole thing is a bit offensive...:) So to defend poor 'Linky', I have finally installed a system to block those IPs.

Changed lines 62-63 from:

So, paste the text above into a text file named 'banip.prl' and chmod it so it is executable 'chmod 777 /etc/banip.prl'. You should be able to run it and see if perl and iptables are installed and in the expected places.

to:

So, paste the text above into a text file in /etc named 'banip.prl' and chmod it so it is executable 'chmod 777 /etc/banip.prl'. You should be able to run it and see if perl and iptables are installed and in the expected places.

Changed lines 66-67 from:

I did a 'touch /var/banned.log' to make sure that file actually existed. Not sure if it is needed.

to:

I did a 'touch /var/banned.log' to make sure that the file actually existed; not sure if it is needed.

Changed lines 72-73 from:

Note that this is how it worked out for Openslug-2.7-beta and the locations may be a bit different so just run the script and fix the errors, if any.

to:

Note that this is how it worked out for Openslug-2.7-beta and the locations may be a bit different so just run the script and fix the errors, if any. You can watch the contents on banned.log and vsftpd.log to see if it is working.

June 11, 2008, at 04:38 AM by SDM485 --
Changed lines 62-63 from:

So, paste the text above into a text file and chmod it so it is executable 'chmod 777 filename_you_choose'. You should be able to run it and see if perl and iptables are installed and in the expected places.

to:

So, paste the text above into a text file named 'banip.prl' and chmod it so it is executable 'chmod 777 /etc/banip.prl'. You should be able to run it and see if perl and iptables are installed and in the expected places.

Changed lines 72-79 from:

Please edit this as needed. It is just a start

to:

Note that this is how it worked out for Openslug-2.7-beta and the locations may be a bit different so just run the script and fix the errors, if any.

Please edit this as needed. It is just a start.

June 11, 2008, at 04:32 AM by SDM485 --
Deleted lines 61-62:
 I put it in the /etc directory and named it 'banip.prl' but call it whatever you wish and put it somewhere else if you wish.
June 11, 2008, at 04:31 AM by SDM485 --
June 11, 2008, at 04:30 AM by SDM485 --
Changed lines 11-12 from:

To do this, you need perl, iptables and cron. So use ipkg the install them. Make sure that the iptables kernel modules are inserted. I had to use 'insmod' because I haven't figured out how to get 'modprobe' to see them and do it automagically. Here is the perl script. I put it in the /etc directory and named it 'banip.prl' but call it whatever you wish and put it somewhere else if you wish.

to:

To do this, you need perl, iptables and cron. So use ipkg the install them. Make sure that the iptables kernel modules are inserted. I had to use 'insmod' because I haven't figured out how to get 'modprobe' to see them and do it automagically. Here is the perl script:

Added lines 62-63:
 I put it in the /etc directory and named it 'banip.prl' but call it whatever you wish and put it somewhere else if you wish.
June 11, 2008, at 04:29 AM by SDM485 --
Changed lines 13-17 from:

@

  1. !/usr/bin/perl -w
  2. destuxor (wjholden@gmail.com) - 4/26/2006
to:

[@

  1. !/usr/bin/perl -w
  2. destuxor (wjholden@gmail.com) - 4/26/2006
Deleted line 16:
Deleted line 17:
Deleted line 19:
Deleted line 20:
Changed lines 60-61 from:

@

to:

@]

June 11, 2008, at 04:28 AM by SDM485 --
Changed line 13 from:

[=

to:

@

Changed lines 66-68 from:

=]

to:

@

June 11, 2008, at 04:27 AM by SDM485 --
Changed lines 14-18 from:
  1. !/usr/bin/perl -w \\
  2. destuxor (wjholden@gmail.com) - 4/26/2006\\
  3. TauRush? (snakesandarrows@gmail.com) - 3/17/2007\\
  4. A simple script to go through a VSFTPD log and block people who have\\
  5. unsuccessfully attempted to log in.\\
to:
  1. !/usr/bin/perl -w
  2. destuxor (wjholden@gmail.com) - 4/26/2006
  3. TauRush? (snakesandarrows@gmail.com) - 3/17/2007
  4. A simple script to go through a VSFTPD log and block people who have
  5. unsuccessfully attempted to log in.
Changed lines 24-26 from:
  1. configuration options:\\
to:
  1. configuration options:
June 11, 2008, at 04:26 AM by SDM485 --
Changed lines 14-18 from:
  1. !/usr/bin/perl -w
  2. destuxor (wjholden@gmail.com) - 4/26/2006
  3. TauRush? (snakesandarrows@gmail.com) - 3/17/2007
  4. A simple script to go through a VSFTPD log and block people who have
  5. unsuccessfully attempted to log in.
to:
  1. !/usr/bin/perl -w \\
  2. destuxor (wjholden@gmail.com) - 4/26/2006\\
  3. TauRush? (snakesandarrows@gmail.com) - 3/17/2007\\
  4. A simple script to go through a VSFTPD log and block people who have\\
  5. unsuccessfully attempted to log in.\\
Changed line 20 from:
  1. configuration options:
to:
  1. configuration options:\\
June 11, 2008, at 04:25 AM by SDM485 --
Changed line 12 from:

<<<<<<<

to:
Deleted lines 13-16:

======= =

>>>>>>>

Changed line 60 from:

<<<<<<<

to:
Changed lines 62-65 from:

======= = >>>>>>>

to:
June 11, 2008, at 04:24 AM by SDM485 --
Added lines 12-14:

<<<<<<< [= =======

Added line 17:

>>>>>>>

Added lines 64-66:

<<<<<<< =] =======

Changed lines 68-69 from:
to:

>>>>>>>

June 11, 2008, at 04:23 AM by SDM485 --
Changed lines 12-13 from:
to:

=

Changed lines 60-61 from:
to:

=

June 11, 2008, at 04:16 AM by SDM485 -- The details of setting it up.
Added lines 1-77:

How To Setup Automatic Blocking of IPs Pounding on VSFTPD

This is based upon a perl script originally written by 'destuxor' at:

http://forums.gentoo.org/viewtopic-p-3282899.html

and edited by 'TauRush' in the same forum. The script runs periodically via cron and examines the vsftpd.log file for multiple failed login attempts. It then tells iptables to block the IP address and logs it to banned.log.

My poor slug gets pounded on constantly by 'script kiddies' and the log files get very large and the whole thing is a bit offensive...:) So to defend the poor thing, I have finally installed a system to block those IPs that assault poor 'Linky'.

To do this, you need perl, iptables and cron. So use ipkg the install them. Make sure that the iptables kernel modules are inserted. I had to use 'insmod' because I haven't figured out how to get 'modprobe' to see them and do it automagically. Here is the perl script. I put it in the /etc directory and named it 'banip.prl' but call it whatever you wish and put it somewhere else if you wish.

[@
#!/usr/bin/perl -w
# destuxor (wjholden@gmail.com) - 4/26/2006
# TauRush (snakesandarrows@gmail.com) - 3/17/2007
# A simple script to go through a VSFTPD log and block people who have
# unsuccessfully attempted to log in.
# configuration options:
$logfilename = '/var/log/vsftpd.log'; # location of your logfile.
$allow_exceptions = 1; # if you wish to specify a file to put exceptions into,
                       # say 1 here, otherwise put 0.
$exception_file = '/var/log/banned.log'; # if you said 1 above, put your filename here.
$max_failures = 5; # maximum number of failures someone can have before
                   # getting blocked.
# end of configuration options

# count the 'FAIL LOGIN' lines per client address; each output line is "<count> <ip>"
$command = 'grep \'FAIL LOGIN\' '.$logfilename.' | sed -r \'s/^.{0,}Client .//\' | sed -r \'s/\"//\' | uniq -c';
@connected_ips = `$command`;

# the exception file is banned.log itself, so addresses already blocked are skipped
undef %noblock;
if ($allow_exceptions == 1) {
  open (FH, $exception_file) or die "$!\n";
  @exceptions = <FH>;
  close (FH);
}

foreach $ip (@exceptions) {
  # Added by TauRush to chop LF character
  chop ($ip);
  $noblock{"$ip"} = 1;
}

foreach $host (@connected_ips) {
  @info = split(/\s+/, $host);   # leading blanks from uniq -c: $info[1] = count, $info[2] = ip
  if (($info[1] > $max_failures) and !$noblock{$info[2]}) {
      system("/usr/sbin/iptables -I INPUT 1 -s $info[2] -j DROP");
      # 3 lines added by TauRush to create banned.log file
      open FILE,">>$exception_file" or die "Unable to open file!\n";
      print FILE "$info[2]\n";
      close FILE;
  }
}
@]

So, paste the text above into a text file and chmod it so it is executable 'chmod 777 filename_you_choose'. You should be able to run it and see if perl and iptables are installed and in the expected places.

Now, if things are ok so far, add an entry to crontab so that it runs every 2 minutes 'crontab -e' and the entry looks like '2 * * * * /etc/banip.prl'. Note that crontab launches 'vi' for a text editor so use 'i' to insert text, press ESC when you are done inserting text and enter ':w" to write it and ':q: to exit.

I did a 'touch /var/banned.log' to make sure that file actually existed. Not sure if it is needed.

I had a pretty small vsftpd.log file (I had deleted the previous one) so I am not sure if the script can deal with a huge one but I bet it can.

Now, if everything is working and the iptables kernel modules are actually inserted, the vsftpd.log table will be examined every 2 minutes and any IP addresses that failed more than 5 times will be banned and reported in the banned.log and your faithful slug will get some rest.
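As an added illustration (not the page's or the forum script's own code), this Python reimplements the banning policy above on a constructed vsftpd.log excerpt: it counts FAIL LOGIN lines per client, skips addresses already written to banned.log, and returns the iptables rules as text rather than running them. It also shows a caveat in the script's pipeline: `uniq -c` only merges adjacent lines, so a client whose failures are interleaved with other traffic is split into several smaller counts and can stay under the threshold unless the output is sorted first (`sort | uniq -c`). The function names and log lines are mine.

```python
import re
from collections import Counter
# vsftpd logs a failed login as: <date> [pid N] [user] FAIL LOGIN: Client "a.b.c.d"
FAIL_RE = re.compile(r'FAIL LOGIN: Client "([^"]+)"')

# Constructed vsftpd.log excerpt: 192.0.2.10 fails 6 times but interleaved with other
# clients; 203.0.113.5 fails 7 times and is already listed in banned.log.
SAMPLE_LOG = (
    [
        'Wed Jun 11 02:40:00 2008 [pid 2000] [ftp] CONNECT: Client "192.0.2.10"',
        'Wed Jun 11 02:40:01 2008 [pid 2000] [admin] FAIL LOGIN: Client "192.0.2.10"',
        'Wed Jun 11 02:40:02 2008 [pid 2001] [admin] FAIL LOGIN: Client "198.51.100.7"',
        'Wed Jun 11 02:40:03 2008 [pid 2000] [root] FAIL LOGIN: Client "192.0.2.10"',
        'Wed Jun 11 02:40:05 2008 [pid 2002] [steve] OK LOGIN: Client "198.51.100.7"',
    ]
    + [f'Wed Jun 11 02:41:{i:02d} 2008 [pid 2003] [test] FAIL LOGIN: Client "192.0.2.10"' for i in range(4)]
    + [f'Wed Jun 11 02:42:{i:02d} 2008 [pid 2004] [test] FAIL LOGIN: Client "203.0.113.5"' for i in range(7)]
)
ALREADY_BANNED = ["203.0.113.5\n"]  # constructed /var/log/banned.log contents, one IP per line

def uniq_c_counts(log_lines):
    """Mimic the script's grep | sed | uniq -c: uniq merges only adjacent repeats."""
    runs = []
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m and runs and runs[-1][1] == m.group(1):
            runs[-1][0] += 1
        elif m:
            runs.append([1, m.group(1)])
    return [(n, ip) for n, ip in runs]

def count_failures(log_lines):
    """Total FAIL LOGIN entries per client IP over the whole log, order-independent."""
    counts = Counter()
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def ips_to_ban(log_lines, banned_lines, max_failures=5):
    """The script's policy: more than max_failures failures and not yet in banned.log."""
    skip = {ip.strip() for ip in banned_lines if ip.strip()}
    return sorted(ip for ip, n in count_failures(log_lines).items()
                  if n > max_failures and ip not in skip)

def iptables_commands(ips):
    """The rule the script runs per banned IP, returned as text (dry run), not executed."""
    return [f"/usr/sbin/iptables -I INPUT 1 -s {ip} -j DROP" for ip in ips]
```

With this sample, the adjacency-based count never sees more than 5 failures for 192.0.2.10, while the whole-log count finds 6 and bans it.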

Please edit this as needed. It is just a start

Last edited by SDM485.
Originally by SDM485.
Page last modified on June 11, 2008, at 02:49 PM