Immediate drop

faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Immediate drop

Unread post by faris »

Is there a way to totally kill all connections from a particular IP?

We've been suffering from brute force attacks on Plesk itself, resulting in server load skyrocketing and the database becoming inaccessible.

When I see this happening, I immediately blacklist the IP in question, which adds it to the block list in the ASL firewall, but this does not kill off the existing connections from this IP, which continue to cause problems.

The same thing can happen with an email spam attack when the sender keeps sending via an existing open connection.

For Plesk, the safest thing to do is restart psa, but just today this took ages due to the high load.
For email, you tend to have to find the qmail-smtp processes and kill them off manually.

All of this is inconvenient and in some cases difficult to do when you are in panic mode.

So...

Is there a way to immediately stop an IP in its tracks? To drop all related connections -- everything, basically, from a particular IP?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Immediate drop

Unread post by prupert »

The package dsniff (in EPEL) provides a command called "tcpkill" which you can use to kill TCP connections. I think it is as simple as

Code: Select all

tcpkill host <offending-ip>
Lemonbit Internet Dedicated Server Management
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Immediate drop

Unread post by faris »

That looks perfect but it comes in a collection of tools that would typically be used for bad things - which raises some concerns.

Still, one would hope that a package in epel would be trustworthy.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Immediate drop

Unread post by prupert »

What are your concerns exactly?
Lemonbit Internet Dedicated Server Management
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Immediate drop

Unread post by faris »

I'm just being too cautious, that's all.

I tend to assume packages of this nature are more likely to be a target for "subversion" than others.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4132
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Immediate drop

Unread post by mikeshinn »

So when ASL shuns an IP, its going to block any additional traffic from that IP (shun rules come before any other INPUT rules, unless you add something custom to override that). So did you mean you want to kill off any half open connections before the kernel times them out, or kill off any threads or applications that IP might have been using, or both, or something else?
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Immediate drop

Unread post by faris »

I don't honestly know the technical situation on what's happening, so I'd better describe a couple of the issues:

1) spammer connected on port 25, authenticated using guessed or stolen credentials and sending spam, one after another, in one long connection. Adding IP to firewall ineffective. Must kill qmail-smtp for qmail or whatever the postfix equivalent is to stop emails being added to the queue.

2) Attacker attempting to brute-force Plesk admin login and causing a DoS as a result. Adding IP to firewall is ineffective. Must restart sw-cp-server to kill attack. (We nevertheless really need a rule to look for and block Plesk 12/Onyx failed logins ASAP please, as discussed in a support case a month or two back)
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8337
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Immediate drop

Unread post by scott »

How are you doing the drop? If its coming in as an Add (-A) its not going to do anything since its going to land after a NEW or otherwise RELATED,ESTABLISHED rule. -I INPUT 1 is going to put the rule at the very start of the list. Normally specifying the 1 here is kind of overkill, but if you're running into a situation where you cant be sure that the VPS kernel is ignoring a rule (and they DO) because of the position in the stack, this is a way to debug that.
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Immediate drop

Unread post by faris »

Ah!

I've just been doing an asl- bl [ip] rather than manually adding a rule.

And of course asl -bl adds them after the state=related/established rule.

So how about this instead then:

killip.sh

Code: Select all

#!/bin/bash
#usage: killip.sh IP

#KILL THEM NOW
iptables -I INPUT 1 -s $1 -j DROP

#BLACKLIST THEM SO THEY DON'T COME BACK
asl -bl $1
Is it worth adding iptables -I INPUT 2 -d $1 -j DROP as well?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
scott
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 8337
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth
Contact:

Re: Immediate drop

Unread post by scott »

Yes absolutely what you're doing there will totally work. In a product Im a little more reluctant to do it that way (and we used to, for the record) since you may want to have something that always comes before that (whitelists, etc).

Using -I and a position on INPUT guarantees it will be the very first thing netfilter is going to process in the stack which is a great way to see when/where the firewall component is starting to break down (just keep adding til it dies) or how other parts of the policy affect performance.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4132
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Immediate drop

Unread post by mikeshinn »

The establish/related rule is being moved to after the blacklist family.
faris
Long Time Forum Regular
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Immediate drop

Unread post by faris »

Is this in v5?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4132
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Immediate drop

Unread post by mikeshinn »

Yes.
Post Reply