  1. #1
    Join Date
    May 2011
    Posts
    64

    SSH command to remove a blocked ip in /etc/hosts.deny

    I am trying to figure out what the correct command would be in SSH to remove an ip from the /etc/hosts.deny file.

    This does not work.
    Code:
    echo 'ALL : 81.123.123.123 : allow' << /etc/hosts.deny
    Until now I have been manually opening the /etc/hosts.deny file with pico and deleting the entry.

    Would be nice to have a simple command.

    Any ideas?

  2. #2
    Join Date
    Jan 2014
    Location
    Romania
    Posts
    297
    Remove the 3rd line:

    sed '3d' fileName.txt



    Remove the line containing the string "awk":

    sed '/awk/d' filename.txt



    Remove the last line:

    sed '$d' filename.txt

  3. #3
    Join Date
    May 2011
    Posts
    64
    Quote Originally Posted by vanmorrison View Post
    Remove the line containing the string "awk":
    sed '/awk/d' filename.txt
    So I should use this type of format?

    Code:
    sed '/255.255.255.255/d' /etc/hosts.deny
    When I run that it simply outputs the content of the /etc/hosts.deny file.

  4. #4
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    16,087
    You will need to use the "-i" flag with sed in order to do an in-place modification.

    I would be careful with such changes though - you want to be sure that your match isn't going to find/remove anything else it shouldn't.
    Michael Denney - MDDHosting LLC

  5. #5
    Join Date
    Jan 2014
    Location
    Romania
    Posts
    297
    that's right, sorry.

    my version of the command only outputs the file WITHOUT the string you need to remove, it does not make actual changes to the file.

    so use sed -i '/StringToRemove/d' filename.txt, but as Mike said, be careful as the changes are for good.

  6. #6
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    For someone asking such a question, I would say use nano (simple text editor, usually installed on most *nix systems)

    nano /etc/hosts.deny

    Remove the offending line with normal word processing movements, Ctrl+X to save. No piping or string manips. KISS method.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  7. #7
    Join Date
    May 2011
    Posts
    64
    Quote Originally Posted by vanmorrison View Post
    that's right, sorry.

    my version of the command only outputs the file WITHOUT the string you need to remove, it does not make actual changes to the file.

    so use sed -i '/StringToRemove/d' filename.txt, but as Mike said, be careful as the changes are for good.
    really weird. I tried using the following in my bash script:

    Code:
    sed -i '/$IP/ d' "$HOSTS_DENY"
    and

    Code:
    sed -i '/$IP/ d' $HOSTS_DENY
    and it still does not remove the line from hosts.deny.

  8. #8
    Join Date
    Jan 2014
    Location
    Romania
    Posts
    297
    post the entire script

  9. #9
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    Quote Originally Posted by vanmorrison View Post
    post the entire script
    An entire script to remove a line in a text file, I'm not sure they will hammer that out...

    What flavor of Linux are you using? Most have "nano" simple text editor.

    nano /etc/hosts.deny

    Remove the offending line (using arrows and delete key)

    Save with Ctrl+X

    Done.

  10. #10
    Join Date
    May 2011
    Posts
    64
    Quote Originally Posted by vanmorrison View Post
    post the entire script
    The bit of code in question starts with the comment: #we need to check if its inside the /etc/hosts.deny file and remove it

    The script works perfectly except for removing the IP address from /etc/hosts.deny. Every time I try the script it says it's removed it, but when I go back into /etc/hosts.deny the IP is still listed.

    Code:
    #!/bin/bash
    ########################################################
    # SIMPLE SLOWLORIS ATTACK PREVENTION
    # [email protected]
    # version 1.1 - 7/1/2014
    # version 1.2 - 6/2/2014 - added whitelisting ability
    #
    # the purpose of this script is to prevent slowloris attacks
    # slowloris is difficult to watch for so you need to have
    # apache mod_qos installed so that it logs any such attacks as mod_qos(045) to the error_log
    # then we parse error log for any entries containing the string mod_qos(045) and blacklist based on the total attacks
    #
    # This is the process used to blacklist the ip's who appear to attack the server
    # 1. parse the error_log and search for certain string like mod_qos(045)
    # 2. save a list of results to a temp file which holds the ip address and the total attempts
    # 3. parse the temp file and check how many attempts per ip
    # 4. if the attempt is => the BLOCK_LIMIT, we attempt to ban the ip
    # 5. before banning we have to check the white list to see if the ip is whitelisted
    # 6. if the ip is not on the whitelist, we block the ip and write an entry to the logs
    #
    # TIPS
    # a. you can monitor each ban during an attack by running $ tail -f /var/log/hsws-banned-ips
    # b. you can whitelist ips by adding them to the whitelist usually at /root/hsws-whitelist-ips 
    # c. if its a heavy attack then you can adjust the BLOCK_LIMIT variable
    ########################################################
    
    #define some variables used within the script
    SOURCE_LOG=/usr/local/apache/logs/error_log  #Change this path to the file you want to read
    OUTPUT_LOG=/root/hsws-log-slowloris-attacks #change this to the location you want to output the results to
    BANNED_LOG=/var/log/hsws-banned-ips #location of the log specifically for tailing bans
    SEARCH_PATTERN="mod_qos(045)" #This is the pattern you want to search within the log $SOURCE_LOG
    BLOCK_LIMIT=25 #the total number of attempts after which we block the ip
    HOSTS_DENY=/etc/hosts.deny #the hosts.deny file
    WHITELIST=/root/hsws-whitelist-ips #this is a list of ips that we want to make sure are not blacklisted
    
    ########################################################
    #scripting starts here - no need to change anything after here
    ########################################################
    
    #Check for existence of WHITELIST
    if [ ! -e "$WHITELIST" ] ; then 
      touch "$WHITELIST" 
      echo "SUCCESS! Whitelist has been created at $WHITELIST" >> $SOURCE_LOG
      echo "SUCCESS! Whitelist has been created at $WHITELIST"
    fi
    #if we cannot write to the whitelist then throw an error
    if [ ! -w "$WHITELIST" ] ; then 
      echo "[$(date)] [error] ERROR! CANNOT WRITE TO $WHITELIST" >> $SOURCE_LOG 
      echo "ERROR! Cannot write to $WHITELIST" 
      exit 1 
    fi
    
    #parse the log file at $SOURCE_LOG and save the log file to $OUTPUT_LOG
    cat $SOURCE_LOG | grep "$SEARCH_PATTERN"  | awk '{ print $8 }' | sort | uniq -c  | sort -n | sed 's/]\+$//' > "$OUTPUT_LOG"
    
    #test for existence of the $OUTPUT_LOG file
    if [ -f $OUTPUT_LOG ]
    then
    
        #if you are using asl firewall then use this block
        #awk '$1>'$BLOCK_LIMIT'{system("asl -bl "$2)}' < $OUTPUT_LOG
    	#echo "SUCCESS > parsing of $OUTPUT_LOG has been completed!"
    	#exit 1
    
        #check OUTPUT_LOG for any ip with more than  BLOCK_LIMIT
        #because we only need to block ip's with more than a certain number of attempts
    	cat $OUTPUT_LOG | while read ATTEMPTS IP
    	do
        	#if the ip address has exceeded the $BLOCK_LIMIT then we need to blacklist the $IP
    		if [ $ATTEMPTS -gt $BLOCK_LIMIT ]
    		then
    			#first we need to check to see if the ip appears in the whitelist file
    			if grep -q "$IP" $WHITELIST; then
       				echo "$IP is whitelisted"
       				echo "[$(date)] [warn] blacklisting SKIPPED for $IP as its whitelisted in $WHITELIST" >> $SOURCE_LOG
       				
       				#we need to check if its inside the /etc/hosts.deny file and remove it
       				if grep -q "$IP" $HOSTS_DENY; then
       				  sed -i '/$IP/ d' "$HOSTS_DENY"
     				  echo "$IP is whitelisted and was found in $HOSTS_DENY but now its been removed"
     				  echo "[$(date)] [warn] $IP was removed from $HOSTS_DENY as its whitelisted in $WHITELIST" >> $SOURCE_LOG	
       				fi
       				
     			else		
    		
    				if grep -Fq "$IP" $HOSTS_DENY
    				then
    				#the echo goes after "then" so that the if tests grep's exit status, not echo's
    				echo "$IP already exists in blacklist"
    				continue
    			else
        	        #if ip not exists in hosts.deny, then add the ip to the hosts.deny file
    				echo "ALL:$IP" >> $HOSTS_DENY
    				
    				#try to get the dns name
    				DNSNAME=$(host -tPTR $IP) || DNSNAME="1 1 1 1 dns not found"
    		        DNSNAME=$(echo $DNSNAME|cut -d" " -f5-)
    
                    echo "[$(date)] [warn] $IP ($DNSNAME) BLOCKED FOR $SEARCH_PATTERN - $ATTEMPTS Attempts recorded" >> $SOURCE_LOG
                    echo "[$(date)] [warn] $IP ($DNSNAME) BLOCKED FOR $SEARCH_PATTERN - $ATTEMPTS Attempts recorded" >> $BANNED_LOG
    				echo "$IP ADDED to blacklist"
    				fi
    			fi
    		fi
    	done
    
    	#message here that the process is completed
    	echo "[$(date)] [warn] PROCESSED $OUTPUT_LOG" >> $SOURCE_LOG
    	echo "SUCCESS > parsing of $OUTPUT_LOG has been completed!"
    	exit 0
    	
    else	
    echo "ERROR > $OUTPUT_LOG not found!"
    exit 1
    fi
    
    ########################################################
    #scripting ends here
    ########################################################

  11. #11
    Join Date
    Jan 2014
    Location
    Romania
    Posts
    297
    sed -i '/$IP/ d' "$HOSTS_DENY"

    did you try without the "" ?

  12. #12
    Join Date
    May 2011
    Posts
    64
    Quote Originally Posted by vanmorrison View Post
    sed -i '/$IP/ d' "$HOSTS_DENY"

    did you try without the "" ?
    Yes, I tried with and without quotes.

  13. #13
    Join Date
    Jan 2014
    Location
    Romania
    Posts
    297
    ok, I'm not very good at programming, but how did you define IP? how does it get the $IP?

  14. #14
    Join Date
    May 2011
    Posts
    64
    Quote Originally Posted by vanmorrison View Post
    ok, I'm not very good at programming, but how did you define IP? how does it get the $IP?
    It gets $IP from here:

    Code:
    cat $OUTPUT_LOG | while read ATTEMPTS IP
    Basically $OUTPUT_LOG is a file with the following data in it..

    Code:
    150 255.255.255.255
    179 255.255.255.255
    Basically the cat parses the log and extracts the ip and puts it in IP variable.

    Everything I have read so far on forums, blogs etc is saying that this: sed -i '/$IP/ d' "$HOSTS_DENY" (or without ") should work.

    Will keep looking and if I fix it will update it here.
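
Added example, not part of the original thread: in `sed -i '/$IP/ d' "$HOSTS_DENY"` the single quotes stop the shell from expanding `$IP`, so sed searches for the literal text `$IP` and deletes nothing. The sketch below expands the variable inside double quotes and anchors the match to a whole `ALL:<ip>` line, which also covers the caution in post #4 about removing more than intended. The function names and sample addresses are constructed, and GNU sed is assumed.

```bash
#!/bin/bash
# Added example (not from the thread). Assumes GNU sed (-i, -E) as found on
# Linux; function names and sample addresses are constructed.

# The thread's line  sed -i '/$IP/ d' "$HOSTS_DENY"  is single-quoted, so the
# shell never expands $IP and sed looks for the literal text "$IP".
remove_deny_entry() {
    local ip="$1" file="$2" re
    # Allow only digits and dots, then require dotted-quad shape, so nothing
    # else can reach the sed expression.
    case "$ip" in ''|*[!0-9.]*) return 2 ;; esac
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2
    [ -w "$file" ] || return 3
    # Escape the dots: an unescaped "." matches any character.
    re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    cp -p "$file" "$file.bak" || return 4   # keep a copy, -i cannot be undone
    # Double quotes let the shell expand $re. The anchors restrict the match to
    # a whole "ALL:<ip>" line (the form the thread's script writes), so
    # 192.0.2.1 cannot also delete 192.0.2.10 or 1192.0.2.1.
    sed -i -E "/^ALL[[:space:]]*:[[:space:]]*${re}[[:space:]]*\$/d" "$file"
}

# Constructed demo: returns 0 if only the intended entry was removed.
demo() {
    local f rc=1
    f=$(mktemp) || return 1
    printf '%s\n' 'ALL:192.0.2.1' 'ALL:192.0.2.10' 'ALL : 198.51.100.7' > "$f"
    IP=192.0.2.1
    sed -i '/$IP/ d' "$f"                 # thread's form: file is unchanged
    [ "$(wc -l < "$f")" -eq 3 ] && remove_deny_entry "$IP" "$f" &&
        [ "$(wc -l < "$f")" -eq 2 ] && ! grep -Fxq 'ALL:192.0.2.1' "$f" && rc=0
    rm -f "$f" "$f.bak"
    return "$rc"
}

demo && echo "only ALL:192.0.2.1 was removed"
```

Entries written in another form, such as a daemon name in place of `ALL`, are deliberately left alone by this pattern.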

  15. #15
    Join Date
    Feb 2006
    Location
    Kepler 62f
    Posts
    14,877
    I despise managing a firewall in a CLI. For Linux, nothing beats a CSF GUI.
