Block China on UNIX

There are some very good scripts that modify iptables to block unwanted traffic before it gets anywhere near UMass servers. Some of the most aggressive hacking attempts come from China. Here is an automated hacking script trying to connect to my UMass box through ssh about every two seconds. Note the fake user names (viktor, tobyliu, Avignon-123, root). You can see where each attempt originates by looking the address up in whois. Some of these attempts are proxied through DigitalOcean and other hosting providers; one comes from Ravna Gora, Croatia (195.29.105.125).

Oct 23 16:04:20 sshd: Received disconnect from 45.55.177.230 port 53758:11: Bye Bye 
Oct 23 16:04:20 sshd: Disconnected from invalid user viktor 45.55.177.230 port 53758 
Oct 23 16:05:32 sshd: refused connect from 218.92.0.204 (218.92.0.204)
Oct 23 16:05:34 sshd: Invalid user tobyliu from 129.158.73.119 port 23191
Oct 23 16:05:34 sshd: pam_unix(sshd:auth): check pass; user unknown
Oct 23 16:05:34 sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=129.158.73.119
Oct 23 16:05:36 sshd: Failed password for invalid user tobyliu from 129.158.73.119 port 23191 ssh2
Oct 23 16:05:36 sshd: Received disconnect from 129.158.73.119 port 23191:11: Bye Bye 
Oct 23 16:05:36 sshd: Disconnected from invalid user tobyliu 129.158.73.119 port 23191 
Oct 23 16:05:44 sshd: Invalid user Avignon-123 from 1.203.115.64 port 54593
Oct 23 16:05:44 sshd: pam_unix(sshd:auth): check pass; user unknown
Oct 23 16:05:44 sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.203.115.64
Oct 23 16:05:47 sshd: Failed password for invalid user Avignon-123 from 1.203.115.64 port 54593 ssh2
Oct 23 16:05:51 sshd: User root from 195.29.105.125 not allowed because not listed in AllowUsers
Oct 23 16:05:51 sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=195.29.105.125 user=root
Oct 23 16:05:53 sshd: Failed password for invalid user root from 195.29.105.125 port 47984 ssh2
Oct 23 16:05:53 sshd: Received disconnect from 195.29.105.125 port 47984:11: Bye Bye 
Oct 23 16:05:53 sshd: Disconnected from invalid user root 195.29.105.125 port 47984 
Oct 23 16:06:15 sshd: refused connect from 218.92.0.204 (218.92.0.204)
Oct 23 16:06:52 sshd: refused connect from 218.92.0.204 (218.92.0.204)

Notice that some of the attempts were automatically refused. These came from addresses that I had already added to hosts.deny after seeing them in auth.log. To add this layer of protection, you can use a combination of Python and shell commands to add entries to the hosts.deny file. IMPORTANT: this only makes sense on a single-user server, because it assumes that every connection attempt in the log is bogus. I run this Python script when I am on my Linux box, since I know I’m not trying to connect to it from off-site. You can make it part of your daily or hourly cron jobs. It takes the last 30 lines of auth.log, parses them for IP addresses, formats each one as a hosts.deny entry, and appends the entries to hosts.deny.

#! /usr/bin/env python3

import ipaddress
import os
import re
import subprocess

# Dotted-quad pattern; \b keeps it from matching inside port numbers or timestamps.
IPV4 = r"\b\d{1,3}(?:\.\d{1,3}){3}\b"

# Grab the last 30 lines of auth.log (tail's flag and its value must be separate list items).
result = subprocess.run(['tail', '-n', '30', '/var/log/auth.log'], stdout=subprocess.PIPE)
str_result = result.stdout.decode('utf-8')

# Pull out every address wherever it sits on the line (after "from", inside
# parentheses, after "rhost="). Matching only tokens that start with three
# digits would miss addresses such as 1.203.115.64 and 45.55.177.230.
chinaips = []
for thisone in re.findall(IPV4, str_result):
    try:
        ipaddress.ip_address(thisone)   # drop anything that only looks like an address
    except ValueError:
        continue
    print("Found one: ", thisone)
    chinaips.append(thisone)

chinaips = sorted(set(chinaips), key=ipaddress.ip_address)
print(chinaips)

# skip addresses hosts.deny already lists, so repeated runs do not pile up duplicates
try:
    with open("/etc/hosts.deny") as fh:
        already_denied = set(re.findall(IPV4, fh.read()))
except FileNotFoundError:
    already_denied = set()
chinaips = [ip for ip in chinaips if ip not in already_denied]

# overwrite existing ips ("w" truncates the file; echo "" > file would leave a blank first line)
with open("chinaips.txt", "w") as fh:
    fh.write(''.join("ALL: " + ip + "\n" for ip in chinaips))

# append these ips to /etc/hosts.deny
if chinaips:
    os.system('sudo tee -a /etc/hosts.deny < chinaips.txt')
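As an added example that is not part of the original post: a script that tallies the failures per source address from the log excerpt above before anything is written to hosts.deny. It lets a threshold, rather than a single appearance in the log, decide what gets blocked, keeps the operator's own network out of the list (203.0.113.0/24 below is a constructed placeholder for that network), and does not re-add addresses that hosts.deny is already refusing, since a "refused connect" line is evidence the existing block works. The event patterns and function names are my own and not from the post; the sample log is the excerpt shown above.

```python
#!/usr/bin/env python3
"""Count sshd login failures per source before deciding what to deny."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: the auth.log excerpt shown on this page, restricted to
# the lines that name a source address.
SAMPLE_LOG = """\
Oct 23 16:04:20 sshd: Received disconnect from 45.55.177.230 port 53758:11: Bye Bye
Oct 23 16:04:20 sshd: Disconnected from invalid user viktor 45.55.177.230 port 53758
Oct 23 16:05:32 sshd: refused connect from 218.92.0.204 (218.92.0.204)
Oct 23 16:05:34 sshd: Invalid user tobyliu from 129.158.73.119 port 23191
Oct 23 16:05:36 sshd: Failed password for invalid user tobyliu from 129.158.73.119 port 23191 ssh2
Oct 23 16:05:44 sshd: Invalid user Avignon-123 from 1.203.115.64 port 54593
Oct 23 16:05:47 sshd: Failed password for invalid user Avignon-123 from 1.203.115.64 port 54593 ssh2
Oct 23 16:05:51 sshd: User root from 195.29.105.125 not allowed because not listed in AllowUsers
Oct 23 16:05:53 sshd: Failed password for invalid user root from 195.29.105.125 port 47984 ssh2
Oct 23 16:06:15 sshd: refused connect from 218.92.0.204 (218.92.0.204)
Oct 23 16:06:52 sshd: refused connect from 218.92.0.204 (218.92.0.204)
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# (event kind, regex). Where there are two groups the first is the user name;
# the last group is always the source address. Kinds are my own labels.
EVENT_PATTERNS = [
    ("invalid_user",    re.compile(r"Invalid user (\S+) from " + IPV4)),
    ("invalid_user",    re.compile(r"Disconnected from invalid user (\S+) " + IPV4)),
    ("failed_password", re.compile(r"Failed password for (?:invalid user )?(\S+) from " + IPV4)),
    ("not_allowed",     re.compile(r"User (\S+) from " + IPV4 + r" not allowed")),
    ("refused",         re.compile(r"refused connect from " + IPV4)),
]


def parse_events(log_text):
    """Return (kind, user, ip) for every recognised failure line; one event per line."""
    events = []
    for line in log_text.splitlines():
        for kind, pattern in EVENT_PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            groups = m.groups()
            user = groups[0] if len(groups) == 2 else None
            try:
                ip = str(ipaddress.ip_address(groups[-1]))  # rejects e.g. 999.1.1.1
            except ValueError:
                break
            events.append((kind, user, ip))
            break
    return events


def tally_by_source(events):
    """Map each source address to a Counter of event kinds."""
    tally = defaultdict(Counter)
    for kind, _user, ip in events:
        tally[ip][kind] += 1
    return tally


def deny_candidates(tally, threshold=2, allow_nets=()):
    """Addresses with at least `threshold` new failures that lie outside allow_nets.

    'refused' events are connections hosts.deny already rejected, so they are
    not counted: the address is blocked and needs no second entry.
    """
    nets = [ipaddress.ip_network(n) for n in allow_nets]
    picked = []
    for ip, counts in tally.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):
            continue
        new_failures = sum(v for k, v in counts.items() if k != "refused")
        if new_failures >= threshold:
            picked.append(addr)
    return [str(a) for a in sorted(picked)]


def hosts_deny_lines(ips, existing_hosts_deny=""):
    """Format entries for /etc/hosts.deny, skipping addresses already listed there."""
    present = set(re.findall(IPV4, existing_hosts_deny))
    return ["ALL: " + ip for ip in ips if ip not in present]


if __name__ == "__main__":
    tally = tally_by_source(parse_events(SAMPLE_LOG))
    for ip, counts in sorted(tally.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(ip, dict(counts))
    # 203.0.113.0/24 stands in for the operator's own network (constructed placeholder).
    for line in hosts_deny_lines(deny_candidates(tally, 2, ["203.0.113.0/24"])):
        print(line)
```

Run against the excerpt, 218.92.0.204 shows only "refused" events and is left alone, 45.55.177.230 has a single failure and stays below the threshold of two, and the other three sources are emitted as "ALL: address" lines ready for hosts.deny. To feed it a live log, replace SAMPLE_LOG with the output of tail on /var/log/auth.log and pass the current contents of /etc/hosts.deny to hosts_deny_lines.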