The package I am going to be using is called fail2ban. Fail2ban scans log files and bans IP addresses that produce too many failed login attempts. It then updates firewall rules to reject the attackers IP address.

Step 1: Installing the fail2ban package

Type or copy and paste the following into your server.

apt-get install fail2ban

Once this is done, you are now setup and now you have to setup the configuration files.

Step 2:

Edit /etc/fail2ban/fail2ban.conf

nano -w /etc/fail2ban/fail2ban.conf

Your fail2ban.conf should look something like this (the commented lines have been removed)

[Definition]
loglevel = 3
logtarget = /var/log/fail2ban.log
socket = /tmp/fail2ban.sock

Step 3:

Edit /etc/fail2ban/jail.conf

nano -w /etc/fail2ban/jail.conf

Your jail.conf should look something like this (again comments have been removed)

[DEFAULT]
ignoreip = 127.0.0.1
bantime = 18000
maxretry = 3

backend = polling
destemail = youremail@domain.com
action = iptables[name=%(__name__)s, port=%(port)s]
mail-whois-lines[name=%(__name__)s, dest=%(destemail)s, logpath=%(logpath)s]

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

[apache]

enabled = false
port = http
filter = apache-auth
logpath = /var/log/apache*/*access.log
maxretry = 6

[apache-noscript]

enabled = false
port = http
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[vsftpd]

enabled = false
port = ftp
filter = vsftpd
logpath = /var/log/auth.log
maxretry = 6

[proftpd]

enabled = false
port = ftp
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6

[wuftpd]

enabled = false
port = ftp
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6

[postfix]

enabled = false
port = smtp
filter = postfix
logpath = /var/log/mail.log

[couriersmtp]

enabled = true
port = smtp
filter = couriersmtp
logpath = /var/log/mail.log

[courierimap]

enabled = true
port = imap2
filter = courierlogin
failregex = imapd: LOGIN FAILED.*ip=\[.*:\]
logpath = /var/log/mail.log
maxretry = 5

[courierpop3]

enabled = true
port = pop3
filter = courierlogin
failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:\]
logpath = /var/log/mail.log
maxretry = 5

[sasl]

enabled = true
port = smtp
filter = sasl
failregex = warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
logpath = /var/log/mail.log

Please change the email section if you are going to directly copy and paste this config. Right now, when someone attempts a bruteforce attack, fail2ban will firewall the ip address, and send an email to that email address with the whois information, and the log information from the attack.

You can now start/restart fail2ban, I recommend using a restart just in case fail2ban is already running.

/etc/init.d/fail2ban restart

Please don’t use this as your only security measure. This is just one step you can take to protecting your servers.

I’m sure there are many ways to prevent these people from harvesting your bandwidth, if you use apache with mod_rewrite, just by adding a couple lines of text to a file called .htaccess will do wonders.

What is Hotlinking?

Straight from Wikipedia:

Hotlinking aka. Inline linking is the placing of a linked object, often an image, from one site into a web page belonging to a second site. The second site is said to have an inline link to the site where the object is located. Inline linking is also known as leeching, direct linking or bandwidth theft.

Let’s start by opening up a text editor and creating a file called .htaccess In this file you want to put something like this:


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?attackofthegamer.com/.*$ [NC]
RewriteRule \.(gz|zip|rar|gif|jpg|js|css)$ - [F]


Basically what this does is check if a request to any file with a .gz .zip .rar .gif .jpg .js .css extension comes from the referring URL http://www.attackofthegamer.com If the request comes from a referral that isn’t http://www.attackofthegamer.com it’s rejected. You will want to swap the domain for your own to make it work.

If you are just protecting images. You can mess with the culprit and change the image on them to something of your choice, with a comical outcome. Just create a .htaccess file that looks like this.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(png|gif|jpg)$ http://www.mydomain.com/badimage.gif [R,L]

Just change the domain name, and the url to the image you want to swap with and you are set. Once you have the .htaccess file created use your FTP program and upload it to each directory you want to protect.

Voila, you should now be protecting against bandwidth pirates. Happy Hunting.