Tuesday, October 25, 2016

fail2ban: autoreporting attack to www.abuseipdb.com

Create the file /etc/fail2ban/action.d/abuseipdb.conf
# Fail2Ban configuration file
#
# Author: IGAM Muliarsa
#
#

# Action to report an IP address to abuseipdb.com
# You must sign up at https://www.abuseipdb.com
# This action requires an API_KEY
# https://www.abuseipdb.com/report/json?key=[API_KEY]&category=[CATEGORIES]&comment=[COMMENT]&ip=[IP]
#
# IMPORTANT:
#
# Reporting an IP for abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
#   * The recidive jail, where the IP has been banned multiple times
#   * Where maxretry has been set quite high, beyond a normal user typing a
#     password incorrectly.
#   * For filters that have a low likelihood of receiving human errors
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = curl --data 'key=<apikey>' --data 'category=<category>' --data 'ip=<ip>' --data-urlencode 'comment=<matches>' --user-agent 'fail2ban v0.8.12' 'https://www.abuseipdb.com/report/json'

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban =

[Init]

# Option:  apikey
# Notes.:  your API key from your abuseipdb.com user account
# Values:  STRING  Default: None
#
apikey = REPLACE_WITH_YOUR_API_KEY

# Option:  service
# Notes.:  service name you are reporting on, typically aligns with the filter name
# Values:  STRING  Default: None
#
#service =
Edit /etc/fail2ban/jail.conf
...
[sshd]

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter = sshd
action = iptables-ipset-proto4[]
        mlocaldb[category=10]
        abuseipdb[category=4,18,22]
...
To find the available categories, follow this rule.
Restart your fail2ban.
Tested on Fail2ban 0.9.x


Thursday, October 13, 2016

PHP >= 5.5: password hashing

To hash a password (using the default algorithm, bcrypt)

$mypass = "password";
$myhash = password_hash($mypass, PASSWORD_DEFAULT);

To verify a password against the stored hash

$brutepass = "test";
password_verify($brutepass, $myhash); // true or false

Storing the password hash in a database

"Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)." So varchar(255) is a reasonable choice.


Tuesday, October 11, 2016

PHP 5: GeoIP

Install the PHP GeoIP extension and databases

# apt-get install geoip-bin geoip-database geoip-database-extra php5-geoip php5-geos

Updating the GeoIP database from sid (choose your mirror)

# wget http://kambing.ui.ac.id/debian/pool/main/g/geoip-database/geoip-database-extra_20160912-1_all.deb
# wget http://kambing.ui.ac.id/debian/pool/main/g/geoip-database/geoip-database_20160912-1_all.deb
# dpkg -i geoip-database_20160912-1_all.deb
# dpkg -i geoip-database-extra_20160912-1_all.deb  

To convert an IP address to an integer

$ip = ip2long('119.249.54.66');

To convert an integer back to an IP address

$hostip = long2ip($ip);

To get the 3-character country code

echo geoip_country_code3_by_name($hostip);

To get the country name

echo geoip_country_name_by_name($hostip);

To get the country code and region

echo var_dump(geoip_region_by_name($hostip))."<br>";
Error: mod_fcgid: stderr: PHP Warning:  geoip_region_by_name(): Required database not available at /usr/share/GeoIP/GeoIPRegion.dat. ??? Maybe this requires the premium subscription service ???


China DDOS SSH 2016-10-11 Involving 12 IPs

Log:
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]
Oct 11 01:28:56 mars sshd[29033]: fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
Oct 11 04:40:43 mars sshd[2440]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 04:43:11 mars sshd[2477]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 04:44:12 mars sshd[2482]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:45:11 mars sshd[2886]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 04:45:45 mars sshd[3419]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 04:52:32 mars sshd[4427]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 04:53:53 mars sshd[4433]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 04:56:15 mars sshd[5350]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 04:57:21 mars sshd[5384]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:57:52 mars sshd[5387]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 04:58:10 mars sshd[5390]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:02:36 mars sshd[6364]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:08:11 mars sshd[7341]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:09:53 mars sshd[7399]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 05:16:53 mars sshd[9285]: Received disconnect from 121.18.238.109: 11:  [preauth]
Oct 11 05:18:51 mars sshd[9323]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 05:18:54 mars sshd[9325]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 05:25:45 mars sshd[11293]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 05:26:41 mars sshd[11297]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:29:04 mars sshd[11335]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:30:10 mars sshd[11717]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:31:35 mars sshd[12252]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:37:35 mars sshd[13232]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:40:48 mars sshd[14251]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:47:08 mars sshd[15236]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:51:46 mars sshd[16208]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:54:15 mars sshd[16266]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:57:01 mars sshd[17206]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 06:13:24 mars sshd[20155]: Connection closed by 221.194.47.208 [preauth]
Oct 11 06:16:53 mars sshd[21101]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 06:34:57 mars sshd[24362]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 06:40:53 mars sshd[26291]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 06:41:43 mars sshd[26296]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 06:41:58 mars sshd[26299]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 06:50:14 mars sshd[27709]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 07:55:39 mars sshd[8437]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 08:01:33 mars sshd[9618]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 08:03:14 mars sshd[9627]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 08:04:00 mars sshd[9632]: Received disconnect from 119.249.54.75: 11:  [preauth]
Here are the attacker IPs:
  1. 119.249.54.66
  2. 119.249.54.68
  3. 119.249.54.75
  4. 119.249.54.88
  5. 121.18.238.104
  6. 121.18.238.109
  7. 121.18.238.114
  8. 121.18.238.98
  9. 221.194.47.208
  10. 221.194.47.224
  11. 221.194.47.229
  12. 221.194.47.249
Other IPs seen before the attack began:
  1. 113.108.21.16
     Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
  2. 124.232.156.78
     Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]
  3. 183.129.160.229
     Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Sequence of each IP's attempts (one row per [preauth] disconnect):
No  Time              From             Method  Auth
 1  2016-10-11 4:40   121.18.238.114   : 11:   [preauth]
 2  2016-10-11 4:43   119.249.54.75    : 11:   [preauth]
 3  2016-10-11 4:44   221.194.47.208   : 11:   [preauth]
 4  2016-10-11 4:45   221.194.47.229   : 11:   [preauth]
 5  2016-10-11 4:45   221.194.47.224   : 11:   [preauth]
 6  2016-10-11 4:52   221.194.47.249   : 11:   [preauth]
 7  2016-10-11 4:53   121.18.238.98    : 11:   [preauth]
 8  2016-10-11 4:56   119.249.54.68    : 11:   [preauth]
 9  2016-10-11 4:57   221.194.47.208   : 11:   [preauth]
10  2016-10-11 4:57   121.18.238.104   : 11:   [preauth]
11  2016-10-11 4:58   221.194.47.229   : 11:   [preauth]
12  2016-10-11 5:02   221.194.47.249   : 11:   [preauth]
13  2016-10-11 5:08   221.194.47.249   : 11:   [preauth]
14  2016-10-11 5:09   119.249.54.68    : 11:   [preauth]
15  2016-10-11 5:16   121.18.238.109   : 11:   [preauth]
16  2016-10-11 5:18   119.249.54.75    : 11:   [preauth]
17  2016-10-11 5:18   121.18.238.114   : 11:   [preauth]
18  2016-10-11 5:25   221.194.47.224   : 11:   [preauth]
19  2016-10-11 5:26   119.249.54.66    : 11:   [preauth]
20  2016-10-11 5:29   221.194.47.229   : 11:   [preauth]
21  2016-10-11 5:30   119.249.54.66    : 11:   [preauth]
22  2016-10-11 5:31   121.18.238.104   : 11:   [preauth]
23  2016-10-11 5:37   221.194.47.229   : 11:   [preauth]
24  2016-10-11 5:40   121.18.238.104   : 11:   [preauth]
25  2016-10-11 5:47   119.249.54.88    : 11:   [preauth]
26  2016-10-11 5:51   121.18.238.104   : 11:   [preauth]
27  2016-10-11 5:54   119.249.54.88    : 11:   [preauth]
28  2016-10-11 5:57   121.18.238.98    : 11:   [preauth]
29  2016-10-11 6:13   221.194.47.208           [preauth]
30  2016-10-11 6:16   121.18.238.104   : 11:   [preauth]
31  2016-10-11 6:34   121.18.238.114   : 11:   [preauth]
32  2016-10-11 6:40   119.249.54.68    : 11:   [preauth]
33  2016-10-11 6:41   119.249.54.75    : 11:   [preauth]
34  2016-10-11 6:41   221.194.47.249   : 11:   [preauth]
35  2016-10-11 6:50   121.18.238.98    : 11:   [preauth]
36  2016-10-11 7:55   119.249.54.88    : 11:   [preauth]
37  2016-10-11 8:01   221.194.47.208   : 11:   [preauth]
38  2016-10-11 8:03   121.18.238.104   : 11:   [preauth]
39  2016-10-11 8:04   119.249.54.75    : 11:   [preauth]
It is better to block those IPs as whole /24 blocks:
For iptables:
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 121.18.238.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 221.194.47.0/24 -j DROP
If you have no business with them, just block all incoming connections from them:
# iptables -A INPUT -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -s 121.18.238.0/24 -j DROP
# iptables -A INPUT -s 221.194.47.0/24 -j DROP
If you have ipset installed, follow this guide to set up ipset, and download the SSH blacklist ipset from here.
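The grouping done by hand above (pick out the [preauth] disconnects, collapse the sources into /24 networks, emit one DROP rule per network) can be automated. This Python script is an added example, not part of the original post; SAMPLE_LOG is a constructed subset modelled on the log above, and the min_hosts threshold is an assumption (a /24 is only blocked when at least that many distinct hosts in it were seen).

```python
import re
import ipaddress
from collections import Counter

# Constructed sample (hypothetical subset modelled on the sshd log above).
SAMPLE_LOG = """\
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
Oct 11 04:40:43 mars sshd[2440]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 04:43:11 mars sshd[2477]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 04:44:12 mars sshd[2482]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:53:53 mars sshd[4433]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 04:56:15 mars sshd[5350]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 06:13:24 mars sshd[20155]: Connection closed by 221.194.47.208 [preauth]
Oct 11 06:41:58 mars sshd[26299]: Received disconnect from 221.194.47.249: 11:  [preauth]
"""

# Only sessions dropped before authentication count; the protocol-probe lines
# ("Bad protocol version", "Did not receive identification string") are ignored.
PREAUTH_RE = re.compile(
    r"sshd\[\d+\]: (?:Received disconnect from|Connection closed by) "
    r"(\d{1,3}(?:\.\d{1,3}){3})\b.*\[preauth\]$"
)

def preauth_hits(log_text):
    """Map each source IP to its number of [preauth] disconnects."""
    hits = Counter()
    for line in log_text.splitlines():
        m = PREAUTH_RE.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits

def group_by_slash24(hits, min_hosts=2):
    """Collapse IPs into /24 networks, keeping nets with >= min_hosts distinct hosts."""
    nets = {}
    for ip in hits:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        nets.setdefault(net, set()).add(ip)
    return {str(net): sorted(ips, key=ipaddress.ip_address)
            for net, ips in nets.items() if len(ips) >= min_hosts}

def iptables_rules(networks, port=22):
    """Render the same per-/24 DROP rules as the post, one per network."""
    return [f"iptables -A INPUT -p tcp -m tcp --dport {port} -s {net} -j DROP"
            for net in sorted(networks, key=ipaddress.ip_network)]

if __name__ == "__main__":
    blocks = group_by_slash24(preauth_hits(SAMPLE_LOG))
    print("\n".join(iptables_rules(blocks)))
```

Feed it the real /var/log/auth.log instead of SAMPLE_LOG and raise min_hosts if a single noisy host should not get its whole /24 dropped.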

Monday, October 10, 2016

PHP >5.3: DateTime

Example: constructing a DateTime object

$datetime = new DateTime("now");
$datetime = new DateTime('2000-01-01');

Example: formatting a DateTime for output

echo $datetime->format('Y-m-d\TH:i:s');

Example: adding one hour

$datetime->add(new DateInterval('PT1H'));

Example: adding 10 days

$datetime->add(new DateInterval('P10D'));
Note (ISO 8601 duration designators):
  • P: Period
  • T: Time

Comparing two DateTime objects

$datetime = new DateTime('2016-10-10');
$datetime2 = new DateTime('2016-10-9');
echo var_dump($datetime > $datetime2).' $datetime > $datetime2 <br>'; // bool(true) $datetime > $datetime2 
echo var_dump($datetime < $datetime2).' $datetime < $datetime2 <br>'; // bool(false) $datetime < $datetime2 

