Atomic Secure Linux
Post subject: Immediate drop
Posted: Mon Dec 05, 2016 7:44 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 2306

Is there a way to totally kill all connections from a particular IP?

We've been suffering from brute force attacks on Plesk itself, resulting in server load skyrocketing and the database becoming inaccessible.

When I see this happening, I immediately blacklist the IP in question, which adds it to the block list in the ASL firewall, but this does not kill off the existing connections from this IP, which continue to cause problems.

The same thing can happen with an email spam attack when the sender keeps sending via an existing open connection.

For Plesk, the safest thing to do is restart psa, but just today this took ages due to the high load.
For email, you tend to have to find the qmail-smtp processes and kill them off manually.

All of this is inconvenient and in some cases difficult to do when you are in panic mode.

So...

Is there a way to immediately stop an IP in its tracks? To drop all related connections -- everything, basically, from a particular IP?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Immediate drop
Posted: Mon Dec 05, 2016 8:59 am
Forum Regular
Joined: Tue Aug 01, 2006 2:45 pm
Posts: 570
Location: Netherlands

The package dsniff (in EPEL) provides a command called "tcpkill" which you can use to kill TCP connections. I think it is as simple as
Code:
tcpkill host <offending-ip>

_________________
Lemonbit Internet Dedicated Server Management


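A firewall entry stops new packets from the address, but, as the rest of the thread works out, the sessions it already has stay open, and a DROP inserted in front of them only makes them go quiet: the server-side process (a qmail-smtp worker, sw-cp-server) just sits there. If it is waiting for the client's next command it waits until its own idle timeout; if it is trying to send a reply, TCP keeps retransmitting for about a quarter of an hour with Linux defaults (tcp_retries2=15). The script below is an added example, not from the thread, dsniff or ASL, showing how to actually tear those sessions down: ss -K where the kernel supports it (Linux 4.5 or later built with CONFIG_INET_DIAG_DESTROY), falling back to tcpkill, which needs root, the right interface, and traffic to look at, since it only resets connections whose packets it sees. The ss output embedded in the script is constructed sample data; IFACE and TCPKILL_SECS are variable names assumed for this example.

```shell
#!/bin/sh
# Added example, not from the thread, dsniff or ASL. Tears down the TCP sessions a
# remote IP already has open; a firewall DROP alone leaves them hanging.

# Constructed sample of `ss -tn state established` output, used for the demo below.
SAMPLE_SS='Recv-Q Send-Q Local Address:Port                 Peer Address:Port
0      0      192.0.2.10:25                      198.51.100.7:51234
0      0      192.0.2.10:8443                    198.51.100.7:51240
0      0      192.0.2.10:22                      203.0.113.9:40001'

# Filter ss output (on stdin) down to the connections whose peer is $1.
# Prints "local:port peer:port" per connection. Uses the last two columns so it
# works with or without the State column; IPv4 only (IPv6 peers are bracketed).
list_conns_from() {
    awk -v ip="$1" '
        NR > 1 {
            split($NF, peer, ":")
            if (peer[1] == ip) print $(NF - 1), $NF
        }'
}

# Number of established connections from $1 right now (needs ss from iproute2).
count_conns_from() {
    ss -tn state established | list_conns_from "$1" | wc -l | tr -d ' '
}

# Abort every established TCP connection from $1.
kill_conns_from() {
    ip="$1"
    # Preferred: SOCK_DESTROY via ss -K (Linux 4.5+, CONFIG_INET_DIAG_DESTROY). The
    # kernel sends a RST to the peer and the owning process gets an error on its
    # next read/write, so the qmail-smtp / sw-cp-server worker unblocks at once.
    # ss silently skips sockets the kernel cannot destroy, so re-count afterwards.
    ss -K -tn state established dst "$ip" >/dev/null 2>&1
    if [ "$(count_conns_from "$ip")" -eq 0 ]; then
        return 0
    fi
    # Fallback for older kernels: tcpkill (dsniff) sniffs the interface and forges
    # RSTs into both ends of each connection it sees to/from the IP. It only acts
    # on traffic it observes, so an idle session is reset on its next packet, and it
    # never exits on its own, so bound it with timeout(1). IFACE/TCPKILL_SECS are
    # assumed names for this example.
    timeout "${TCPKILL_SECS:-30}" tcpkill -i "${IFACE:-eth0}" -9 host "$ip"
}

# Demo on the constructed sample: no root, no network needed.
printf '%s\n' "$SAMPLE_SS" | list_conns_from 198.51.100.7
```

Run `kill_conns_from <ip>` as root after the firewall rule is in place, not before, or the client simply reconnects; the count check at the end tells you whether the kernel path worked or tcpkill had to be used.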
Post subject: Re: Immediate drop
Posted: Mon Dec 05, 2016 9:46 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 2306

That looks perfect, but it comes in a collection of tools that would typically be used for bad things, which raises some concerns.

Still, one would hope that a package in epel would be trustworthy.

Post subject: Re: Immediate drop
Posted: Tue Dec 06, 2016 1:14 pm
Forum Regular
Joined: Tue Aug 01, 2006 2:45 pm
Posts: 570
Location: Netherlands

What are your concerns exactly?

Post subject: Re: Immediate drop
Posted: Wed Dec 07, 2016 6:32 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 2306

I'm just being too cautious, that's all.

I tend to assume packages of this nature are more likely to be a target for "subversion" than others.

Post subject: Re: Immediate drop
Posted: Thu Dec 08, 2016 6:47 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3975
Location: Chantilly, VA

So when ASL shuns an IP, it's going to block any additional traffic from that IP (shun rules come before any other INPUT rules, unless you add something custom to override that). So did you mean you want to kill off any half-open connections before the kernel times them out, or kill off any threads or applications that IP might have been using, or both, or something else?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Immediate drop
Posted: Mon Jan 09, 2017 12:50 pm
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 2306

I don't honestly know the technical situation on what's happening, so I'd better describe a couple of the issues:

1) spammer connected on port 25, authenticated using guessed or stolen credentials and sending spam, one after another, in one long connection. Adding IP to firewall ineffective. Must kill qmail-smtp for qmail or whatever the postfix equivalent is to stop emails being added to the queue.

2) Attacker attempting to brute-force Plesk admin login and causing a DoS as a result. Adding IP to firewall is ineffective. Must restart sw-cp-server to kill attack. (We nevertheless really need a rule to look for and block Plesk 12/Onyx failed logins ASAP please, as discussed in a support case a month or two back)

Post subject: Re: Immediate drop
Posted: Wed Jan 11, 2017 9:19 am
Atomicorp Staff - Site Admin
Posts: 8273
Location: earth

How are you doing the drop? If it's coming in as an Add (-A) it's not going to do anything, since it's going to land after a NEW or otherwise RELATED,ESTABLISHED rule. -I INPUT 1 is going to put the rule at the very start of the list. Normally specifying the 1 here is kind of overkill, but if you're running into a situation where you can't be sure that the VPS kernel is ignoring a rule (and they DO) because of the position in the stack, this is a way to debug that.


Post subject: Re: Immediate drop
Posted: Wed Jan 11, 2017 10:21 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 2306

Ah!

I've just been doing an asl -bl [ip] rather than manually adding a rule.

And of course asl -bl adds them after the state=related/established rule.

So how about this instead then:

killip.sh
Code:
#!/bin/bash
#usage: killip.sh IP
if [ $# -ne 1 ]; then
    echo "usage: $0 IP" >&2
    exit 1
fi

#KILL THEM NOW (-I INPUT 1 puts the rule ahead of the RELATED,ESTABLISHED accept)
iptables -I INPUT 1 -s "$1" -j DROP

#BLACKLIST THEM SO THEY DON'T COME BACK
asl -bl "$1"


Is it worth adding iptables -I INPUT 2 -d $1 -j DROP as well?

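The two posts above explain the mechanism: a rule appended with -A, which is where the asl -bl entry currently lands, sits behind the RELATED,ESTABLISHED accept, so an open session keeps flowing, while -I INPUT 1 puts the DROP in front of everything (including any whitelist, which is the staff's reservation about doing it that way in the product). The script below is an added example, not the thread's killip.sh and not ASL code, that keeps that ordering and adds what you want when typing under pressure: it refuses anything that is not an IPv4 address before it reaches iptables or asl, does not stack a second copy of the rule on repeated runs (iptables -C), can remove the hand-inserted rule again once the blacklist entry is enough (a rule inserted by hand lasts only until the ruleset is next reloaded, which is why asl -bl is still run), and can be dry-run with DRY_RUN=1 to print the commands instead of executing them. DRY_RUN, IPTABLES and ASL are names assumed for this example. On the follow-up question about -d: a rule matching -d <attacker-ip> in INPUT never matches, because packets on INPUT are addressed to the server itself; the outbound half of a session would be matched with -d on OUTPUT, and dropping it adds nothing once the inbound side is already dropped.

```shell
#!/bin/sh
# Added example, not the thread's killip.sh and not part of ASL.
# usage: killip.sh IP        (DRY_RUN=1 prints the commands instead of running them)
IPTABLES="${IPTABLES:-iptables}"
ASL="${ASL:-asl}"

# Run a command, or just print it under DRY_RUN (assumed variable name).
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted quad with each octet 0-255. The argument goes straight
# into iptables and asl, so anything else means a wrong rule or a syntax error
# in the middle of an incident. printf adds a newline so an empty argument is
# one empty record (rejected), not zero records (which would pass).
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# True if the temporary DROP for $1 is already in INPUT (never true in dry-run).
drop_present() {
    [ -z "$DRY_RUN" ] && "$IPTABLES" -C INPUT -s "$1" -j DROP 2>/dev/null
}

# Stop the IP now and keep it out. DROP at position 1 sits ahead of the
# RELATED,ESTABLISHED accept (and ahead of any whitelist, so use it knowingly);
# an appended rule never gets a look at an already established session. The
# hand-inserted rule lasts only until the ruleset is reloaded, so the asl
# blacklist entry is what keeps the IP out afterwards.
killip() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "killip: '$ip' is not an IPv4 address" >&2; return 2; }
    drop_present "$ip" || run "$IPTABLES" -I INPUT 1 -s "$ip" -j DROP
    run "$ASL" -bl "$ip"
}

# Remove the temporary position-1 rule again, leaving the blacklist entry in place.
releaseip() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "releaseip: '$ip' is not an IPv4 address" >&2; return 2; }
    run "$IPTABLES" -D INPUT -s "$ip" -j DROP
}

# Only act when run as a script with an argument; sourcing it just defines the functions.
if [ $# -eq 1 ]; then
    killip "$1"
fi
```

`DRY_RUN=1 ./killip.sh 203.0.113.5` shows exactly the two commands that would run; without DRY_RUN it needs root. Once the blacklist rules sit ahead of the ESTABLISHED accept, `releaseip` can drop the temporary rule and the `-I INPUT 1` step becomes unnecessary.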
Post subject: Re: Immediate drop
Posted: Wed Jan 11, 2017 7:16 pm
Atomicorp Staff - Site Admin
Posts: 8273
Location: earth

Yes, absolutely, what you're doing there will totally work. In a product I'm a little more reluctant to do it that way (and we used to, for the record) since you may want to have something that always comes before that (whitelists, etc.).

Using -I and a position on INPUT guarantees it will be the very first thing netfilter is going to process in the stack which is a great way to see when/where the firewall component is starting to break down (just keep adding til it dies) or how other parts of the policy affect performance.


Post subject: Re: Immediate drop
Posted: Thu Jan 12, 2017 2:44 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3975
Location: Chantilly, VA

The established/related rule is being moved to after the blacklist family.

Post subject: Re: Immediate drop
Posted: Sun Jan 15, 2017 8:58 am
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 2306

Is this in v5?
