Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: Joerg Mertin <smurphy@...>
Subject: Re: [OT?] automatically firewalling off IPs
Date: Tue, 4 Oct 2005 08:15:41 +0200
Hi mate,

I attached a little script I'm using to do that in conjunction with shorewall.
To use it - configure shorewall to use the blacklist file on the related 
interface. I have added 2 exceptions - when failed logins are coming from 
10.0.2.* and 192.168.2.* subnets. Search for these and adapt to your network.

Starting it through cron every 2 minutes (which IMHO is enough).
*/2 * * * * root /etc/shorewall/hosts_reject.sh

the file /etc/cron.d/hosts_reject.
This script is not real-time - however - after some month of running - I have 
only 1 per month average trying to probe my ssh-logins - as it seems the 
drone-systems are blacklisted (Having 153 IP's in my blacklist right now).
You'll require the logtail program to trim the lodfiles ;)

BTW - the system will send you a mail-report when a new IP has been found 
probing your Network.

Drawback: if you're loging in from outside and miswrite your login-name - the 
system will most probably lock you out. MAke sure you log in from a different 
IP-Address.

Cheers

Joerg

On Tuesday 04 October 2005 01:26, Jeremy Brake wrote:
> Thanks for all the great input guys.
> Theres a lot of reading to do before I can decide ona the most suitable
> option for me, but I'll get through it all.
>
> While i'm getting my head around everything to impliment a permanent
> solution, what about this? (sorry, not great with iptables just yet..)
> Leave sshd listening on port 22, but firewall off everything except my
> trusted IP's (localhost, home, girlfriend, work subnet, internal subnet,
> flatmates server) .
> Add an IPTables rule to port forward $ambiguous_external_port through to
> port 22 on localhost (or if its safer, the  10.x.x.x IP assigned to the
> machine) , and log the instance.
> My thinking is that this would make it harder for someone to find my
> open ssh port, but leave me the convenience of not having to specify a
> port when I connect from my regular connections, dozens of times a day.
> Or is it just going to open up an IP spoofing exploit on port 22, and
> achieve practically nothing?
>
> Presumably this would eliminate the need for my original idea of
> search-and-destroy on the brute force scripts, but I'll probably look at
> implimenting something along those lines when I get my ftpd going (i'm
> using SCP for everything now, but theres a need to change that. ) and
> will still look at using the idea for my permanent SSH solution.
>
> I like the sound of of SEC, the IPTables' "recent" option, and port
> knocking. Because NZ IPs are assigned from the APNIC ranges, I'm not
> sure how well the GEOIP patch would work, but i'll look into it.
> (otherwise I would have blacklisted all of Asia already)
> I'm going to read through all the rules and scripts posted, once i've
> researched the available tools, and i'll go from there.
>
>
> Cheers
> Jeremy B
>
> Jeremy Brake wrote:
> > Hey all,
> >
> > I'm looking for an app/script which can monitor for failed ssh logins,
> > and block using IPTables for $time after $number of failed logins (an
> > exclusion list would be handy as well) so that I can put a quick stop
> > to these niggly brute-force ssh "attacks" I seem to be getting more
> > and more often.
> >
> > Anyone have any ideas?
> >
> > Thanks, Jeremy B

-- 
A witty saying proves nothing, but saying something pointless gets
people's attention.
------------------------------------------------------------------------
| Joerg Mertin              :  smurphy@...                (Home)|
| in Forchheim/Germany      :  smurphy@...                  (Alt1)|
| Stardust's LiNUX System   :                                          |
| Web: http://www.solsys.org                                           |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
Attachment:
hosts_reject.sh.gz (GNU Zip compressed data)
Replies:
Re: [OT?] automatically firewalling off IPs
-- Dave Strydom
References:
[OT?] automatically firewalling off IPs
-- Jeremy Brake
Re: [OT?] automatically firewalling off IPs
-- Jeremy Brake
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: [OT?] automatically firewalling off IPs
Next by thread:
Re: [OT?] automatically firewalling off IPs
Previous by date:
Re: [OT?] automatically firewalling off IPs
Next by date:
Re: [OT?] automatically firewalling off IPs


Updated Oct 31, 2011

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.