
CSF Rule Sets for WP Pingback DDOS attacks

Discussion in 'Server Configuration and Hosting' started by Tracy Perry, Jun 12, 2016.

  1. Tracy Perry (Well-Known Member)

    I found a nice list of IPs that have been shown to be involved in WP Pingback DDOS attacks. I've placed them into a ruleset along with some others that I've found making numerous attempts to log into my mail services (one of them was over 2000 attempts in a few hours).

    Since the rule set is over 7500 lines I've created an article and instructions on how to use them over at my Linux site (since I doubt that I could post that long of a post here).

    You should be able to use them even without CSF - you would just have to incorporate them into a script that runs at startup.
    The article is available at https://servinglinux.com/articles/entry/5-ipset-to-block-ip-s-via-csfpre-sh/ if anyone is interested in using them.
  2. eva2000 (Well-Known Member)

    FYI, CSF Firewall natively supports IPSET if detected, so it doesn't need a csfpre.sh kind of setup ;)

    CentOS + CentminMod LEMP stacks will automatically install ipset by default if centminmod detects that your Linux kernel supports it. Normal CentOS non-centminmod environments usually won't install ipset unless you install and configure ipset yourself :) CSF Firewall will auto-detect on initial install whether ipset is installed/supported, so no special handling is needed other than the usual csf firewall deny or allow syntax for blacklisting or whitelisting, which will automatically use ipset if available: https://centminmod.com/csf_firewall.html

    Code:
    csf -r 2>&1 | grep IPSET
    csf: IPSET creating set chain_DENY
    csf: IPSET creating set chain_6_DENY
    csf: FASTSTART loading csf.deny (IPSET)
    csf: IPSET creating set chain_ALLOWDYN
    csf: IPSET creating set chain_6_ALLOWDYN
    csf: IPSET creating set chain_ALLOW
    csf: IPSET creating set chain_6_ALLOW
    csf: FASTSTART loading csf.allow (IPSET)
    Auto-banned IP 60.214.233.147 in the deny file, due to lfd (login failure daemon) detecting brute-force sshd attacks:
    Code:
    tail -1 /etc/csf/csf.deny 
    60.214.233.147 # lfd: (sshd) Failed SSH login from 60.214.233.147 (CN/China/-): 5 in the last 3600 secs - Sun Jun 12 03:42:04 2016
    Grepping for the IP 60.214.233.147 in the csf firewall shows it has been added to the IPSET chain_DENY set :)
    Code:
    csf -g 60.214.233.147
    
    Chain            num   pkts bytes target     prot opt in     out     source               destination      
    No matches found for 60.214.233.147 in iptables
    
    
    IPSET: Set:chain_DENY Match:60.214.233.147 Setting: File:/etc/csf/csf.deny
    
    
    ip6tables:
    
    Chain            num   pkts bytes target     prot opt in     out     source               destination      
    No matches found for 60.214.233.147 in ip6tables
    
    csf.deny: 60.214.233.147 # lfd: (sshd) Failed SSH login from 60.214.233.147 (CN/China/-): 5 in the last 3600 secs - Sun Jun 12 03:42:04 2016
  3. Tracy Perry (Well-Known Member)

    Actually... unless you want one great big rule set, it does (and those rule sets do have limits on their size). You can add them into csf.deny, but I prefer to have my rule sets broken down into ones for specific areas, for my own edification. LFD doesn't detect the bad/recurring SMTP logon attempts in the CentMin mod shipping form when utilizing Postfix. So, the only effective way I have found is to create the csfpre/post.sh file so I can keep up with which is what. Same with the pingback attacks: as shipped it doesn't detect them nor add them to csf.deny, and I prefer to have that in its own rule set.
    Also, don't forget: not everybody runs CentOS/CentMin, some use Ubuntu/Debian! :p


    Code:
    Jun  5 03:51:54 whiskey postfix/smtpd[9605]: connect from unknown[88.199.175.11]
    Jun  5 03:51:54 whiskey postfix/smtpd[9605]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 03:51:54 whiskey postfix/smtpd[9605]: disconnect from unknown[88.199.175.11]
    Jun  5 03:56:13 whiskey postfix/anvil[9622]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 03:51:54
    Jun  5 03:56:13 whiskey postfix/anvil[9622]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 03:51:54
    Jun  5 04:03:55 whiskey postfix/smtpd[11297]: connect from unknown[88.199.175.11]
    Jun  5 04:03:55 whiskey postfix/smtpd[11297]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 04:03:55 whiskey postfix/smtpd[11297]: disconnect from unknown[88.199.175.11]
    Jun  5 04:15:56 whiskey postfix/smtpd[13255]: connect from unknown[88.199.175.11]
    Jun  5 04:15:56 whiskey postfix/smtpd[13255]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 04:15:56 whiskey postfix/smtpd[13255]: disconnect from unknown[88.199.175.11]
    Jun  5 04:27:58 whiskey postfix/smtpd[15023]: connect from unknown[88.199.175.11]
    Jun  5 04:27:58 whiskey postfix/smtpd[15023]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 04:27:58 whiskey postfix/smtpd[15023]: disconnect from unknown[88.199.175.11]
    Jun  5 04:31:18 whiskey postfix/anvil[15035]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 04:27:58
    Jun  5 04:31:18 whiskey postfix/anvil[15035]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 04:27:58
    Jun  5 04:40:02 whiskey postfix/smtpd[16845]: connect from unknown[88.199.175.11]
    Jun  5 04:40:02 whiskey postfix/smtpd[16845]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 04:40:02 whiskey postfix/smtpd[16845]: disconnect from unknown[88.199.175.11]
    Jun  5 04:52:03 whiskey postfix/smtpd[18637]: connect from unknown[88.199.175.11]
    Jun  5 04:52:03 whiskey postfix/smtpd[18637]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 04:52:03 whiskey postfix/smtpd[18637]: disconnect from unknown[88.199.175.11]
    Jun  5 04:59:40 whiskey postfix/anvil[18749]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 04:52:03
    Jun  5 04:59:40 whiskey postfix/anvil[18749]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 04:52:03
    Jun  5 05:04:05 whiskey postfix/smtpd[20428]: connect from unknown[88.199.175.11]
    Jun  5 05:04:05 whiskey postfix/smtpd[20428]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 05:04:05 whiskey postfix/smtpd[20428]: disconnect from unknown[88.199.175.11]
    Jun  5 05:16:05 whiskey postfix/smtpd[22204]: connect from unknown[88.199.175.11]
    Jun  5 05:16:05 whiskey postfix/smtpd[22204]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 05:16:05 whiskey postfix/smtpd[22204]: disconnect from unknown[88.199.175.11]
    Jun  5 05:28:07 whiskey postfix/smtpd[24005]: connect from unknown[88.199.175.11]
    Jun  5 05:28:07 whiskey postfix/smtpd[24005]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 05:28:07 whiskey postfix/smtpd[24005]: disconnect from unknown[88.199.175.11]
    Jun  5 05:31:27 whiskey postfix/anvil[24105]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 05:28:07
    Jun  5 05:31:27 whiskey postfix/anvil[24105]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 05:28:07
    Jun  5 05:40:08 whiskey postfix/smtpd[25765]: connect from unknown[88.199.175.11]
    Jun  5 05:40:08 whiskey postfix/smtpd[25765]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 05:40:08 whiskey postfix/smtpd[25765]: disconnect from unknown[88.199.175.11]
    Jun  5 05:47:28 whiskey postfix/anvil[25894]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 05:40:08
    Jun  5 05:47:28 whiskey postfix/anvil[25894]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 05:40:08
    Jun  5 05:52:11 whiskey postfix/smtpd[27666]: connect from unknown[88.199.175.11]
    Jun  5 05:52:11 whiskey postfix/smtpd[27666]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 05:52:11 whiskey postfix/smtpd[27666]: disconnect from unknown[88.199.175.11]
    Jun  5 05:57:28 whiskey postfix/anvil[27715]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 05:52:11
    Jun  5 05:57:28 whiskey postfix/anvil[27715]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 05:52:11
    Jun  5 06:04:15 whiskey postfix/smtpd[29538]: connect from unknown[88.199.175.11]
    Jun  5 06:04:15 whiskey postfix/smtpd[29538]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 06:04:15 whiskey postfix/smtpd[29538]: disconnect from unknown[88.199.175.11]
    Jun  5 06:16:18 whiskey postfix/smtpd[31274]: connect from unknown[88.199.175.11]
    Jun  5 06:16:18 whiskey postfix/smtpd[31274]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 06:16:18 whiskey postfix/smtpd[31274]: disconnect from unknown[88.199.175.11]
    Jun  5 06:28:23 whiskey postfix/smtpd[617]: connect from unknown[88.199.175.11]
    Jun  5 06:28:23 whiskey postfix/smtpd[617]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 06:28:23 whiskey postfix/smtpd[617]: disconnect from unknown[88.199.175.11]
    Jun  5 06:31:43 whiskey postfix/anvil[640]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 06:28:23
    Jun  5 06:31:43 whiskey postfix/anvil[640]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 06:28:23
    Jun  5 06:40:27 whiskey postfix/smtpd[2467]: connect from unknown[88.199.175.11]
    Jun  5 06:40:27 whiskey postfix/smtpd[2467]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 06:40:27 whiskey postfix/smtpd[2467]: disconnect from unknown[88.199.175.11]
    Jun  5 06:43:47 whiskey postfix/anvil[2498]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 06:40:27
    Jun  5 06:43:47 whiskey postfix/anvil[2498]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 06:40:27
    Jun  5 06:52:27 whiskey postfix/smtpd[4224]: connect from unknown[88.199.175.11]
    Jun  5 06:52:27 whiskey postfix/smtpd[4224]: lost connection after CONNECT from unknown[88.199.175.11]
    Jun  5 06:52:27 whiskey postfix/smtpd[4224]: disconnect from unknown[88.199.175.11]
    Jun  5 06:58:28 whiskey postfix/anvil[4249]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 06:52:27
    Jun  5 06:58:28 whiskey postfix/anvil[4249]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 06:52:27
    Jun  5 07:04:28 whiskey postfix/smtpd[6051]: connect from unknown[88.199.175.11]
    Jun  5 07:04:28 whiskey postfix/smtpd[6051]: lost connection after CONNECT from unknown[88.199.175.11]
    
    
    and there are about 1800 more lines of this going through yesterday.

    Code:
    [root@whiskey log]# csf -g 88.199.175.11
    
    Chain            num   pkts bytes target     prot opt in     out     source               destination  
    No matches found for 88.199.175.11 in iptables
    
    
    IPSET: Set:dorks Match:88.199.175.11
    Code:
    [root@whiskey csf]# cat /etc/csf/csf.deny
    ###############################################################################
    # Copyright 2006-2015, Way to the Web Limited
    # URL: http://www.configserver.com
    # Email: sales@waytotheweb.com
    ###############################################################################
    # The following IP addresses will be blocked in iptables
    # One IP address per line
    # CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
    # Only list IP addresses, not domain names (they will be ignored)
    #
    # Note: If you add the text "do not delete" to the comments of an entry then
    # DENY_IP_LIMIT will ignore those entries and not remove them
    #
    # Advanced port+ip filtering allowed with the following format
    # tcp/udp|in/out|s/d=port|s/d=ip
    #
    # See readme.txt for more information regarding advanced port filtering
    #
    
     
    Last edited: Jun 13, 2016
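Added example serving posts 1 and 3 (it is not code from the thread, from CSF or from csfpre.sh): it scans a Postfix maillog for the repeated `lost connection after CONNECT` pattern quoted above, which lfd does not score, and turns the offenders into csf.deny-style lines or an `ipset restore` file for a set such as `dorks`. The sample log lines, the threshold, the `smtp-scan` comment tag and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from CSF/csfpre.sh. Finds SMTP clients that
# repeatedly connect and drop before HELO (the maillog pattern in the thread, which
# lfd does not score) and emits them as csf.deny lines or an ipset restore file.

# Constructed sample maillog modelled on the lines in the thread (documentation IPs).
SAMPLE_LOG='Jun  5 03:51:54 whiskey postfix/smtpd[9605]: connect from unknown[198.51.100.7]
Jun  5 03:51:54 whiskey postfix/smtpd[9605]: lost connection after CONNECT from unknown[198.51.100.7]
Jun  5 03:51:54 whiskey postfix/smtpd[9605]: disconnect from unknown[198.51.100.7]
Jun  5 04:03:55 whiskey postfix/smtpd[11297]: lost connection after CONNECT from unknown[198.51.100.7]
Jun  5 04:15:56 whiskey postfix/smtpd[13255]: lost connection after CONNECT from unknown[198.51.100.7]
Jun  5 04:20:00 whiskey postfix/smtpd[13300]: lost connection after CONNECT from mail.example.net[203.0.113.9]
Jun  5 04:21:00 whiskey postfix/smtpd[13301]: connect from mail.example.org[192.0.2.5]
Jun  5 04:21:01 whiskey postfix/smtpd[13301]: disconnect from mail.example.org[192.0.2.5]'

# lost_connects THRESHOLD < maillog: prints "count ip" for clients with at least
# THRESHOLD "lost connection after CONNECT" events (threshold is a hypothetical tuning knob).
lost_connects() {
    awk -v t="$1" '
        /postfix\/smtpd\[[0-9]+\]: lost connection after CONNECT from / {
            # the client address is the bracketed IPv4 literal at the end of the line
            if (match($0, /\[[0-9.]+\]$/)) {
                ip = substr($0, RSTART + 1, RLENGTH - 2)
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

# to_csf_deny < "count ip" lines: csf.deny entries, one IP per line with a comment
# (the "smtp-scan" tag is our own, not an lfd tag).
to_csf_deny() {
    while read -r count ip; do
        printf '%s # smtp-scan: %s lost connections after CONNECT\n' "$ip" "$count"
    done
}

# to_ipset_restore SETNAME < "count ip" lines: file for `ipset -exist restore < file`,
# the pre-built-set approach a csfpre.sh script would load (set name is the caller's).
to_ipset_restore() {
    printf 'create %s hash:ip family inet\n' "$1"
    while read -r count ip; do
        printf 'add %s %s\n' "$1" "$ip"
    done
}

# Run on the constructed log with threshold 3: only the scanner is listed,
# the host that dropped once and the clean host are not.
printf '%s\n' "$SAMPLE_LOG" | lost_connects 3 | to_csf_deny
```

On a live system the same pipeline would read `/var/log/maillog` and its output would be reviewed before being appended to csf.deny or loaded with `ipset restore`.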
  4. eva2000 (Well-Known Member)

    True... not yet anyway haha :D