Immediate drop
Is there a way to totally kill all connections from a particular IP?
We've been suffering from brute force attacks on Plesk itself, resulting in server load skyrocketing and the database becoming inaccessible.
When I see this happening, I immediately blacklist the IP in question, which adds it to the block list in the ASL firewall, but this does not kill off the existing connections from this IP, which continue to cause problems.
The same thing can happen with an email spam attack when the sender keeps sending via an existing open connection.
For Plesk, the safest thing to do is restart psa, but just today this took ages due to the high load.
For email, you tend to have to find the qmail-smtp processes and kill them off manually.
All of this is inconvenient and in some cases difficult to do when you are in panic mode.
So...
Is there a way to immediately stop an IP in its tracks? To drop all related connections -- everything, basically, from a particular IP?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Re: Immediate drop
The package dsniff (in EPEL) provides a command called "tcpkill" which you can use to kill TCP connections. I think it is as simple as
Code: Select all
tcpkill host <offending-ip>
Lemonbit Internet Dedicated Server Management
Re: Immediate drop
That looks perfect but it comes in a collection of tools that would typically be used for bad things - which raises some concerns.
Still, one would hope that a package in epel would be trustworthy.
Re: Immediate drop
I'm just being too cautious, that's all.
I tend to assume packages of this nature are more likely to be a target for "subversion" than others.
- mikeshinn
- Atomicorp Staff - Site Admin
Re: Immediate drop
So when ASL shuns an IP, it's going to block any additional traffic from that IP (shun rules come before any other INPUT rules, unless you add something custom to override that). So did you mean you want to kill off any half-open connections before the kernel times them out, or kill off any threads or applications that IP might have been using, or both, or something else?
Michael Shinn
Atomicorp - Security For Everyone
Re: Immediate drop
I don't honestly know the technical situation on what's happening, so I'd better describe a couple of the issues:
1) spammer connected on port 25, authenticated using guessed or stolen credentials and sending spam, one after another, in one long connection. Adding IP to firewall ineffective. Must kill qmail-smtp for qmail or whatever the postfix equivalent is to stop emails being added to the queue.
2) Attacker attempting to brute-force Plesk admin login and causing a DoS as a result. Adding IP to firewall is ineffective. Must restart sw-cp-server to kill attack. (We nevertheless really need a rule to look for and block Plesk 12/Onyx failed logins ASAP please, as discussed in a support case a month or two back)
- Atomicorp Staff - Site Admin
Re: Immediate drop
How are you doing the drop? If it's coming in as an Add (-A) it's not going to do anything, since it's going to land after a NEW or otherwise RELATED,ESTABLISHED rule. -I INPUT 1 is going to put the rule at the very start of the list. Normally specifying the 1 here is kind of overkill, but if you're running into a situation where you can't be sure that the VPS kernel is ignoring a rule (and they DO) because of the position in the stack, this is a way to debug that.
Re: Immediate drop
Ah!
I've just been doing an asl -bl [ip] rather than manually adding a rule.
And of course asl -bl adds them after the state=related/established rule.
So how about this instead then:
killip.sh
#!/bin/bash
# usage: killip.sh IP
[ $# -eq 1 ] || { echo "usage: $0 IP" >&2; exit 1; }
# KILL THEM NOW: insert at position 1 so the DROP precedes the RELATED,ESTABLISHED accept
iptables -I INPUT 1 -s "$1" -j DROP
# BLACKLIST THEM SO THEY DON'T COME BACK
asl -bl "$1"
Is it worth adding iptables -I INPUT 2 -d $1 -j DROP as well?
- Atomicorp Staff - Site Admin
Re: Immediate drop
Yes, absolutely, what you're doing there will totally work. In a product I'm a little more reluctant to do it that way (and we used to, for the record) since you may want to have something that always comes before that (whitelists, etc).
Using -I and a position on INPUT guarantees it will be the very first thing netfilter is going to process in the stack which is a great way to see when/where the firewall component is starting to break down (just keep adding til it dies) or how other parts of the policy affect performance.
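The point made in the last few posts, that a DROP appended with -A never sees packets of an already-established connection because the RELATED,ESTABLISHED accept is evaluated first, can be checked from the rule listing itself. The script below is an added example and is not code from this thread, from ASL or from Atomicorp: it reads a listing in `iptables -S INPUT` format (the one embedded here is constructed sample data, including the 203.0.113.45 address), reports whether a DROP for a given IP precedes the conntrack accept, and simulates what `iptables -I INPUT 1` changes. The function names and the sample rules are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from ASL: check whether a DROP for an
# IP actually precedes the RELATED,ESTABLISHED accept in the INPUT chain, and
# simulate what "iptables -I INPUT 1" changes. iptables evaluates rules in order,
# so a DROP appended with -A lands after the conntrack accept and never sees
# packets of a connection that is already established.

# Constructed sample listing in `iptables -S INPUT` format (not from a real host).
# The DROP for 203.0.113.45 was appended with -A, i.e. after the conntrack accept.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.45/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# rule_position LISTING REGEX: 1-based position, among the -A INPUT lines, of the
# first rule matching REGEX; prints 0 when nothing matches.
rule_position() {
  printf '%s\n' "$1" | awk -v pat="$2" '
    /^-A INPUT/ { n++; if (!found && $0 ~ pat) found = n }
    END { print found + 0 }'
}

# drop_is_effective IP LISTING: succeeds (exit 0) only if a DROP for IP exists and
# sits before the RELATED,ESTABLISHED accept (or there is no such accept at all).
drop_is_effective() {
  drop_pos=$(rule_position "$2" "-s $1/32 .*-j DROP")
  est_pos=$(rule_position "$2" "RELATED,ESTABLISHED -j ACCEPT")
  [ "$drop_pos" -gt 0 ] || return 1
  [ "$est_pos" -eq 0 ] || [ "$drop_pos" -lt "$est_pos" ]
}

# insert_drop_first IP LISTING: prints the listing as it would look after
# "iptables -I INPUT 1 -s IP -j DROP", i.e. the DROP becomes the first -A INPUT rule.
insert_drop_first() {
  printf '%s\n' "$2" | awk -v ip="$1" '
    /^-A INPUT/ && !done { print "-A INPUT -s " ip "/32 -j DROP"; done = 1 }
    { print }'
}

# Stand-alone demonstration against the constructed listing.
if drop_is_effective 203.0.113.45 "$SAMPLE_RULES"; then
  echo "DROP for 203.0.113.45 precedes the conntrack accept: existing connections are cut"
else
  echo "DROP for 203.0.113.45 lands after RELATED,ESTABLISHED: use 'iptables -I INPUT 1'"
fi
FIXED=$(insert_drop_first 203.0.113.45 "$SAMPLE_RULES")
drop_is_effective 203.0.113.45 "$FIXED" && echo "after -I INPUT 1 the DROP is rule $(rule_position "$FIXED" "-j DROP")"
```

On a live host, feed the functions the output of `iptables -S INPUT` instead of the sample. Note that a correctly placed DROP only stops further packets from the address: the server-side process that was already handling the session (a qmail-smtpd, for example) keeps waiting on the dead socket until its own timeout fires, which is why killing the process, or the connection with tcpkill, still comes up in this thread.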
- mikeshinn
- Atomicorp Staff - Site Admin
Re: Immediate drop
The establish/related rule is being moved to after the blacklist family.
Michael Shinn
Atomicorp - Security For Everyone
Re: Immediate drop
Is this in v5?