nohack script

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Author Message
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Fri May 28, 2010 10:40    Post subject: nohack script Reply with quote
Because I got a bit fed up of all those bots and hackers I created this script.

You need to have OTRW (I didn't invent this acronym) installed and have asiablock and pound active.

At startup it will put itself in /tmp/cron.d as a 20-minute cronjob. It will then inspect the last 20 full minutes of /var/log/messages for pound entries. If it finds an entry with a keyword which is in the file /opt/etc/hackers the IP is extracted and will be added to /opt/etc/asia.spam.

This /opt/etc/asia.spam is already handled by "asiablock". You may need to start asiablock.

Code:
[ -e /opt/etc/hackers ] || wget -qO /opt/etc/hackers http://wd.mirmana.com/hackers
wget -O /opt/etc/init.d/S98stophack        http://wd.mirmana.com/S98stophack
wget -O /opt/usr/sbin/lastmins http://wd.mirmana.com/lastmins


Only after I finished and tested this script I realized I'm not blocking my webserver with asiablock....
I think I'm gonna create a chinablock for my web...

edit: changed OTR to OTRW (hahahaha)

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)


Last edited by frater on Fri May 28, 2010 17:31; edited 3 times in total
Sponsor
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Fri May 28, 2010 16:41    Post subject: Reply with quote
I want to post my rc_firewall to illustrate the use of this little tool. I'm using several services on my poor little consumer DSL line and I'm getting hammered as hell by a lot of Internet villains. I own 2 domains and the one less familiar to you is getting spammed and the other one is a prey for hackers who want to get into my webserver. Then there's a bunch of villains who want to use my Asterisk server to make free calls and harass companies.

INPUT
SIP = UDP 5060 handled on router (asterisk)
HTTP = TCP 80 which is translated to 8080 on router (pound)
HTTPS = 443,446 which is transtlated to 4443,4446 on router (pound)

FORWARD
SMTP = TCP 25 which is being translated to port 225 on my Ubuntu running ASSP (Anti Spam Proxy)
FTP = TCP 20,21 and several other ports, translated to several FTP-servers
SSH = undisclosed TCP ports.... translated to TCP 22

I have 3 blocklists.

asiablock = blocking South-East Asis
chinablock = blocking China
worldblock = blocking everyone but the Netherlands.

SIP, FTP and SSH will only be accessible from the Netherlands
SMTP is blocked for South East Asia
HTTP and HTTPS is blocked for China and some IP's that are trying to hack it.

This is my rc_firewall
Code:
wanf=`nvram get wan_iface`
iptables -I FORWARD 1 -i $wanf -p tcp --dport 20:23 -j world
iptables -I FORWARD 1 -i $wanf -p tcp --dport 225 -j asia
iptables -I INPUT 2 -i $wanf -p udp --dport 12000:13000 -j ACCEPT
iptables -I INPUT 2 -i $wanf -p tcp --dport 8080 -j ACCEPT
iptables -I INPUT 2 -i $wanf -p tcp --dport 4443:4446 -j ACCEPT
iptables -I INPUT 2 -i $wanf -p udp --dport 5060 -j world
iptables -I INPUT 2 -i $wanf -p tcp --dport 4443:8080 -j china


IP's that are found with S98stophack are added to both /opt/etc/asia.spam and /opt/etc/china.spam
They will get blocked and are not able to access those protected services.

Code:
wget -O /opt/etc/init.d/S95chinablock http://wd.mirmana.com/S95chinablock


Code:
# service stophack
stophack is active
"stophack" has found new IP's, you should restart asiablock


When stophack has found IP's after the asiablock has built its blockfile you will get this message. A restart of asiablock or router will block these new IP's.

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)


Last edited by frater on Fri May 28, 2010 22:11; edited 1 time in total
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

PostPosted: Fri May 28, 2010 17:12    Post subject: Re: nohack script Reply with quote
frater wrote:
Because I got a bit fed up of all those bots and hackers I created this script.

You need to have OTR (I didn't invent this acronym) installed and have asiablock and pound active.

I think you forgot a 'W' > "Optware The Right Way" should be OTRW. But I digress ... What is the intent of this new script? Other than to detect "bots" and "hackers", what (or how) does it do to stop those people from causing problems?

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Fri May 28, 2010 17:30    Post subject: Reply with quote
I'm seeing distressing things in several of my logs (apache and lighttpd). I'm also running several other webservers that don't even have logs.

All webtraffic is passing pound and that service is writing messages to my /var/log/messages. I'm using that output to detect hackers and bots. It uses keywords like '+http', 'robots.txt', 'crawler' and 'wordpress'. These keywords are in a file /opt/etc/hackers.

It runs every 20 minutes and then checks the last 20 minutes of /var/log/messages for pound messages. If it encounters a line with that keyword it will extract the IP and add it /opt/etc/asia.spam and /opt/etc/china.spam. That file is already used by my asiablock to manually add some subnets.

BTW.. there's an /opt/etc/asia.ham as well where you can whitelist subnets.

If you have more questions please ask them.

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

PostPosted: Fri May 28, 2010 20:26    Post subject: Reply with quote
frater wrote:
All webtraffic is passing pound and that service is writing messages to my /var/log/messages. I'm using that output to detect hackers and bots. It uses keywords like '+http', 'robots.txt', 'crawler' and 'wordpress'. These keywords are in a file /opt/etc/hackers.

This is more specifically what I am interested in. I have an 'idea' of what pound does, I am just curious as to what the script looks for. Mainly because I possibly interested in a port over to a "normal" linux box I have that runs apache. I essentially would like better ways to "lock" it down, and at least *try* to thwart those would be hackers from even reaching the web server.

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

PostPosted: Fri May 28, 2010 22:18    Post subject: Reply with quote
crashfly wrote:
This is more specifically what I am interested in. I have an 'idea' of what pound does, I am just curious as to what the script looks for. Mainly because I possibly interested in a port over to a "normal" linux box I have that runs apache. I essentially would like better ways to "lock" it down, and at least *try* to thwart those would be hackers from even reaching the web server.

It looks for URL's I'm not running on my domain. Hackers are interested in webshops, phpmyadmin and wordpress. I'm also looking for special headers.

Well, that's exactly what I'm doing now.... Laughing

Pound is a great tool. I wish I could make it more accessible for the average user.

Here are the logentries my script made thus far:
cat /opt/var/log/messages | grep stophack | grep -v Start
Code:
May 28 14:57:40 WAN optware.info stophack: Added /opt/etc/init.d/S98stophack as cronjob
May 28 16:00:02 WAN optware.info stophack: May 28 15:54:42 WAN daemon.info pound: 66.249.66.10 GET /robots.txt HTTP/1.1 - HTTP/1.1 200 OK (wd.mirmana.com/wd.mirmana.com -> 192.168.10.210:80) 0.066 sec
May 28 16:00:02 WAN optware.info stophack: Add 66.249.66.10 to /opt/etc/asia.spam
May 28 16:00:02 WAN optware.info stophack: Add 66.249.66.10 to /opt/etc/china.spam
May 28 16:20:02 WAN optware.info stophack: May 28 16:19:28 WAN daemon.info pound: 66.249.68.237 GET /robots.txt HTTP/1.1 - HTTP/1.1 200 OK (wd.mirmana.com/wd.mirmana.com -> 192.168.10.210:80) 0.587 sec
May 28 16:20:02 WAN optware.info stophack: Add 66.249.68.237 to /opt/etc/asia.spam
May 28 16:20:02 WAN optware.info stophack: Add 66.249.68.237 to /opt/etc/china.spam
May 28 19:00:01 WAN optware.info stophack: May 28 18:55:09 WAN daemon.info pound: 67.218.116.162 GET /robots.txt HTTP/1.1 - HTTP/1.1 200 OK (www.hetemail.com/NoBots -> 192.168.10.5:80) 0.009 sec
May 28 19:00:01 WAN optware.info stophack: Add 67.218.116.162 to /opt/etc/asia.spam
May 28 19:00:01 WAN optware.info stophack: Add 67.218.116.162 to /opt/etc/china.spam
May 28 20:20:02 WAN optware.info stophack: May 28 20:07:04 WAN daemon.info pound: 93.158.145.28 GET /robots.txt HTTP/1.1 - HTTP/1.1 200 OK (wd.mirmana.com/wd.mirmana.com -> 192.168.10.210:80) 0.611 sec
May 28 20:20:02 WAN optware.info stophack: Add 93.158.145.28 to /opt/etc/asia.spam
May 28 20:20:02 WAN optware.info stophack: Add 93.158.145.28 to /opt/etc/china.spam
May 28 22:40:01 WAN optware.info stophack: May 28 22:25:30 WAN daemon.info pound: 119.63.198.28 GET /robots.txt HTTP/1.1 - HTTP/1.1 200 OK (wd.mirmana.com/wd.mirmana.com -> 192.168.10.210:80) 0.074 sec
May 28 22:40:01 WAN optware.info stophack: Add 119.63.198.28 to /opt/etc/asia.spam
May 28 22:40:01 WAN optware.info stophack: Add 119.63.198.28 to /opt/etc/china.spam

_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
pigge
DD-WRT Novice


Joined: 07 Nov 2006
Posts: 36
Location: Stockholm

PostPosted: Tue Jun 29, 2010 23:51    Post subject: Reply with quote
i think the http://wd.mirmana.com/hackers has gone missing...

:~# wget -qO /opt/etc/hackers http://wd.mirmana.com/hackers
wget: server returned error: HTTP/1.1 404 Not Found
:~#
strfr
DD-WRT User


Joined: 21 Jan 2008
Posts: 192

PostPosted: Sun Oct 03, 2010 14:01    Post subject: @frater - simultaneous logging to wallwatcher with stophack Reply with quote
hello frater, thanks for your stophack script, I'm finding it quite useful when running my own webserver inside my LAN.
I have question - is there any way to keep logging out of the router together with logging to /opt/var/log?

The thing is I would like see logs in my wallwatcher but your script is forcing logs to be written to /opt/var/log. Would it be possible to keep logging out of the router too?

Thanks again man for sharing your knowledge!
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum