Ubuntu :: Automatic IP Blocking After 3 Failed Attempts?
Oct 9, 2010
I am looking for a way to automatically block an ip address and add it to /etc/hosts.deny when they have 3 consecutive password failures or try connecting to a name that doesn't exist more than like twice to help limit the brute force attacks I am experiencing.Is there an easy way to do this already implemented in Ubuntu?
Since yesterday Firestarter has been prompting me that it is blocking external connection attempts as shown in the picture below:I'm not even going to bother covering the IP addresses because I personally don't see why I should care but as you can see, there has been loads of them attempting to connect to ports 3674 - 3675. I ran nmap 127.0.0.1 and it came back as 631 being the only one open. So then I thought maybe lsof -i would mention much more but all it shown was:
@boris:~$ cat meh COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME cupsd 1644 root 5u IPv6 14329 0t0 TCP localhost:ipp (LISTEN)
I have tried and tried to get Ubuntu up and running again after a fatal crash. Unknown reason. I have burned several copies of Karmic and Jaunty, but the only one that will come up is an old copy of Jaunty Live CD. Chksum have matched on the disks and the disk integrity (the last time came up with 1 error, but it did not say where. I have used SystemRescue64, Rescue-remix for Karmic, MHDD, Ultimate boot disk, and have reformated and partitioned my 640GB drive. One partition is formated to EXT3 and the other is unallocated. Both testdisk and memtest show positive. No disk will complete a permanent install. At least one error shuts it down even after fixing broken packages and sometimes there are 3or 4 errors msgs. Last night the error was something in Open Office, I don't recall more than that. Here are the errors I picked out of todays logfiles. They are prety much in order as posted in the various logs:
Why is it that the darn printer keeps breaking on this thing (Ubuntu) ??? It's either every damn update that keeps messing this up. One computer is bad enough, I can't imagine having to take care of even five with this thing always screwing something up. What the hell is going on??? Yeah I'm tired of this thing always messing up the printer. Please fix this thing, separate the browsers if you have to, do whatever it takes, but please STOP messing up the printers...and I don't even print that often.Oh yeah, when you first start the OS up, the drive seems to go on for a while longer now. I only put the regular updates and don't tweak anything.
I installed Lucid (clean install after several attempts at upgrading from Karmic failed), and I have an Intel 8xx video card. I was able to get Lucid installed by adding "xforcevesa" into the command line at startup. Now I would like to try changing my computer away from Vesa and seeing if I can try to get the i915 driver working.
That being said, I cannot figure out where to go to change my kernel boot configurations. Every tutorial I've found refers me to /boot/grub/menu.lst which I cannot find. Ever since I moved from Karmic to Lucid, I've regretted it as it seems like all the How-To documentation is no longer valid, everything has been changed and moved around.
I don't know why it is dumping me onto Vesa, or why my stupid driver was blacklisted; everything was working fine under Hardy, Jaunty, and Karmic. Why problems now? Does anyone know how I can get into my boot setings and replace "xforcevesa" with something that will make the intel driver work?
I googled this, to no avail. I've restarted cups, to no avail.This is a Networked Printer, but i have little doubt that can be ruled out as an issue.If i want to print an Image or Plain Text file, i get this error; if i print with OpenOffice, i do NOT get this error and it prints fine.I have also gotten a similar error, like "permission denied" or something, but i cannot recall exactly what it said, and cannot seem to recreate it at the moment.I have been getting this for quite some time now (months), but never found out why. Any ideas?
I am trying to get OpenLDAP to authenticate user logins, but running around in circles. Are there any logs produced by either client and/or server that would indicate possible reasons why it was unable to login as a user?Below is an explanation, any ideas would be appreciated, as I think everything is setup as per the various articles on using LDAP.
I have a CentOS 5.5 OpenLDAP server, and several others, some host services, some are file shares (samba).So far I have been able to successfully configure OpenLDAP to carry out all the ldap* commands from both the local server and from any of the remote servers, either via non-ssl or ssl connections. However, as soon as I try connecting any services up to it, it doesn't play ball.Back to basics, having cleared off all previous attempts at this from all machines, I have gone through the following:
Installed OpenLDAP server/client on host (plus nss_ldap). Configured /etc/openldap/slapd.conf (see below) Configured /etc/openldap/ldap.conf (see below)
I am getting some error when i compile cross compile "dbus-1.2.20". error Code: checking for XML_ParserCreate_MM in -lexpat... no configure: error: Could not find expat.h, check config.log for failed attempts so i downloaded te expat library sources i cross compiled. But again i am getting same error. I think i have to add "-lexpat" in LDFLAG. But i dont know how to do that.
A few minutes ago I was using google chrome when suddenly the scroll-lock indicator on my keyboard turned on... I pressed the scroll-lock key, but nothing happened, the light remained. I opened a terminal and ran "top" to find what processes were running when I was automatically logged out. I logged back and checked the logs and found the following entries in my auth.log:
Code: CRON: pam_unix(cron:session): session opened for user root by (uid=0) CRON: pam_unix(cron:session): session closed for user root
Installing Ubuntu Studio failed automatic configuring the network so I need configure it manually. The computer ask for a DOMAIN NAME but I never had configured any Domain. Actualy I had another ubuntu computer. I know the mane of that computer but how can I get the DOMAIN NAME from the other computer?
I have a device that is working on modbus protocol andI have written a small program(with block TCP read method ) to read its registers via modbus protocol.my program is working very well but except those times that I unplug the Ethernet cable or turning off the modbus gateway during programs work.at this time my program stops on recv system call (if it reach this system call exacly when I unplug Ethernet cable or turning off the modbus gateway during programs work).I changed my source to work in nonblock TCP method, at this time with the same situation my program does not stop/block on recv system call but after pluging back the Ethernet cable or resuming the connectivity situation back it reads data incorrectly .this is my code:Quote:
How do I limit the max login attempts in the sshd_config file? I found a way to do it on Google some time back but I can't find it now. I have Denyhost already, but I really wanna do the "MAx Login Attempts" what ever it was that I was able to do in the config file.
My root filesystem recently filled up. I finally established why - that my /media directory had filled up due to the USB-attached device having been unmounted for whatever reason, and SimpleBackup tried backing up without the mount in place - thereby filling up the filesystem.
I discovered that the root directory was full when the machine tried to get updates, and couldn't. So, I went into /media and tried to delete the backup directory and file(s) that were in that directory, but it tells me that permission is denied. So I try to SUDO the same command, and it tells me 3 times in a row, "Sorry, try again", followed by "sudo: 3 incorrect password attempts".
I'm running the firestarter firewall and its been showing the odd ssh attempt quite often. e.g. I've had 4 attempts today, 3 in the last 40mins. I realize that this may be nothing to serious but it's got me curious, aside from having a secure password (which I have) is there anything that else that I can do to ensure that my system is as secure as possible from ssh? I do use ssh within my home network so I don't want to disable it completely.
I have an SSH server on my laptop, and I'm using the default configuration file, but I added "AllowUsers <myUserName>". I get lots of login attempts like the ones below in my /var/log/auth.log.From Google, I find that pam_winbind allows some kind of Windows authentication. This leaves me with 2 questions. What does winbind do when I have not configured any Windows/Samba accounts? How can I turn it off?
Code: Oct 23 20:01:49 muon sshd: User root from 184.108.40.206 not allowed because not listed in AllowUsers
So I run a dual-boot win7/ubuntu system and out of nowhere I am now unable to boot into ubuntu. I get up to the screen where I select which OS to boot into, then I select ubuntu, get the wubldr messages and then my computer instantly resets back to the original load screen.
This comes paired with a bad boot into my windows partition so I feel like they may be related. I did a system repair and now windows works though. I'm defraging my harddrive now just to see if it works.
I am trying to write a little port knocking daemon that needs to see every failed connection attempt on every port on the system. The primary way to do this (as the Wikipedia page points out) is to monitor the firewall log file. I am using UFW and reading its output in /var/log/kern.log. Typically, when UFW blocks something, it prints a little line like this:
But it seems that whenever UFW experiences a significant "load" (my client sends eight packets over the span of about 25 seconds, not too significant if you ask me), it just kind of "gives up" after 10 or so attempts. Log messages stop appearing in kern.log. I know the packets are coming; wireshark confirms this.
It seems to me that a buffer of some sort is filling up, because if I give the system a breather and try sending my sequence again in, say, three minutes, it prints log messages for 10-12 straight attempts before giving up again. I've tried sending packets at longer intervals and reading from other logs like /var/log/messages, but none of this has helped. Does anyone have any idea why UFW would fail to log all blocked connection attempts?
I noticed with the recent version of Ubuntu, 10.10 that the drop down menus, when selected the sub menus doi not appear straight away. I have to repeatedly go up and down the menu until they appear. They often open a blank box and sometime once selected leave the menu on the screen. This happens on all my machines.
I used to burn CDs/DVDs with Brasero on my old Dell PC running various Ubuntu distros, till it started producing faulty discs. There were other problems with the old machine, so I started burning discs on my Toshiba laptop (Ubuntu 10.04) using Brasero - no problems at all. Now I've got a new Dell (Ubuntu 11.04) and, strangely, when I tried to burn some CDs with Brasero, it took 5 attempts to get 2 good discs - not a good success rate. Tried again with Open CD/DVD Creator on the Dell - no problem. 100% success. So is it Brasero? Is it Dell? Is it newer Ubuntus? The discs haven't changed, they're Verbatim.
The problem is that Ubuntu 10.04 as delivered is not compatible with the Nvidia driver installed with 10.04. This problem is widely reported, as is a fix for it. The usual form of the fix is as follows:
To fix the above error message use the following procedure 1) Download Newest Nvidia drivers from here 2) Open module blacklist as admin gksudo gedit /etc/modprobe.d/blacklist.conf
I am running a ubuntu server 10.10 with SSH, and OpenVPN. I use it mainly for the VPN, but I have seen log in attempts such as:
Mar 22 14:52:53 UbuntuSvr sshd: Invalid user support from 220.127.116.11 Mar 22 14:52:55 UbuntuSvr sshd: Invalid user student from 18.104.22.168 Mar 22 14:52:57 UbuntuSvr sshd: Invalid user transfer from 22.214.171.124 Mar 22 14:52:59 UbuntuSvr sshd: Invalid user user from 126.96.36.199
Is it possible to make it so when some one has tried logging in 5 times with an invalid user/pass that the ip is banned for 10 minutes? I have password auth set to no and am using keys.
Title is pretty much the best description i can give. I have a second computer that i'm trying to put ubuntu on except i just can't boot into it. I've tried multiple ways be it from usb, from cd/dvd, installing it through wubi and reinstalling... Every single time a get some error due to speech dispatcher not being enabled and that is causing it to get stuck at the splash screen...