CSF Rule Sets for WP Pingback DDOS attacks

TPerry

Well-known member
I found a nice list of IPs that have been shown to be involved in WP Pingback DDOS attacks. I've placed them into a ruleset along with some others that I've found making numerous attempts to log into my mail services (one of them was over 2000 attempts in a few hours).

Since the rule set is over 7500 lines I've created an article and instructions on how to use them over at my Linux site (since I doubt that I could post that long of a post here).

You should be able to use them even without CSF - you would just have to incorporate them into a script that runs at startup.
The article is available at https://servinglinux.com/articles/entry/5-ipset-to-block-ip-s-via-csfpre-sh/ if anyone is interested in using them.
 
FYI, CSF Firewall natively supports IPSET if detected, so it doesn't need a csfpre.sh kind of setup ;)

CentOS + CentminMod LEMP stacks will automatically install ipset by default if centminmod detects that your Linux kernel supports it. Normal CentOS non-centminmod environments usually won't install ipset unless you install and configure ipset yourself :) So CSF Firewall will auto-detect on initial install whether ipset is installed/supported, and no special handling is needed other than the usual csf firewall deny or allow syntax for blacklisting or whitelisting, which will automatically use ipset if available: https://centminmod.com/csf_firewall.html

Code:
csf -r 2>&1 | grep IPSET
csf: IPSET creating set chain_DENY
csf: IPSET creating set chain_6_DENY
csf: FASTSTART loading csf.deny (IPSET)
csf: IPSET creating set chain_ALLOWDYN
csf: IPSET creating set chain_6_ALLOWDYN
csf: IPSET creating set chain_ALLOW
csf: IPSET creating set chain_6_ALLOW
csf: FASTSTART loading csf.allow (IPSET)

Auto-banned IP 60.214.233.147 in the deny file, due to lfd (login failure daemon) detecting brute-force sshd attacks:
Code:
tail -1 /etc/csf/csf.deny 
60.214.233.147 # lfd: (sshd) Failed SSH login from 60.214.233.147 (CN/China/-): 5 in the last 3600 secs - Sun Jun 12 03:42:04 2016
Grepping the IP 60.214.233.147 in CSF Firewall shows it has been added to the IPSET chain_DENY set :)
Code:
csf -g 60.214.233.147

Chain            num   pkts bytes target     prot opt in     out     source               destination      
No matches found for 60.214.233.147 in iptables


IPSET: Set:chain_DENY Match:60.214.233.147 Setting: File:/etc/csf/csf.deny


ip6tables:

Chain            num   pkts bytes target     prot opt in     out     source               destination      
No matches found for 60.214.233.147 in ip6tables

csf.deny: 60.214.233.147 # lfd: (sshd) Failed SSH login from 60.214.233.147 (CN/China/-): 5 in the last 3600 secs - Sun Jun 12 03:42:04 2016
FYI, CSF Firewall natively supports IPSET if detected so doesn't need csfpre.sh kind of setup

Actually... unless you want one great big rule set, it does (and those rule sets do have limits on their size). You can add them into csf.deny, but I prefer to have my rule sets broken down into ones for specific areas for my own edification. LFD doesn't detect the bad/recurring SMTP logon attempts in the CentMin Mod shipped form when utilizing Postfix. So, the only effective way I have found is to create the csfpre/post.sh file so I can keep up with which is what. Same with the pingback attacks. As shipped, it doesn't detect them nor add them to csf.deny, and I prefer to have that in its own rule set.
Also, don't forget - not everybody runs CentOS/CentMin - some use Ubuntu/Debian! :p


Code:
Jun  5 03:51:54 whiskey postfix/smtpd[9605]: connect from unknown[88.199.175.11]
Jun  5 03:51:54 whiskey postfix/smtpd[9605]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 03:51:54 whiskey postfix/smtpd[9605]: disconnect from unknown[88.199.175.11]
Jun  5 03:56:13 whiskey postfix/anvil[9622]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 03:51:54
Jun  5 03:56:13 whiskey postfix/anvil[9622]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 03:51:54
Jun  5 04:03:55 whiskey postfix/smtpd[11297]: connect from unknown[88.199.175.11]
Jun  5 04:03:55 whiskey postfix/smtpd[11297]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 04:03:55 whiskey postfix/smtpd[11297]: disconnect from unknown[88.199.175.11]
Jun  5 04:15:56 whiskey postfix/smtpd[13255]: connect from unknown[88.199.175.11]
Jun  5 04:15:56 whiskey postfix/smtpd[13255]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 04:15:56 whiskey postfix/smtpd[13255]: disconnect from unknown[88.199.175.11]
Jun  5 04:27:58 whiskey postfix/smtpd[15023]: connect from unknown[88.199.175.11]
Jun  5 04:27:58 whiskey postfix/smtpd[15023]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 04:27:58 whiskey postfix/smtpd[15023]: disconnect from unknown[88.199.175.11]
Jun  5 04:31:18 whiskey postfix/anvil[15035]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 04:27:58
Jun  5 04:31:18 whiskey postfix/anvil[15035]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 04:27:58
Jun  5 04:40:02 whiskey postfix/smtpd[16845]: connect from unknown[88.199.175.11]
Jun  5 04:40:02 whiskey postfix/smtpd[16845]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 04:40:02 whiskey postfix/smtpd[16845]: disconnect from unknown[88.199.175.11]
Jun  5 04:52:03 whiskey postfix/smtpd[18637]: connect from unknown[88.199.175.11]
Jun  5 04:52:03 whiskey postfix/smtpd[18637]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 04:52:03 whiskey postfix/smtpd[18637]: disconnect from unknown[88.199.175.11]
Jun  5 04:59:40 whiskey postfix/anvil[18749]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 04:52:03
Jun  5 04:59:40 whiskey postfix/anvil[18749]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 04:52:03
Jun  5 05:04:05 whiskey postfix/smtpd[20428]: connect from unknown[88.199.175.11]
Jun  5 05:04:05 whiskey postfix/smtpd[20428]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 05:04:05 whiskey postfix/smtpd[20428]: disconnect from unknown[88.199.175.11]
Jun  5 05:16:05 whiskey postfix/smtpd[22204]: connect from unknown[88.199.175.11]
Jun  5 05:16:05 whiskey postfix/smtpd[22204]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 05:16:05 whiskey postfix/smtpd[22204]: disconnect from unknown[88.199.175.11]
Jun  5 05:28:07 whiskey postfix/smtpd[24005]: connect from unknown[88.199.175.11]
Jun  5 05:28:07 whiskey postfix/smtpd[24005]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 05:28:07 whiskey postfix/smtpd[24005]: disconnect from unknown[88.199.175.11]
Jun  5 05:31:27 whiskey postfix/anvil[24105]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 05:28:07
Jun  5 05:31:27 whiskey postfix/anvil[24105]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 05:28:07
Jun  5 05:40:08 whiskey postfix/smtpd[25765]: connect from unknown[88.199.175.11]
Jun  5 05:40:08 whiskey postfix/smtpd[25765]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 05:40:08 whiskey postfix/smtpd[25765]: disconnect from unknown[88.199.175.11]
Jun  5 05:47:28 whiskey postfix/anvil[25894]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 05:40:08
Jun  5 05:47:28 whiskey postfix/anvil[25894]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 05:40:08
Jun  5 05:52:11 whiskey postfix/smtpd[27666]: connect from unknown[88.199.175.11]
Jun  5 05:52:11 whiskey postfix/smtpd[27666]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 05:52:11 whiskey postfix/smtpd[27666]: disconnect from unknown[88.199.175.11]
Jun  5 05:57:28 whiskey postfix/anvil[27715]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 05:52:11
Jun  5 05:57:28 whiskey postfix/anvil[27715]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 05:52:11
Jun  5 06:04:15 whiskey postfix/smtpd[29538]: connect from unknown[88.199.175.11]
Jun  5 06:04:15 whiskey postfix/smtpd[29538]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 06:04:15 whiskey postfix/smtpd[29538]: disconnect from unknown[88.199.175.11]
Jun  5 06:16:18 whiskey postfix/smtpd[31274]: connect from unknown[88.199.175.11]
Jun  5 06:16:18 whiskey postfix/smtpd[31274]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 06:16:18 whiskey postfix/smtpd[31274]: disconnect from unknown[88.199.175.11]
Jun  5 06:28:23 whiskey postfix/smtpd[617]: connect from unknown[88.199.175.11]
Jun  5 06:28:23 whiskey postfix/smtpd[617]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 06:28:23 whiskey postfix/smtpd[617]: disconnect from unknown[88.199.175.11]
Jun  5 06:31:43 whiskey postfix/anvil[640]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 06:28:23
Jun  5 06:31:43 whiskey postfix/anvil[640]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 06:28:23
Jun  5 06:40:27 whiskey postfix/smtpd[2467]: connect from unknown[88.199.175.11]
Jun  5 06:40:27 whiskey postfix/smtpd[2467]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 06:40:27 whiskey postfix/smtpd[2467]: disconnect from unknown[88.199.175.11]
Jun  5 06:43:47 whiskey postfix/anvil[2498]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 06:40:27
Jun  5 06:43:47 whiskey postfix/anvil[2498]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 06:40:27
Jun  5 06:52:27 whiskey postfix/smtpd[4224]: connect from unknown[88.199.175.11]
Jun  5 06:52:27 whiskey postfix/smtpd[4224]: lost connection after CONNECT from unknown[88.199.175.11]
Jun  5 06:52:27 whiskey postfix/smtpd[4224]: disconnect from unknown[88.199.175.11]
Jun  5 06:58:28 whiskey postfix/anvil[4249]: statistics: max connection rate 1/60s for (smtp:88.199.175.11) at Jun  5 06:52:27
Jun  5 06:58:28 whiskey postfix/anvil[4249]: statistics: max connection count 1 for (smtp:88.199.175.11) at Jun  5 06:52:27
Jun  5 07:04:28 whiskey postfix/smtpd[6051]: connect from unknown[88.199.175.11]
Jun  5 07:04:28 whiskey postfix/smtpd[6051]: lost connection after CONNECT from unknown[88.199.175.11]
and there are about 1800 more lines of this going through yesterday.

Code:
[root@whiskey log]# csf -g 88.199.175.11

Chain            num   pkts bytes target     prot opt in     out     source               destination  
No matches found for 88.199.175.11 in iptables


IPSET: Set:dorks Match:88.199.175.11
Code:
[root@whiskey csf]# cat /etc/csf/csf.deny
###############################################################################
# Copyright 2006-2015, Way to the Web Limited
# URL: http://www.configserver.com
# Email: sales@waytotheweb.com
###############################################################################
# The following IP addresses will be blocked in iptables
# One IP address per line
# CIDR addressing allowed with a quaded IP (e.g. 192.168.254.0/24)
# Only list IP addresses, not domain names (they will be ignored)
#
# Note: If you add the text "do not delete" to the comments of an entry then
# DENY_IP_LIMIT will ignore those entries and not remove them
#
# Advanced port+ip filtering allowed with the following format
# tcp/udp|in/out|s/d=port|s/d=ip
#
# See readme.txt for more information regarding advanced port filtering
#
 
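The gap described in the post above (lfd not counting Postfix clients that connect and drop before HELO, so the admin keeps them in a separate ipset instead of csf.deny) can be closed with a small log-scanning script. The one below is an added example for this thread, not TPerry's csfpre.sh and not CSF or lfd code: it counts "lost connection after CONNECT" events per source IP from smtpd log lines, and turns any IP over a threshold into an `ipset restore` batch for a dedicated set and, alternatively, into csf.deny lines. The set name "dorks" is the one visible in the thread's `csf -g` output; the threshold, the file names in the usage note and the sample log lines (built from documentation address ranges) are assumptions, and nothing here loads anything into the kernel.

```shell
#!/usr/bin/env bash
# Added example for this thread, not TPerry's csfpre.sh and not CSF/lfd code.
# lfd does not count Postfix clients that connect and drop before HELO, so we
# count them ourselves from the smtpd log and emit (a) an `ipset restore`
# batch for a dedicated set and (b) csf.deny lines. Assumptions: the
# threshold, the documentation-range IPs in the constructed sample, and the
# file names in the usage note. Set name "dorks" comes from the thread.
set -eu

SET_NAME="${SET_NAME:-dorks}"

# Constructed sample of the Postfix log pattern from the thread (TEST-NET IPs).
SAMPLE_LOG="Jun  5 03:51:54 whiskey postfix/smtpd[9605]: connect from unknown[198.51.100.7]
Jun  5 03:51:54 whiskey postfix/smtpd[9605]: lost connection after CONNECT from unknown[198.51.100.7]
Jun  5 03:51:54 whiskey postfix/smtpd[9605]: disconnect from unknown[198.51.100.7]
Jun  5 03:56:13 whiskey postfix/anvil[9622]: statistics: max connection rate 1/60s for (smtp:198.51.100.7) at Jun  5 03:51:54
Jun  5 04:03:55 whiskey postfix/smtpd[11297]: lost connection after CONNECT from unknown[198.51.100.7]
Jun  5 04:10:00 whiskey postfix/smtpd[11300]: connect from mail.example.net[203.0.113.9]
Jun  5 04:10:00 whiskey postfix/smtpd[11300]: lost connection after CONNECT from mail.example.net[203.0.113.9]
Jun  5 04:15:56 whiskey postfix/smtpd[13255]: lost connection after CONNECT from unknown[198.51.100.7]
Jun  5 04:27:58 whiskey postfix/smtpd[15023]: lost connection after CONNECT from unknown[198.51.100.7]
Jun  5 04:30:00 whiskey postfix/smtpd[15100]: connect from unknown[192.0.2.44]
Jun  5 04:30:01 whiskey postfix/smtpd[15100]: disconnect from unknown[192.0.2.44] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5"

# count_dropped_connects MIN  (log on stdin)
# Prints "count ip" for every client that dropped after CONNECT at least MIN
# times, highest count first. anvil statistics and normal sessions are ignored.
count_dropped_connects() {
  awk -v min="$1" '
    /postfix\/smtpd\[[0-9]+\]: lost connection after CONNECT from / {
      # the client IPv4 is the bracketed token at the end of the line
      if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]$/)) {
        ip = substr($0, RSTART + 1, RLENGTH - 2)
        hits[ip]++
      }
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -rn
}

# ipset_batch SETNAME  ("count ip" lines on stdin)
# Emits an `ipset restore` batch. -exist makes both the create and the adds
# idempotent, so the script can be re-run from cron without errors.
ipset_batch() {
  set_name="$1"
  echo "create $set_name hash:ip family inet hashsize 1024 maxelem 65536 -exist"
  while read -r _count ip; do
    echo "add $set_name $ip -exist"
  done
}

# csf_deny_lines  ("count ip" lines on stdin)
# Alternative output: csf.deny entries. The "do not delete" comment keyword is
# the one documented in the csf.deny header, so DENY_IP_LIMIT leaves them alone.
csf_deny_lines() {
  while read -r count ip; do
    echo "$ip # postfix: $count dropped CONNECTs, do not delete"
  done
}

# Stand-alone run: show the batch that would be produced for the sample.
demo() {
  printf '%s\n' "$SAMPLE_LOG" | count_dropped_connects 3 | ipset_batch "$SET_NAME"
}
demo
```

On a real host the pipeline is `count_dropped_connects 10 < /var/log/maillog | ipset_batch dorks > /tmp/dorks.restore`; after reviewing the file, `ipset restore < /tmp/dorks.restore` loads it, and the set is referenced from csfpre.sh with `iptables -I INPUT -m set --match-set dorks src -j DROP`, which is how a single rule can cover thousands of addresses without a 7500-line iptables chain. Sorting by count first means the noisiest clients are at the top of the file when you review it.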