Page 3 of 3 FirstFirst 1 2 3
Results 21 to 28 of 28
  1. #21
    Just Joined!
    Join Date
    May 2005
    Posts
    2

    Sorry for the newb question, but this topic is the perfect answer to my needs, but I have a stupid problem: all of the IP addresses (FC2 box) are pre-pended with ::ffff:, so the $10 variable isn't right. I tried sed, but was not successful. Is there something I need to do in sshd_conf or in the exec statement?

    Thanks, and again sorry for the stupid question.

  2. #22
    Just Joined!
    Join Date
    Jun 2005
    Posts
    2
    Hi, I have some questions about this kind of setup.

    I have swatch running and it's adding the IPs to iptables.

    1. How do I get rid of those added IPs after a while or do you just keep them forever?

    2. About iptables: Do I need to start this thing or are those tables used by the kernel anyway?

    Sorry, if this sounds dumb but I'm just not a guru Linux admin.

  3. #23
    Just Joined!
    Join Date
    Jul 2005
    Posts
    1

    Re: Try the ipt_recent module

    Quote Originally Posted by sparkix
    I was noticing ssh login attempts as well and came up with this solution using the recent module for iptables...

    modprobe ipt_recent ip_list_tot=200

    iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS \
        -d $IPADDR --dport 22 -m state --state NEW -m recent --rcheck \
        --hitcount 3 --seconds 60 --name SSH_PROBERS \
        -j LOG --log-prefix "Adaptive-FW SSH Prober: "

    iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS \
        -d $IPADDR --dport 22 -m state --state NEW -m recent \
        --update --hitcount 3 --seconds 60 --name SSH_PROBERS \
        -j DROP

    iptables -A INPUT -i $INTERNET -p tcp --sport $SSH_PORTS \
        -d $IPADDR --dport 22 -m state --state NEW -m recent \
        --set --name SSH_PROBERS -j ACCEPT
    SWEET. I started to download swatch but decided to try your way instead. I left out the -i, --sport and -d parameters, but it still appears to work as wanted. Is there any reason I should not leave those out? I tested it by trying to SSH in to my box from my wife's computer with "bogus" and made sure it blocked her computer after several tries; while that computer was blocked I tried to SSH in with a legit user from another computer and it let me in. So it appears to only block the bad IP, and just for a while (60 seconds if I'm understanding correctly how it works).

    I think this is the best solution. I just need to make sure I'm not creating a problem down the line by not having those other parameters in the rules. Thanks!!!

  5. #24
    Just Joined!
    Join Date
    Jun 2005
    Posts
    5

    Or even "ipset"

    With the ipset extensions to iptables you can add a single rule that says "block all IPs in the set called 'abc'", and you can then add or remove IPs to that set without having to add more and more iptables rules. You can even arrange that the IP addresses are automatically removed from the set after a time interval you specify.

  6. #25
    Just Joined!
    Join Date
    Jul 2005
    Location
    Carbondale, IL
    Posts
    11
    Well, you have always heard of portsentry.
    And you should disable root logins for ssh.
    There is a setting in sshd.conf for that.
    Get out your manuals and read up on it.

  7. #26
    Just Joined!
    Join Date
    Jun 2005
    Posts
    2

    Re: Or even "ipset"

    Quote Originally Posted by Wolfmans Brother
    With the ipset extensions to iptables you can add a single rule that says "block all IPs in the set called 'abc'", and you can then add or remove IPs to that set without having to add more and more iptables rules. You can even arrange that the IP addresses are automatically removed from the set after a time interval you specify.
    I took a look at the IPSET stuff. Sounds really cool but as I understand it, it requires a kernel patch. That's something I can't do on my production machine. Is there a way to check if the current kernel might support IPSET as is?

  8. #27
    Just Joined!
    Join Date
    Jun 2005
    Posts
    5

    Re: Or even "ipset"

    Quote Originally Posted by Muso
    Quote Originally Posted by Wolfmans Brother
    With the ipset extensions to iptables you can add a single rule that says "block all IPs in the set called 'abc'", and you can then add or remove IPs to that set without having to add more and more iptables rules. You can even arrange that the IP addresses are automatically removed from the set after a time interval you specify.
    I took a look at the IPSET stuff. Sounds really cool but as I understand it, it requires a kernel patch. That's something I can't do on my production machine. Is there a way to check if the current kernel might support IPSET as is?
    Sure: just try "modprobe ipt_set", and "ipset -N testset iphash". If both of these work, you're ready to rumble.

  9. #28
    Just Joined!
    Join Date
    Oct 2005
    Posts
    1

    Continuing with swatch info

    I wanted to be sure to cover root in my automatic blocking, as well as permablock the brats (just for fun). Maybe someone else will find this helpful. You first need to create a file (/etc/swatch_rejects below) which you can source from your firewall script somewhere, or separately, after iptables is reset for whatever reason (like a reboot). So I have this for my swatchrc (yes, I changed the email address):

    # Add firewall rules for bad login attempts
    watchfor /Invalid user test|Invalid user guest|Invalid user admin|Invalid user web|Invalid user ftp|Invalid user oracle/
        mail=email@domain.com,subject="swatch match: $10 firewall rule added"
        exec "/sbin/iptables -A swatch_rejects -s $10 -j DROP"
        exec "echo '/sbin/iptables -A swatch_rejects -s $10 -j DROP' >> /etc/swatch_rejects"
        continue

    watchfor /User root from/
        mail=email@domain.com,subject="swatch match: $9 firewall rule added"
        exec "/sbin/iptables -A swatch_rejects -s $9 -j DROP"
        exec "echo '/sbin/iptables -A swatch_rejects -s $9 -j DROP' >> /etc/swatch_rejects"

    Luckily I'm the only one accessing this server via ssh, and only have one non-root non-common account configured to connect, which is there only for me to su.
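An added example, not code from any poster in this thread: a small POSIX sh wrapper that the swatch exec lines in #28 could call instead of running iptables directly. It strips the ::ffff: prefix that #21 ran into, refuses anything that is not a bare dotted quad before it reaches iptables (the field comes out of an attacker-influenced log line), and then adds the rule and records it in /etc/swatch_rejects the way #28 does. The install path /usr/local/sbin/swatch_block and the DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed install path and swatchrc use:
#   exec "/usr/local/sbin/swatch_block $10"
# The field swatch pulls out of the sshd log is untrusted text, so it is
# normalised and validated here before it is spliced into an iptables rule.

# normalize_ip: strip the ::ffff: prefix sshd logs for IPv4-mapped IPv6 peers.
normalize_ip() {
    printf '%s\n' "$1" | sed 's/^::[fF][fF][fF][fF]://'
}

# valid_ipv4: succeed only for a dotted quad whose four octets are all 0-255.
valid_ipv4() {
    case $1 in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;   # not a bare dotted quad
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                      # split on dots into the positional params
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_ip: add the DROP rule and persist it for replay after a firewall reset
# (the /etc/swatch_rejects file from #28). DRY_RUN=1 (assumed) prints instead.
block_ip() {
    addr=$(normalize_ip "$1")
    if ! valid_ipv4 "$addr"; then
        echo "swatch_block: refusing unexpected address field '$1'" >&2
        return 1
    fi
    rule="/sbin/iptables -A swatch_rejects -s $addr -j DROP"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$rule"
    else
        $rule && echo "$rule" >> /etc/swatch_rejects
    fi
}

# Entry point when run as a script with one argument; skipped when sourced.
if [ $# -eq 1 ]; then
    block_ip "$1"
fi
```

The swatch_rejects chain must already exist (created by the firewall script that sources /etc/swatch_rejects), and a rejected field is reported on stderr rather than silently dropped so that a parsing problem like the ::ffff: prefix shows up in swatch's own output.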

