Dave Strydom wrote:

> Which brings me back to my original idea, of only allowing your IPs to
> connect to SSH on your servers, and just drop everything else, problem
> solved.

I do something along those lines. At my firewall/router I have a
rule that blocks private IPs (and MS's 169 IP address). Other
addresses are permitted through but all are logged. This script
is on my ssh server for further protection (see below). I used
to do a type of blacklisting (still do) but I haven't had any
new entries since I started using this. BTW, I had a large
number of IPs from China, Korea, Japan, Singapore, Brazil and
a few other Asian countries. So blocking IPs (networks, not
individual IPs) became unmanageable.

Here's what I do (it's been trimmed and I broke the lines with \):

#!/bin/sh
# Allow these sites access to my machine
# -state NEW

permit() {
    # I want to log just the start of the conversation (--syn), at level info
    /sbin/iptables -A INPUT -s "${1}" -p tcp --syn --dport 22 -j LOG \
        --log-level info --log-prefix "iptables permit: " \
        --log-ip-options
    /sbin/iptables -A INPUT -s "${1}" -p tcp --dport 22 -j ACCEPT
}

# Deny these sites access to my machine
deny() {
    # Every packet from the source is logged at level alert, then dropped
    /sbin/iptables -A INPUT -s "${1}" -p tcp --dport 22 -j LOG \
        --log-level alert --log-prefix "iptables deny: " \
        --log-ip-options
    /sbin/iptables -A INPUT -s "${1}" -p tcp --dport 22 -j DROP
}

# =[ Flush the tables completely ]============================================
/sbin/iptables -F

# =[ Permit list ]============================================================
# Rules are matched in order, so the permit entries must come before the
# catch-all deny below.
#permit 127.0.0.0/8 # Local stuff
permit 10.0.0.0/8 # Local stuff
permit 172.16.0.0/12 # Local stuff
permit 192.168.0.0/16 # Local stuff

# =[ Deny list ]==============================================================
deny 0.0.0.0/0 # Deny everyone else

exit 0

--
Linux Home Automation Neil Cherry ncherry@×××××××.net
http://home.comcast.net/~ncherry/ (Text only)
http://hcs.sourceforge.net/ (HCS II)
http://linuxha.blogspot.com/ My HA Blog
--
gentoo-security@g.o mailing list
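As an added example, not part of Neil's post or of any project: a POSIX shell script that reads the kernel log lines the deny() and permit() rules above produce and tallies the dropped sources, per address and per /24 network, which is the information his hand-maintained blacklist was built from. The log lines embedded in it are constructed samples in the format the iptables LOG target writes to syslog; the host name, addresses and timestamps are made up, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise the LOG lines
# written by the "iptables deny: " / "iptables permit: " rules so the
# dropped sources can be reviewed by address and by /24 network.
# SAMPLE_LOG holds constructed sample lines in the shape the LOG target
# emits (syslog prefix, then IN= OUT= SRC= DST= ... DPT=22 ...);
# host name, addresses and timestamps are invented.

SAMPLE_LOG='Mar 10 03:12:01 sshhost kernel: iptables deny: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 03:12:05 sshhost kernel: iptables deny: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 03:13:40 sshhost kernel: iptables permit: IN=eth0 OUT= SRC=192.168.1.20 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 03:15:12 sshhost kernel: iptables deny: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=33001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 10 03:15:13 sshhost kernel: iptables deny: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41236 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# deny_sources: read log text on stdin, print "count ip" for every source
# the deny rule logged, most frequent first.
deny_sources() {
    grep 'iptables deny: ' |
    sed -n 's/.* SRC=\([0-9.]*\) .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# deny_networks: the same tally aggregated to /24, so a scanning network
# shows up as one line (the post notes blocking by network, not by host).
deny_networks() {
    grep 'iptables deny: ' |
    sed -n 's|.* SRC=\([0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]* .*|\1.0/24|p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# repeat_offenders THRESHOLD: only the sources denied at least THRESHOLD
# times, i.e. the candidates that used to be blacklisted by hand.
repeat_offenders() {
    deny_sources | awk -v min="$1" '$1 >= min { print $2 }'
}

# permit_count: number of allow-listed connection starts that were logged
# (the permit rule logs only the SYN, so this is one line per session).
permit_count() {
    grep -c 'iptables permit: '
}

# Demo on the constructed sample; on a real host feed it the kernel log
# instead, e.g. grep 'iptables deny: ' /var/log/messages | deny_networks
printf '%s\n' "$SAMPLE_LOG" | deny_sources
```

Because the deny() rule logs every packet rather than just the SYN, a single noisy client produces many lines; the per-network view is the quicker way to see whether a range is worth a router-level rule.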