  • [Feature Request] Honeybot for certain countries?

    Hello there,

    While checking the incidents page, I've noticed that I have so many WordPress login attempts or Postfix SASL authentication failures from countries that I'm sure we don't have a client in.

    Is it possible to have an option to blacklist immediately the IP addresses from certain countries that do specific things, such as trying to access the WordPress login page or trying to authenticate to the mail server, or ...?

    Thanks
    Iman

  • #2
    Hey

    Yeah, I know about the country block feature and it's working fine. But I was looking for something to prevent visitors from certain countries from being able to authenticate, or ... For example, I have several visitors from China and that's fine. But meanwhile I have so many hack attempts from China as well. I don't want to block all of them, but to block those who are trying to log in to WordPress or trying to authenticate to the mail server, and ...

    It would be awesome if we had such a feature in newer versions of Imunify360.

    Thank you,
    Iman


    • #3
      Or why not do it for visitors from a country using a specific port or application type.
      Hostking | Since 2013 | Web Hosting | WordPress Web Hosting


      • #4
        Yes! Thanks


        • #5
          Hi,

          I just made a simple shell script that works with the Imunify360-agent CLI. It scans Imunify360 incidents and moves IPs to the blacklist based on some rules that the user can specify. For example, block any attempts to log in to WordPress from certain countries, or even block any attempts which are not from the allowed countries list.

          I made it in such a way that the user can define different rules for different countries and incidents.

          How to use it:

          1. Connect to your server via SSH

          2. Make a directory, for example in your home directory, and name it ccprotect

          Code:
          mkdir /home/myuser/ccprotect
          3. Download the attached file and unzip it inside this directory.

          4. Go to the rules directory and edit the files the way you need them. You need at least one .rule file, and if you don't need the others you can remove them. I put in a file named custom_rule.temp which you can use as an empty template for your rules:

          Code:
          cp custom_rule.temp my_own_rule.rule
          5. In each rule, there are 5 variables that you need to fill in:

          RULE_NAME: Just a name for your rule.

          CMDS: Grab a part of the incident's event and put it here. For example: "WordPress login attempt", or if you want to check for more than one incident, use it like this: "WordPress login attempt|Dovecot brute force attack|Attempt to login using a non-existent user". Please note that you should put a | sign between incidents; it works like the bitwise OR operator.

          DENY_COUNTRIES: List of the countries that are checked for the incidents. If the IP address belongs to this list, it will be added to the blacklist immediately. Country codes should be entered in two-character format; you may find the whole list here:

          Complete list of Country Codes - ISO ALPHA-2, ISO ALPHA-3 and Numerical Country Codes


          ALLOW_COUNTRIES: List of the countries that won't be checked for the incidents. If the IP address doesn't belong to this list, it will be blocked immediately.

          MODE: allow or deny. "allow" means ALLOW_COUNTRIES is in action (more restrictive), and "deny" means the rules will only apply to the DENY_COUNTRIES list.

          6. Once you are done with the rule files, run the scan.sh file once to see if it's working fine or not. It will read the incidents of the last 10 minutes and apply the rules to them.

          7. If it worked successfully, you need to go to "Plesk > Tools and Settings > Scheduled Tasks" and add a new task. Task Type should be "Run a command".
          Command should be "/home/iman/ccprotect/scan.sh" (make sure to replace the path with the path where you've uploaded the script).
          Run should be "Cron style" and the value "*/2 * * * *".
          Put in a description for yourself and set notify to "errors only" at first. Once it runs successfully, you may edit it and set it to "Do not notify", because it will send you an email every two minutes.

          I hope this helps. It was very useful for myself. But please note that you need to check the rule files carefully and make sure you are not blocking yourself. Please use this at your own risk.

          Thanks,
          Iman


          • #6
            > ImanGM, looks great! I passed it to our analytics team.
            > Thanks for sharing the script!

            You are welcome. It's working fine for me. If the analysis team accepts the way I've made it as a temporary solution, I guess it would be easy to monitor other logs such as MySQL and ... to identify brute-force or other kinds of attacks and block them via Imunify360-agent...

            Cheers
            Iman


            • #7
              To optimize resource usage after the growth of the Black list (over 12k IPs), we use blocking with expiration.

              Code:
              # expiration is an epoch timestamp; the date string must be quoted so "2 days" reaches date as one argument
              BLACKLIST_CMD=$(echo imunify360-agent blacklist ip add "$IP360" --expiration "$(date +%s --date='2 days')" --comment "Restricted Country Auto Block by script")

              Hope it will be useful for other participants.

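An added example, not the script ImanGM attached in #5 and not Imunify360's own code: a dry-run POSIX sh version of the rule logic described in #5 (RULE_NAME, CMDS as a `|`-joined alternation, DENY_COUNTRIES, ALLOW_COUNTRIES, MODE) combined with the expiring blacklist entry from #7. The incident lines, IP addresses and country codes are constructed for the demo; the real `imunify360-agent` incident output is JSON, and a wrapper would need to extract the abuser IP, country and event name from it, which this example assumes has already been done. It prints the command it would run instead of executing it, so the rule can be checked against sample input before anything is blacklisted, and the expiration timestamp is computed with shell arithmetic rather than GNU `date --date` so that it is portable.

```shell
#!/bin/sh
# Dry-run rule matcher in the shape of the ccprotect rules from post #5.
# Nothing here calls imunify360-agent; the command that would run is printed.

# Constructed sample incidents (not real data): "IP COUNTRY EVENT" per line.
SAMPLE_INCIDENTS='203.0.113.10 CN WordPress login attempt
198.51.100.7 DE Dovecot brute force attack
192.0.2.44 CN Attempt to login using a non-existent user
192.0.2.9 US WordPress login attempt
203.0.113.77 IR Some harmless event'

# Rule variables, named as in post #5. Values are for the demo only.
RULE_NAME="wp-and-mail-bruteforce"
CMDS="WordPress login attempt|Dovecot brute force attack|Attempt to login using a non-existent user"
DENY_COUNTRIES="CN IR"
ALLOW_COUNTRIES="US DE"
MODE="deny"
EXPIRE_DAYS=2   # lifetime of the blacklist entry, as in post #7

# in_list WORD "A B C": succeeds when WORD is one of the space-separated entries
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# decide COUNTRY EVENT: prints "block" when the rule fires, "pass" otherwise.
# CMDS is an alternation, so the OR between incidents is a grep -E pattern.
decide() {
    country=$1
    event=$2
    printf '%s\n' "$event" | grep -Eq "$CMDS" || { echo pass; return 0; }
    case $MODE in
        deny)  in_list "$country" "$DENY_COUNTRIES" && echo block || echo pass ;;
        allow) in_list "$country" "$ALLOW_COUNTRIES" && echo pass || echo block ;;
        *)     echo "rule $RULE_NAME: unknown MODE '$MODE'" >&2; echo pass ;;
    esac
}

# blacklist_cmd IP: the command that would be run (printed, never executed).
# Expiration is an epoch timestamp EXPIRE_DAYS from now, computed portably.
blacklist_cmd() {
    expire=$(( $(date +%s) + $EXPIRE_DAYS * 86400 ))
    printf 'imunify360-agent blacklist ip add %s --expiration %s --comment "%s"\n' \
        "$1" "$expire" "Restricted Country Auto Block by script"
}

# scan: applies the rule to every sample incident, one command per firing IP
scan() {
    printf '%s\n' "$SAMPLE_INCIDENTS" | while read -r ip country event; do
        if [ "$(decide "$country" "$event")" = block ]; then
            blacklist_cmd "$ip"
        fi
    done
    return 0
}

scan
```

With MODE=deny only the two Chinese addresses that match CMDS are listed; switching MODE to allow turns the same rule into "block anything matching CMDS that is not from US or DE", which is the more restrictive setting the post describes. Running the dry run before wiring it into cron is the cheapest way to confirm the rule does not match your own traffic.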

              • #8
                Hi Eugeniu,

                Yeah! That's a very good improvement. My list is filled with about 20,000 IPs right now and that's definitely a very large number. I've used your improvement and modified my scan.sh file to expire the blocked IPs in 14 days, since I need a more restricted policy.

                Thank you for sharing it.
                Iman


                • #9
                  Hi ImanGM, I can also share the commands to clear Imunify's list of IPs from the Black list that carry your comment. I used it for a few servers, everything is working well.

                  Code:
                  systemctl stop imunify360
                  # the comment is a string in SQL, so it must be quoted inside the query
                  echo "delete from iplist where comment='Restricted Country Auto Block by script';" | /opt/alt/sqlite/usr/bin/sqlite3 /var/imunify360/imunify360.db
                  echo "vacuum;" | /opt/alt/sqlite/usr/bin/sqlite3 /var/imunify360/imunify360.db
                  systemctl restart wsshdict
                  systemctl start imunify360

                  P.S. Thanks to the support team of Imunify360 for this solution.


                  • #10
                    Hi ImanGM

                    Excellent solution, congratulations! I am very grateful to you for this solution. It helped me a lot!
                    The Imunify360 team has to see this solution and deploy it natively in the tool. It would be really cool to have the option to create rules like that in the tool interface.

                    Thank you very much!


                    • #11
                      > The Imunify360 team has to see this solution and deploy it natively in the tool. It would be really cool to have the option to create rules like that in the tool interface.

                      Hello Jhonathan,
                      Thank you for reaching out! This feature is already available in the Black List section.
                      Using the Country filter, you can filter the list by country origin. Enter a country name into the input field with autocomplete. Imunify360 will show the list of IPs of the chosen country.
                      You can find more information here https://docs.imunify360.com/dashboard/#black-list
                      Drop me a line if I can do anything else for you. Thank you.


                      • #12
                        Hi Sergey Khristich

                        The problem is that there is no way to create custom rules. If you block the country, the firewall will block all traffic from the country that you put in.

                        The solution that ImanGM presented works perfectly with custom rules.

                        If there were an area inside the tool to create custom rules, it would be very interesting.


                        • #13
                          > Hi Sergey Khristich
                          >
                          > The problem is that there is no way to create custom rules. If you block the country, the firewall will block all traffic from the country that you put in.
                          > The solution that ImanGM presented works perfectly with custom rules.
                          > If there were an area inside the tool to create custom rules, it would be very interesting.

                          Hello Jhonathan,
                          Can you please open a support ticket / feature request here: https://cloudlinux.zendesk.com/hc/en-us/requests/new and describe in more detail what specific exceptions are needed? Our development team will definitely consider the request. You can post the ticket number here and we'll link this thread to it. Thank you.


                          • #14
                            Hi Sergey Khristich

                            Perfect, I reported my idea to the team. See the attachment for an interface idea for the tool.
                            I opened a ticket with the team. Now I will wait.

                            Thank you


                            • #15
                              > Hi Sergey Khristich
                              >
                              > Perfect, I reported my idea to the team. See the attachment for an interface idea for the tool.
                              > I opened a ticket with the team. Now I will wait.
                              >
                              > Thank you

                              Hello Jhonathan,
                              Thank you, our specialists will answer you on the ticket as quickly as possible.
