Gentoo Archives: gentoo-security

From: Joerg Mertin <smurphy@××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Tue, 04 Oct 2005 06:19:58
In Reply to: Re: [gentoo-security] [OT?] automatically firewalling off IPs by Jeremy Brake
Hi mate,

I attached a little script I'm using to do that in conjunction with shorewall.
To use it - configure shorewall to use the blacklist file on the related 
interface. I have added 2 exceptions - when failed logins are coming from 
10.0.2.* and 192.168.2.* subnets. Search for these and adapt to your network.

Start it through cron every 2 minutes (which IMHO is enough):
*/2 * * * * root /etc/shorewall/

in the file /etc/cron.d/hosts_reject.
This script is not real-time - however - after some months of running - I have 
only 1 per month on average trying to probe my ssh-logins - as it seems the 
drone-systems are blacklisted (having 153 IP's in my blacklist right now).
You'll require the logtail program to trim the logfiles ;)

BTW - the system will send you a mail-report when a new IP has been found 
probing your Network.

Drawback: if you're logging in from outside and miswrite your login-name - the 
system will most probably lock you out. Make sure you log in from a different 



On Tuesday 04 October 2005 01:26, Jeremy Brake wrote:
> Thanks for all the great input guys.
> There's a lot of reading to do before I can decide on the most suitable
> option for me, but I'll get through it all.
>
> While I'm getting my head around everything to implement a permanent
> solution, what about this? (sorry, not great with iptables just yet..)
> Leave sshd listening on port 22, but firewall off everything except my
> trusted IP's (localhost, home, girlfriend, work subnet, internal subnet,
> flatmates server).
> Add an IPTables rule to port forward $ambiguous_external_port through to
> port 22 on localhost (or if it's safer, the 10.x.x.x IP assigned to the
> machine), and log the instance.
> My thinking is that this would make it harder for someone to find my
> open ssh port, but leave me the convenience of not having to specify a
> port when I connect from my regular connections, dozens of times a day.
> Or is it just going to open up an IP spoofing exploit on port 22, and
> achieve practically nothing?
>
> Presumably this would eliminate the need for my original idea of
> search-and-destroy on the brute force scripts, but I'll probably look at
> implementing something along those lines when I get my ftpd going (I'm
> using SCP for everything now, but there's a need to change that.) and
> will still look at using the idea for my permanent SSH solution.
>
> I like the sound of SEC, the IPTables' "recent" option, and port
> knocking. Because NZ IPs are assigned from the APNIC ranges, I'm not
> sure how well the GEOIP patch would work, but I'll look into it.
> (otherwise I would have blacklisted all of Asia already)
> I'm going to read through all the rules and scripts posted, once I've
> researched the available tools, and I'll go from there.
>
>
> Cheers
> Jeremy B
>
> Jeremy Brake wrote:
> > Hey all,
> >
> > I'm looking for an app/script which can monitor for failed ssh logins,
> > and block using IPTables for $time after $number of failed logins (an
> > exclusion list would be handy as well) so that I can put a quick stop
> > to these niggly brute-force ssh "attacks" I seem to be getting more
> > and more often.
> >
> > Anyone have any ideas?
> >
> > Thanks, Jeremy B
-- 
A witty saying proves nothing, but saying something pointless gets people's attention.
------------------------------------------------------------------------
| Joerg Mertin : smurphy@××××××.org (Home)|
| in Forchheim/Germany : smurphy@×××××.de (Alt1)|
| Stardust's LiNUX System : |
| Web: |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A


File name MIME type application/x-gzip
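The mechanism Joerg describes (scan the auth log for failed sshd logins, skip the trusted 10.0.2.* and 192.168.2.* subnets, append the rest to the shorewall blacklist, and let cron's mail carry the report of newly found IPs) as an added example in POSIX shell. This is not the gzipped script attached to the mail, which is not on the page. It assumes the classic syslog "Failed password for ... from IP port ..." line emitted by sshd, a shorewall blacklist file holding one bare address per line, and reads the whole log file instead of using logtail; the log lines, the existing blacklist entry and the paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not the script attached to the mail: extract source IPs of
# failed sshd logins from auth-log lines, drop the two trusted subnets the
# mail mentions, and append the IPs not yet blacklisted to a shorewall-style
# blacklist file (one bare address per line). Run from cron, anything printed
# on stdout is mailed to MAILTO, which is the "new IP found" report.
# logtail is left out, so the whole log file is read on every run.

# Constructed sample auth.log lines (syslog/sshd format, not real data).
SAMPLE_LOG='Oct  4 05:58:12 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4021 ssh2
Oct  4 05:58:15 host sshd[1234]: Failed password for root from 203.0.113.7 port 4022 ssh2
Oct  4 05:59:01 host sshd[1240]: Failed password for root from 198.51.100.9 port 1111 ssh2
Oct  4 06:00:30 host sshd[1251]: Failed password for jmertin from 10.0.2.15 port 50012 ssh2
Oct  4 06:01:02 host sshd[1260]: Failed password for invalid user test from 192.168.2.3 port 33000 ssh2
Oct  4 06:02:40 host sshd[1270]: Accepted publickey for smurphy from 192.0.2.44 port 2222 ssh2'

# Constructed existing blacklist content: 198.51.100.9 is already blocked.
EXISTING_BLACKLIST='198.51.100.9'

# failed_ips: read log lines on stdin, print each offending source IP once,
# sorted. The two trusted networks are excluded so a mistyped login from
# inside the LAN cannot lock the admin out (the drawback the mail notes).
failed_ips() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([0-9.]*\) port .*/\1/p' \
        | grep -v -E '^(10\.0\.2|192\.168\.2)\.' \
        | sort -u
}

# new_entries BLACKLIST: keep only the IPs on stdin that are not already
# present as a whole line in the blacklist file (fixed-string match, so
# comment lines in the file never collide with an address).
new_entries() {
    grep -v -x -F -f "$1" || true
}

# scan LOGFILE BLACKLIST: append the new offenders to the blacklist and echo
# them, so the cron mail lists exactly what was added. Reloading the firewall
# afterwards (e.g. "shorewall refresh") is left to the caller.
scan() {
    failed_ips < "$1" | new_entries "$2" | tee -a "$2"
}

# Command-line use with assumed paths:
#   hosts_reject.sh /var/log/auth.log /etc/shorewall/blacklist
if [ "$#" -eq 2 ]; then
    scan "$1" "$2"
fi
```

With the sample above, 203.0.113.7 is the only address reported: 198.51.100.9 is already listed, the two LAN hits fall under the exceptions, and the successful publickey login is ignored. The exceptions only protect the named subnets; a typo while logging in from anywhere else still gets that address blacklisted, which is why the mail recommends keeping a second way in.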

