| 1 |
On Mon, Sep 07, 2009 at 03:27:56PM +0000, Penguin Lover James squawked: |
| 2 |
> Willie Wong <wwong <at> math.princeton.edu> writes: |
| 3 |
> |
| 4 |
> |
| 5 |
> > On my setup, I just block almost everything (except ssh) by default |
| 6 |
> > and maintain a white-list of IPs. |
| 7 |
> |
| 8 |
> |
| 9 |
> Can you share with us how you "white-list" IPs via your |
| 10 |
> iptables setup? That is your code you add to your startup |
| 11 |
> script and your iptables syntax on those white/black listed |
| 12 |
> IPs? |
| 13 |
|
| 14 |
Hum? the init script for iptables automatically saves and loads the |
| 15 |
policy, at least with SAVE_ON_STOP="yes" in /etc/conf.d/iptables, so I |
| 16 |
don't have any special configs in any start-up scripts. |
| 17 |
|
| 18 |
I built my tables using the commandline. A good quick intro guide is |
| 19 |
at http://www.gentoo.org/doc/en/home-router-howto.xml , section 5. |
| 20 |
|
| 21 |
The static part of the table looks something like this |
| 22 |
|
| 23 |
Chain INPUT (policy ACCEPT) |
| 24 |
target prot opt source destination |
| 25 |
ACCEPT all -- 192.168.0.0/16 anywhere |
| 26 |
ACCEPT all -- localhost anywhere |
| 27 |
general_port_block all -- anywhere anywhere |
| 28 |
ssh_blacklist all -- anywhere anywhere |
| 29 |
|
| 30 |
Chain general_port_block (1 references) |
| 31 |
target prot opt source destination |
| 32 |
DROP tcp -- anywhere anywhere tcp dpt:ftp |
| 33 |
DROP tcp -- anywhere anywhere tcp dpt:urd |
| 34 |
DROP tcp -- anywhere anywhere tcp dpt:smtp |
| 35 |
DROP tcp -- anywhere anywhere tcp dpt:http |
| 36 |
DROP tcp -- anywhere anywhere tcp dpt:http-alt |
| 37 |
DROP tcp -- anywhere anywhere tcp dpt:https |
| 38 |
DROP tcp -- anywhere anywhere tcp dpt:783 |
| 39 |
DROP tcp -- anywhere anywhere tcp dpt:ipp |
| 40 |
|
| 41 |
If you know iptables at all, you can probably figure out what I did to |
| 42 |
set it up(*). The 'general_port_block' chain is to just make things |
| 43 |
tidier. So you see, I set the default policy to allow connections. I |
| 44 |
whitelist first the LAN and localhost. Then I filter everything |
| 45 |
through the two chains. The general_port_block chain is static, and |
| 46 |
it blocks a bunch of services, some of which I run (but which I only |
| 47 |
want my family to access from the LAN), some I don't. |
| 48 |
|
| 49 |
As you can see, I don't block ssh, because I sometimes travel a bit. |
| 50 |
So instead, I have a separate chian that helps a bit in slowing down |
| 51 |
brute force attacks. |
| 52 |
|
| 53 |
The ssh_blacklist chain is dynamically generated via a perl script. |
| 54 |
The script monitors the ssh logs and blocks IPs for a certain period |
| 55 |
of time after either an attempt to log-in as root, or five failed |
| 56 |
log-in attempts. (I have locked myself out once or twice from a hotel |
| 57 |
when I accidentaly hit the capslock...) Basically you just add a |
| 58 |
target to be blocked to the iptables and use atd to remove it some |
| 59 |
time later. |
| 60 |
|
| 61 |
(*)If you don't know iptables, man iptables. |
| 62 |
|
| 63 |
> What do you use to maintain these white/black lists of IPs, |
| 64 |
> tools and philosophy.....? |
| 65 |
|
| 66 |
My philosophy is common sense. I white list those ips that I want to |
| 67 |
be able to access the services. I black list those I don't. For |
| 68 |
services like ssh, I pray that my efforts are secure enough. |
| 69 |
|
| 70 |
HTH, |
| 71 |
|
| 72 |
W |
| 73 |
-- |
| 74 |
I am so happy that Willetta is in my life. What would I do without her? |
| 75 |
Probably go insane. In fact, I am insanely in love with Willetta, so I am |
| 76 |
insane right now... but... |
| 77 |
Sortir en Pantoufles: up 1005 days, 9:25 |
Archives