Monday, October 13, 2014

Block IP Addresses Using iptables

This post describes the steps to block the IP address that is the origin of a brute-force attack against a WordPress blog.

WARNING!

Make sure you DO NOT block your own IP addresses, or apply and global rules which would block the SSH port (port 22).

Identify IP Addresses to Block (Blog Server)

Tail the blog server apache logs:

sudo tail -f /var/log/httpd/access_log

199.188.70.163 - - [12/Oct/2014:16:29:03 +0000] "POST /wp-login.php HTTP/1.0" 200 4432 "-" "-"
37.59.125.22 - - [12/Oct/2014:16:29:03 +0000] "POST /wp-login.php HTTP/1.0" 200 4432 "-" "-"
199.188.70.163 - - [12/Oct/2014:16:29:04 +0000] "POST /wp-login.php HTTP/1.0" 200 4432 "-" "-"
37.59.125.22 - - [12/Oct/2014:16:29:05 +0000] "POST /wp-login.php HTTP/1.0" 200 4432 "-" "-"
37.59.125.22 - - [12/Oct/2014:16:29:05 +0000] "POST /wp-login.php HTTP/1.0" 200 4432 "-" "-"

This shows two ip addresses, 199.188.70.163 and 37.59.125.22 attempting to brute-force the blog's Word Press login page:

It is worth checking the Apache error log:

sudo tail -f  /var/log/httpd/access_log

Blocking IP Addresses Using iptables

List existing iptables rules:

# List iptables rules
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

The output of the -S switch can be used to re-create the given rule from the command line or a rule script. To block a single IP addresses 199.188.70.163 and 37.59.125.22 do the following:

sudo iptables -A INPUT -s 199.188.70.163 -j DROP
sudo iptables -A INPUT -s 37.59.125.22 -j DROP

Listing the iptables rules once more should show the DROP rules that were added in the previous step:

# List iptables rules
sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 199.188.70.163 -j DROP
-A INPUT -s 37.59.125.22 -j DROP

The two rules that were added have not taken effect yet. To save them do the following:

# Save the iptables rules
sudo /etc/init.d/iptables save

NOTE: The /sbin/service command is available on the blog server, so you can use that to save iptables rules:

sudo /sbin/service iptables save
The service command runs /etc/init.d/ scripts without passing on environment variables defined by the user.

When successfully saved, it should display a message such as:

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

Removing iptables Rules

List iptables Rules:

sudo iptables -S

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 199.188.70.0/24 -j DROP
-A INPUT -s 37.59.125.0/24 -j DROP

The following lists the form in a more readable form:

# List rules with line number in verbose mode
sudo iptables -L -n -v --line-numbers

In the following output the "num" column represents the line number within each Chain (INPUT, FORWARD, and OUTPUT). This number will be will be used to remove the rules.

Chain INPUT (policy ACCEPT 31267 packets, 2159K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      206 12472 DROP       all  --  *      *       199.188.70.0/24      0.0.0.0/0
2      313 20047 DROP       all  --  *      *       37.59.125.0/24       0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 14419 packets, 75M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Look at the number on the left in the "num" column, then use number to delete the rule. For example delete line number 2 (subnet 37.59.125.0/24), enter:

sudo iptables -D INPUT 2

This will not take effect until it the rule is saved:

# Save the iptables rules
sudo /etc/init.d/iptables save

Identify Other IP Addresses Performing Similar Attacks

Use the following command to identify IP addresses making large number of login attempts the WordPress blog:

# IP addresses making POST request to the WordPress login page
grep wp-login /var/log/httpd/access_log | grep POST | awk '{print $1}'| sort | uniq -c | sort -nr

  20154 199.188.70.163
  14105 194.65.224.242
   3732 37.59.125.22
     40 37.1.222.114
     25 192.187.99.194

Make sure that you EXCLUDE remove your own IP addresses and other legitimate IP addresses from the above list before blocking them. In this case we should probably block the first three ( 20154 199.188.70.163, 194.65.224.242, and 37.59.125.22) and not the last two (37.1.222.114 and 192.187.99.194).

You may want to use an IP address lookup tool such as MaxMind GeoIP Lookup to see where the IP address is located:

Finding Your Public IP Address on the Command Line

The following is a Bash command that can be used to quickly find the public IP address your internet service provider (ISP) has given you. This is not the same as the IP address seen by your broadband router, which is usually an private IP address within the ISPs network, or the IP address given to your computer, which is a private IP address issued by my home router.

This command simply makes a "what is my ip" query to Google, which in turn displays the IP address it sees the request originating from. The awk command parses the IP address from the rest of the HTML and prints it to the command line.

curl -s 'https://www.google.com/search?q=what+is+my+ip' | awk 'match($0, /\(Client.*: (.*)\)/){print substr($0, RSTART, RLENGTH)}'

(Client IP address: 50.x.x.x)
Posted by at
Labels: , , ,
Location: San Francisco, CA, USA