List of IPs trying to exploit the Boaform vulnerability "/boaform/admin/formLogin"

For more information: https://nvd.nist.gov/vuln/detail/CVE-2020-8958

An example of the logs:

222.137.98.210 - - [29/Jul/2021:03:47:33 +0200] "GET /boaform/admin/formLogin?username=ec8&psd=ec8 HTTP/1.0" 301 650 "-" "-"
114.134.24.46 - - [29/Jul/2021:06:02:40 +0200] "GET /boaform/admin/formLogin?username=ec8&psd=ec8 HTTP/1.0" 301 650 "-" "-"

The list of IPs on my server:

# zgrep "/boaform/admin/formLogin" /var/log/apache2/access.humhub.log.*gz | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq | awk '{print "/usr/sbin/iptables -A INPUT -s " $1 " -j DROP "}'
/usr/sbin/iptables -A INPUT -s 62.171.164.100 -j DROP 
/usr/sbin/iptables -A INPUT -s 93.174.89.216 -j DROP 
/usr/sbin/iptables -A INPUT -s 103.145.13.120 -j DROP 
/usr/sbin/iptables -A INPUT -s 111.59.6.79 -j DROP 
/usr/sbin/iptables -A INPUT -s 116.24.189.232 -j DROP 
/usr/sbin/iptables -A INPUT -s 125.41.13.162 -j DROP 
/usr/sbin/iptables -A INPUT -s 125.44.215.247 -j DROP 
/usr/sbin/iptables -A INPUT -s 134.122.43.75 -j DROP 
/usr/sbin/iptables -A INPUT -s 136.144.41.150 -j DROP 
/usr/sbin/iptables -A INPUT -s 143.110.208.55 -j DROP 
/usr/sbin/iptables -A INPUT -s 143.198.235.203 -j DROP 
/usr/sbin/iptables -A INPUT -s 143.198.66.250 -j DROP 
/usr/sbin/iptables -A INPUT -s 147.182.179.241 -j DROP 
/usr/sbin/iptables -A INPUT -s 147.182.179.242 -j DROP 
/usr/sbin/iptables -A INPUT -s 147.182.179.243 -j DROP 
/usr/sbin/iptables -A INPUT -s 147.182.179.244 -j DROP 
/usr/sbin/iptables -A INPUT -s 147.182.179.245 -j DROP 
/usr/sbin/iptables -A INPUT -s 165.227.42.8 -j DROP 
/usr/sbin/iptables -A INPUT -s 165.232.146.19 -j DROP 
/usr/sbin/iptables -A INPUT -s 167.99.184.39 -j DROP 
/usr/sbin/iptables -A INPUT -s 167.99.189.51 -j DROP 
/usr/sbin/iptables -A INPUT -s 205.185.115.135 -j DROP 
/usr/sbin/iptables -A INPUT -s 209.141.41.11 -j DROP 
/usr/sbin/iptables -A INPUT -s 209.141.41.98 -j DROP 
/usr/sbin/iptables -A INPUT -s 209.141.50.63 -j DROP 
/usr/sbin/iptables -A INPUT -s 209.141.54.8 -j DROP 

Currently I have 198 IPs blacklisted:

# cat /etc/iptables/rules.v4 | grep "DROP" | wc -l
198
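As an added example (not the blog's own pipeline), here is a POSIX shell version of the same extraction. It takes the client IP from the first field of the combined log format instead of rewriting colons, so it works on plain or zcat output without a filename prefix; it sorts the addresses numerically; it skips addresses already present in rules.v4; and it inserts the rules into a dedicated chain (hypothetical name BLOCKLIST) instead of appending to INPUT. That last point matters: a rule added with -A INPUT lands after any existing ACCEPT for ports 80/443 and never matches, while a chain jumped to from the top of INPUT is evaluated first. The sample log reuses the two lines from this post and the MobileIron probe from the next one, plus a constructed benign request and a constructed repeat hit; the existing-rules fragment is constructed too. The same attacker_ips function serves the "/mifs/.;/" pattern.

```shell
#!/bin/sh
# Added example, not the blog's own pipeline: pull the client IPs that hit a
# given URL path out of combined-format access logs and turn them into
# iptables rules for a dedicated blocklist chain.

# Sample log: lines from the post plus a constructed benign request (10.0.0.5)
# and a constructed repeat hit from 222.137.98.210.
SAMPLE_LOG='222.137.98.210 - - [29/Jul/2021:03:47:33 +0200] "GET /boaform/admin/formLogin?username=ec8&psd=ec8 HTTP/1.0" 301 650 "-" "-"
10.0.0.5 - - [29/Jul/2021:03:50:00 +0200] "GET /index.php HTTP/1.1" 200 1234 "-" "curl/7.68.0"
114.134.24.46 - - [29/Jul/2021:06:02:40 +0200] "GET /boaform/admin/formLogin?username=ec8&psd=ec8 HTTP/1.0" 301 650 "-" "-"
222.137.98.210 - - [29/Jul/2021:06:10:12 +0200] "GET /boaform/admin/formLogin?username=ec8&psd=ec8 HTTP/1.0" 301 650 "-" "-"
45.146.165.123 - - [24/Jun/2021:03:49:36 +0200] "POST /mifs/.;/services/LogService HTTP/1.1" 302 5371 "-" "Mozilla/5.0"'

# Constructed rules.v4 fragment: 222.137.98.210 is already blocked.
EXISTING_RULES='-A INPUT -s 222.137.98.210/32 -j DROP
-A INPUT -s 61.40.0.0/16 -j DROP'

# Chain the generated rules go into (hypothetical name). Create it once with:
#   iptables -N BLOCKLIST && iptables -I INPUT 1 -j BLOCKLIST
CHAIN=BLOCKLIST

# attacker_ips PATH: read log lines on stdin and print each client IP whose
# request path (field 7 in combined log format) contains PATH, once, in
# numeric order. index() is a substring match, so "." and ";" are literal.
attacker_ips() {
    awk -v pat="$1" 'index($7, pat) { print $1 }' |
        sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# drop_rules EXISTING: read IPs on stdin and print one iptables command per
# address that has no "-s <ip>" match in EXISTING (the text of rules.v4).
# iptables-save writes single hosts as /32, so both spellings are checked.
drop_rules() {
    existing=$1
    while read -r ip; do
        [ -n "$ip" ] || continue
        if printf '%s\n' "$existing" | grep -qF -e "-s $ip/32 " -e "-s $ip "; then
            continue
        fi
        printf '/usr/sbin/iptables -I %s -s %s -j DROP\n' "$CHAIN" "$ip"
    done
}

# Demo on the embedded sample: prints a single rule, for 114.134.24.46.
printf '%s\n' "$SAMPLE_LOG" | attacker_ips /boaform/admin/formLogin | drop_rules "$EXISTING_RULES"
```

On a real server the equivalent of the post's pipeline is zcat /var/log/apache2/access.humhub.log.*gz | attacker_ips /boaform/admin/formLogin | drop_rules "$(cat /etc/iptables/rules.v4)" | sh, followed by iptables-save > /etc/iptables/rules.v4 as in the post.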

List of IPs trying to exploit the MobileIron RCE vulnerability CVE-2020-15505

For more information: https://perchsecurity.com/perch-news/cve-spotlight-mobileiron-rce-cve-2020-15505/

An example from the logs:

45.146.165.123 - - [24/Jun/2021:03:49:36 +0200] "POST /mifs/.;/services/LogService HTTP/1.1" 302 5371 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.165.123 - - [24/Jun/2021:03:49:46 +0200] "GET /user/auth/login HTTP/1.1" 200 13385 "-/mifs/.;/services/LogService" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

So I did:

# zgrep "/mifs/." /var/log/apache2/access.humhub.log.*gz | sed 's/:/ /g' | awk '{print $2}' | sort -n | uniq | awk '{print "iptables -A INPUT -s " $1 " -j DROP "}'
iptables -A INPUT -s 45.146.165.123 -j DROP

Since there was only one IP, I didn't write a script:

# iptables -A INPUT -s 45.146.165.123 -j DROP
# iptables-save > /etc/iptables/rules.v4

To be continued.

List of IPs filtered (DROP) on my servers

Here is the list (file /etc/iptables/rules.v4):

-A INPUT -s 112.126.90.41/32 -j DROP
-A INPUT -s 116.147.2.110/32 -j DROP
-A INPUT -s 122.14.209.13/32 -j DROP
-A INPUT -s 158.69.13.199/32 -j DROP
-A INPUT -s 193.112.88.67/32 -j DROP
-A INPUT -s 210.21.218.26/32 -j DROP
-A INPUT -s 223.75.249.2/32 -j DROP
-A INPUT -s 27.50.160.35/32 -j DROP
-A INPUT -s 49.233.63.234/32 -j DROP
-A INPUT -s 91.242.37.16/32 -j DROP
-A INPUT -s 103.87.167.253/32 -j DROP
-A INPUT -s 113.160.229.252/32 -j DROP
-A INPUT -s 123.201.235.83/32 -j DROP
-A INPUT -s 156.221.147.68/32 -j DROP
-A INPUT -s 171.236.213.49/32 -j DROP
-A INPUT -s 176.240.226.165/32 -j DROP
-A INPUT -s 202.90.133.210/32 -j DROP
-A INPUT -s 216.104.201.88/32 -j DROP
-A INPUT -s 175.172.174.191/32 -j DROP
-A INPUT -s 123.132.65.176/32 -j DROP
-A INPUT -s 103.145.13.43/32 -j DROP
-A INPUT -s 175.21.153.128/32 -j DROP
-A INPUT -s 178.63.34.189/32 -j DROP
-A INPUT -s 74.120.14.36/32 -j DROP
-A INPUT -s 34.240.212.8/32 -j DROP
-A INPUT -s 167.248.133.52/32 -j DROP
-A INPUT -s 162.142.125.52/32 -j DROP
-A INPUT -s 197.53.220.102/32 -j DROP
-A INPUT -s 134.209.87.169/32 -j DROP
-A INPUT -s 66.151.211.226/32 -j DROP
-A INPUT -s 61.40.0.0/16 -j DROP
-A INPUT -s 66.210.251.136/32 -j DROP
-A INPUT -s 202.215.160.75/32 -j DROP
-A INPUT -s 81.68.159.121/32 -j DROP
-A INPUT -s 178.129.246.3/32 -j DROP
-A INPUT -s 46.209.56.107/32 -j DROP
-A INPUT -s 156.197.215.223/32 -j DROP
-A INPUT -s 156.216.50.199/32 -j DROP
-A INPUT -s 192.241.224.104/32 -j DROP
-A INPUT -s 192.241.206.242/32 -j DROP
-A INPUT -s 216.245.193.22/32 -j DROP
-A INPUT -s 36.27.208.157/32 -j DROP
-A INPUT -s 81.68.106.157/32 -j DROP
-A INPUT -s 143.110.212.186/32 -j DROP
-A INPUT -s 54.39.22.135/32 -j DROP
-A INPUT -s 62.171.179.56/32 -j DROP
-A INPUT -s 93.113.111.100/32 -j DROP
-A INPUT -s 103.241.205.1/32 -j DROP
-A INPUT -s 128.199.122.54/32 -j DROP
-A INPUT -s 139.162.7.223/32 -j DROP
-A INPUT -s 139.59.58.116/32 -j DROP
-A INPUT -s 159.89.109.162/32 -j DROP
-A INPUT -s 201.143.63.92/32 -j DROP
-A INPUT -s 202.169.26.237/32 -j DROP
-A INPUT -s 206.189.93.93/32 -j DROP
-A INPUT -s 211.43.12.188/32 -j DROP
-A INPUT -s 123.172.67.122/32 -j DROP
-A INPUT -s 3.8.12.221/32 -j DROP
-A INPUT -s 34.237.4.205/32 -j DROP
-A INPUT -s 34.230.156.67/32 -j DROP
-A INPUT -s 3.142.196.207/32 -j DROP
-A INPUT -s 185.246.209.147/32 -j DROP
-A INPUT -s 18.231.94.162/32 -j DROP
-A INPUT -s 173.212.219.223/32 -j DROP
-A INPUT -s 139.224.198.47/32 -j DROP
-A INPUT -s 13.232.100.135/32 -j DROP
-A INPUT -s 125.64.94.221/32 -j DROP
-A INPUT -s 121.5.250.245/32 -j DROP
-A INPUT -s 114.70.235.43/32 -j DROP
-A INPUT -s 101.255.122.146/32 -j DROP
-A INPUT -s 5.188.210.227/32 -j DROP
-A INPUT -s 37.49.229.222/32 -j DROP
-A INPUT -s 34.237.4.205/32 -j DROP
-A INPUT -s 193.46.255.92/32 -j DROP
-A INPUT -s 165.227.84.219/32 -j DROP
-A INPUT -s 165.22.232.189/32 -j DROP
-A INPUT -s 5.8.10.202/32 -j DROP
-A INPUT -s 5.188.210.227/32 -j DROP
-A INPUT -s 222.77.181.28/32 -j DROP
-A INPUT -s 125.64.94.221/32 -j DROP
-A INPUT -s 108.168.131.251/32 -j DROP
-A INPUT -s 79.143.86.189/32 -j DROP
COMMIT
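The list above contains three addresses twice (34.237.4.205, 5.188.210.227 and 125.64.94.221), which a count of DROP lines such as grep DROP | wc -l does not reveal: it counts rules, not distinct sources. As an added example (not the blog's own commands), the following shell functions count distinct DROP sources in an iptables-save file, list the ones that occur more than once, and rewrite the file without the repeats while leaving chain headers and COMMIT untouched. The rules fragment is constructed from the list above.

```shell
#!/bin/sh
# Added example, not the blog's own commands: audit the DROP rules in an
# iptables-save file for duplicated source addresses.

# Constructed rules.v4 fragment built from the list in the post, including
# the three addresses that appear twice there.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 34.237.4.205/32 -j DROP
-A INPUT -s 61.40.0.0/16 -j DROP
-A INPUT -s 5.188.210.227/32 -j DROP
-A INPUT -s 125.64.94.221/32 -j DROP
-A INPUT -s 34.237.4.205/32 -j DROP
-A INPUT -s 5.188.210.227/32 -j DROP
-A INPUT -s 125.64.94.221/32 -j DROP
-A INPUT -s 79.143.86.189/32 -j DROP
COMMIT'

# drop_sources: read an iptables-save file on stdin and print the -s argument
# of every rule whose target is DROP, one per line.
drop_sources() {
    awk '$NF == "DROP" { for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1) }'
}

# count_drop_rules: what "grep DROP | wc -l" measures (rule lines).
count_drop_rules() {
    drop_sources | wc -l | tr -d ' '
}

# count_unique_drop_sources: the number of distinct blocked sources.
count_unique_drop_sources() {
    drop_sources | sort -u | wc -l | tr -d ' '
}

# duplicate_drop_sources: sources listed more than once. The extra rules are
# harmless but inflate the count and make the file harder to maintain.
duplicate_drop_sources() {
    drop_sources | sort | uniq -d
}

# dedupe_rules: copy stdin to stdout, dropping any repeated DROP rule while
# keeping the first occurrence and every non-DROP line (headers, COMMIT).
dedupe_rules() {
    awk '!($NF == "DROP" && seen[$0]++)'
}

# Demo on the embedded sample.
printf 'DROP rules: %s, distinct sources: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RULES" | count_drop_rules)" \
    "$(printf '%s\n' "$SAMPLE_RULES" | count_unique_drop_sources)"
printf '%s\n' "$SAMPLE_RULES" | duplicate_drop_sources
```

To clean the real file: dedupe_rules < /etc/iptables/rules.v4 > /tmp/rules.v4.new, check it with iptables-restore --test /tmp/rules.v4.new, then move it into place.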

New scan on Nginx: system_api.php (Drupal)

In the logs:

143.110.212.186 - - [20/Jan/2021:20:33:15 +0100] "GET /system_api.php HTTP/1.1" 404 490 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
143.110.212.186 - - [20/Jan/2021:20:33:15 +0100] "GET /system_api.php HTTP/1.1" 404 4079 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
143.110.212.186 - - [20/Jan/2021:20:33:16 +0100] "GET /system_api.php HTTP/1.1" 404 4078 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"

So I filter the IP:

# iptables -A INPUT -s 143.110.212.186 -j DROP 
# iptables-save > /etc/iptables/rules.v4

Properties of IP address 143.110.212.186

Location: United States
Reputation: 86%
Anonymity: none detected
Usage: allocated
Source: ARIN
Hostname: 143.110.212.186