Posted: Fri May 28, 2010 10:40 Post subject: nohack script
Because I got a bit fed up of all those bots and hackers I created this script.
You need to have OTRW (I didn't invent this acronym) installed and have asiablock and pound active.
At startup it will put itself in /tmp/cron.d as a 20-minute cronjob. It will then inspect the last 20 full minutes of /var/log/messages for pound entries. If it finds an entry with a keyword which is in the file /opt/etc/hackers the IP is extracted and will be added to /opt/etc/asia.spam.
This /opt/etc/asia.spam is already handled by "asiablock". You may need to start asiablock.
Only after I finished and tested this script I realized I'm not blocking my webserver with asiablock....
I think I'm gonna create a chinablock for my web...
edit: changed OTR to OTRW (hahahaha) _________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
I want to post my rc_firewall to illustrate the use of this little tool. I'm using several services on my poor little consumer DSL line and I'm getting hammered as hell by a lot of Internet villains. I own 2 domains and the one less familiar to you is getting spammed and the other one is a prey for hackers who want to get into my webserver. Then there's a bunch of villains who want to use my Asterisk server to make free calls and harass companies.
INPUT
SIP = UDP 5060 handled on router (asterisk)
HTTP = TCP 80 which is translated to 8080 on router (pound)
HTTPS = 443,446 which is transtlated to 4443,4446 on router (pound)
FORWARD
SMTP = TCP 25 which is being translated to port 225 on my Ubuntu running ASSP (Anti Spam Proxy)
FTP = TCP 20,21 and several other ports, translated to several FTP-servers
SSH = undisclosed TCP ports.... translated to TCP 22
I have 3 blocklists.
asiablock = blocking South-East Asis
chinablock = blocking China
worldblock = blocking everyone but the Netherlands.
SIP, FTP and SSH will only be accessible from the Netherlands
SMTP is blocked for South East Asia
HTTP and HTTPS is blocked for China and some IP's that are trying to hack it.
IP's that are found with S98stophack are added to both /opt/etc/asia.spam and /opt/etc/china.spam
They will get blocked and are not able to access those protected services.
# service stophack
stophack is active
"stophack" has found new IP's, you should restart asiablock
When stophack has found IP's after the asiablock has built its blockfile you will get this message. A restart of asiablock or router will block these new IP's. _________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
Joined: 24 Feb 2009 Posts: 2026 Location: Sol System > Earth > USA > Arkansas
Posted: Fri May 28, 2010 17:12 Post subject: Re: nohack script
frater wrote:
Because I got a bit fed up of all those bots and hackers I created this script.
You need to have OTR (I didn't invent this acronym) installed and have asiablock and pound active.
I think you forgot a 'W' > "Optware The Right Way" should be OTRW. But I digress ... What is the intent of this new script? Other than to detect "bots" and "hackers", what (or how) does it do to stop those people from causing problems? _________________ E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]
Try Dropbox for syncing files - get 2.5gb online for free by signing up.
Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
I'm seeing distressing things in several of my logs (apache and lighttpd). I'm also running several other webservers that don't even have logs.
All webtraffic is passing pound and that service is writing messages to my /var/log/messages. I'm using that output to detect hackers and bots. It uses keywords like '+http', 'robots.txt', 'crawler' and 'wordpress'. These keywords are in a file /opt/etc/hackers.
It runs every 20 minutes and then checks the last 20 minutes of /var/log/messages for pound messages. If it encounters a line with that keyword it will extract the IP and add it /opt/etc/asia.spam and /opt/etc/china.spam. That file is already used by my asiablock to manually add some subnets.
BTW.. there's an /opt/etc/asia.ham as well where you can whitelist subnets.
If you have more questions please ask them. _________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
Joined: 24 Feb 2009 Posts: 2026 Location: Sol System > Earth > USA > Arkansas
Posted: Fri May 28, 2010 20:26 Post subject:
frater wrote:
All webtraffic is passing pound and that service is writing messages to my /var/log/messages. I'm using that output to detect hackers and bots. It uses keywords like '+http', 'robots.txt', 'crawler' and 'wordpress'. These keywords are in a file /opt/etc/hackers.
This is more specifically what I am interested in. I have an 'idea' of what pound does, I am just curious as to what the script looks for. Mainly because I possibly interested in a port over to a "normal" linux box I have that runs apache. I essentially would like better ways to "lock" it down, and at least *try* to thwart those would be hackers from even reaching the web server. _________________ E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]
Try Dropbox for syncing files - get 2.5gb online for free by signing up.
Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
This is more specifically what I am interested in. I have an 'idea' of what pound does, I am just curious as to what the script looks for. Mainly because I possibly interested in a port over to a "normal" linux box I have that runs apache. I essentially would like better ways to "lock" it down, and at least *try* to thwart those would be hackers from even reaching the web server.
It looks for URL's I'm not running on my domain. Hackers are interested in webshops, phpmyadmin and wordpress. I'm also looking for special headers.
Well, that's exactly what I'm doing now....
Pound is a great tool. I wish I could make it more accessible for the average user.
Here are the logentries my script made thus far:
cat /opt/var/log/messages | grep stophack | grep -v Start
Code:
May 28 14:57:40 WAN optware.info stophack: Added /opt/etc/init.d/S98stophack as cronjob
May 28 16:00:02 WAN optware.info stophack: May 28 15:54:42 WAN daemon.info pound: 66.249.66.10 GET /robots.txt HTTP/1.1 - HTTP/1.1 200 OK (wd.mirmana.com/wd.mirmana.com -> 192.168.10.210:80) 0.066 sec
May 28 16:00:02 WAN optware.info stophack: Add 66.249.66.10 to /opt/etc/asia.spam
May 28 16:00:02 WAN optware.info stophack: Add 66.249.66.10 to /opt/etc/china.spam
May 28 16:20:02 WAN optware.info stophack: May 28 16:19:28 WAN daemon.info pound: 66.249.68.237 GET /robots.txt HTTP/1.1 - HTTP/1.1 200 OK (wd.mirmana.com/wd.mirmana.com -> 192.168.10.210:80) 0.587 sec
May 28 16:20:02 WAN optware.info stophack: Add 66.249.68.237 to /opt/etc/asia.spam
May 28 16:20:02 WAN optware.info stophack: Add 66.249.68.237 to /opt/etc/china.spam
May 28 19:00:01 WAN optware.info stophack: May 28 18:55:09 WAN daemon.info pound: 67.218.116.162 GET /robots.txt HTTP/1.1 - HTTP/1.1 200 OK (www.hetemail.com/NoBots -> 192.168.10.5:80) 0.009 sec
May 28 19:00:01 WAN optware.info stophack: Add 67.218.116.162 to /opt/etc/asia.spam
May 28 19:00:01 WAN optware.info stophack: Add 67.218.116.162 to /opt/etc/china.spam
May 28 20:20:02 WAN optware.info stophack: May 28 20:07:04 WAN daemon.info pound: 93.158.145.28 GET /robots.txt HTTP/1.1 - HTTP/1.1 200 OK (wd.mirmana.com/wd.mirmana.com -> 192.168.10.210:80) 0.611 sec
May 28 20:20:02 WAN optware.info stophack: Add 93.158.145.28 to /opt/etc/asia.spam
May 28 20:20:02 WAN optware.info stophack: Add 93.158.145.28 to /opt/etc/china.spam
May 28 22:40:01 WAN optware.info stophack: May 28 22:25:30 WAN daemon.info pound: 119.63.198.28 GET /robots.txt HTTP/1.1 - HTTP/1.1 200 OK (wd.mirmana.com/wd.mirmana.com -> 192.168.10.210:80) 0.074 sec
May 28 22:40:01 WAN optware.info stophack: Add 119.63.198.28 to /opt/etc/asia.spam
May 28 22:40:01 WAN optware.info stophack: Add 119.63.198.28 to /opt/etc/china.spam
_________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
Posted: Sun Oct 03, 2010 14:01 Post subject: @frater - simultaneous logging to wallwatcher with stophack
hello frater, thanks for your stophack script, I'm finding it quite useful when running my own webserver inside my LAN.
I have question - is there any way to keep logging out of the router together with logging to /opt/var/log?
The thing is I would like see logs in my wallwatcher but your script is forcing logs to be written to /opt/var/log. Would it be possible to keep logging out of the router too?
