Bots are everywhere – even on your Tor(ified) RaspberryPi

When you put something online, you should expect some bot attacks. Nothing to be worried about: you just need to identify the attackers' IPs and block them. That's an easy task.

Let's see how to do it.


IDENTIFY ATTEMPT(S)

[root@jolek78-rpi3 ~]# cat /var/log/secure | less
[...]
Jul 21 09:25:31 jolek78-rpi3 sshd[zzzz]: reverse mapping checking getaddrinfo for host-xx.xx.xx.xx [xx.xx.xx.xx] failed - POSSIBLE BREAK-IN ATTEMPT!
Jul 21 09:25:31 jolek78-rpi3 sshd[zzzz]: Invalid user xxxx from xxx.xxx.xxx.xxx port xx
[...]

[root@jolek78-rpi3 ~]# cat -n /var/log/secure | grep -w "Invalid user" | awk '{print $11}' | wc -l
148


IDENTIFY IPS

[root@jolek78-rpi3 ~]# cat -n /var/log/secure | grep -w "Invalid user" | awk '{print $11}' | sort -u
103.xxx.xxx.xxx
113.xxx.xxx.xxx
115.xxx.xxx.xxx
[...]


CREATE A BLACKLIST

[root@jolek78-rpi3 Iptables]# iptables -N BLACKLIST
[root@jolek78-rpi3 Iptables]# iptables -I INPUT 1 -j BLACKLIST

[root@jolek78-rpi3 Iptables]# iptables -L BLACKLIST
Chain BLACKLIST (1 references)
target     prot opt source               destination

[root@jolek78-rpi3 Iptables]# iptables -A BLACKLIST -s 103.xxx.xxx.xxx -j DROP
[root@jolek78-rpi3 Iptables]# iptables -A BLACKLIST -s 113.xxx.xxx.xxx -j DROP
[root@jolek78-rpi3 Iptables]# iptables -A BLACKLIST -s 115.xxx.xxx.xxx -j DROP
[....]


CREATE A BANNED IP LIST SCRIPT

[root@jolek78-rpi3 Iptables]# vim blacklist.sh

#!/bin/sh
BASE=/sbin/iptables
CONF=/etc/sysconfig/iptables

# flush the chain, then re-add every offending IP once (sort -u avoids duplicate rules)
$BASE -F BLACKLIST
cat -n /var/log/secure | grep -w "Invalid user" | awk '{print $11}' | sort -u | while read -r IP
do
    $BASE -A BLACKLIST -s "$IP" -j DROP
done

# persist the rules so they survive a reboot
"${BASE}-save" > "$CONF"


VERIFY

[root@jolek78-rpi3 Iptables]# cat -n /var/log/secure | grep -w "Invalid user" | awk '{print $11}' | sort -u
113.xxx.xxx.xxx
185.xxx.xxx.xxx
41.xxx.xxx.xxx
115.xxx.xxx.xxx
[....]

[root@jolek78-rpi3 Iptables]# iptables -L BLACKLIST -n | tail -5
DROP       all  --  68.xxx.xxx.xxx       0.0.0.0/0
DROP       all  --  68.xxx.xxx.xxx       0.0.0.0/0
DROP       all  --  41.xxx.xxx.xxx       0.0.0.0/0
DROP       all  --  115.xxx.xxx.xxx      0.0.0.0/0
[....]


CREATE A CRONJOB EVERY 10 MINUTES

[root@jolek78-rpi3 Iptables]# crontab -e
*/10 * * * * /home/jolek78/Iptables/blacklist.sh

[root@jolek78-rpi3 Iptables]# systemctl restart crond

[root@jolek78-rpi3 Iptables]# systemctl status crond
● crond.service - Command Scheduler
   Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-07-21 12:37:46 BST; 9s ago
 Main PID: 10402 (crond)
   CGroup: /system.slice/crond.service
           └─10402 /usr/sbin/crond -n

[root@jolek78-rpi3 Iptables]# crontab -l
*/10 * * * * /home/jolek78/Iptables/blacklist.sh
[root@jolek78-rpi3 Iptables]#
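The whole pipeline above (parse the log, dedupe the IPs, build the DROP rules) as an added, offline example; it is not the post's blacklist.sh. It goes a bit further than the post: it keys on the word after "from" instead of a fixed column, also catches "Failed password for invalid user" lines, and skips an allowlist so the cron job cannot lock you out. The log lines, the addresses (RFC 5737 documentation ranges) and the allowlist are constructed for the example; it prints the iptables commands rather than running them.

```shell
#!/bin/sh
# Added example, not the original post's script. Parses sshd log lines,
# dedupes the offending IPs and prints the iptables commands blacklist.sh
# would run, so they can be reviewed before touching the firewall.

# Constructed sample of /var/log/secure lines (documentation addresses).
SAMPLE_LOG='Jul 21 09:25:31 jolek78-rpi3 sshd[4242]: Invalid user admin from 203.0.113.5 port 51122
Jul 21 09:25:33 jolek78-rpi3 sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Jul 21 09:26:02 jolek78-rpi3 sshd[4250]: Invalid user test from 198.51.100.7 port 40010
Jul 21 09:26:40 jolek78-rpi3 sshd[4251]: Accepted publickey for jolek78 from 192.0.2.10 port 50000 ssh2
Jul 21 09:27:11 jolek78-rpi3 sshd[4260]: Invalid user oracle from 203.0.113.5 port 51400
Jul 21 09:28:00 jolek78-rpi3 sshd[4270]: Invalid user root from 192.0.2.10 port 50001'

# Addresses that must never be dropped (your own admin host); constructed value.
ALLOWLIST='192.0.2.10'

# extract_ips: read log lines on stdin, print each offending IP once.
# Keys on the "invalid user" phrase and the field after "from", so it does
# not depend on a fixed column like awk '{print $11}' (which shifts if the
# line layout changes, e.g. without cat -n).
extract_ips() {
    awk 'tolower($0) ~ /invalid user/ {
            for (i = 1; i < NF; i++) if ($i == "from") { print $(i+1); break }
         }' | sort -u
}

# build_rules: turn the IP list on stdin into the iptables commands the cron
# job would run, skipping allowlisted addresses.
build_rules() {
    while read -r ip; do
        case " $ALLOWLIST " in *" $ip "*) continue ;; esac
        printf '%s\n' "/sbin/iptables -A BLACKLIST -s $ip -j DROP"
    done
}

# Stand-alone usage: show what would be applied.
printf '%s\n' "$SAMPLE_LOG" | extract_ips | build_rules
```

Pipe the output to sh only after checking it; the allowlist is the one line that keeps a mistyped login from your own host out of the chain.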


Music: Winter Night Artist: The Rinn || Album: Stories Of The Green Fairy

— Jolek78