On Mon, Sep 07, 2009 at 03:27:56PM +0000, Penguin Lover James squawked:
> Willie Wong <wwong <at> math.princeton.edu> writes:
>
>
> > On my setup, I just block almost everything (except ssh) by default
> > and maintain a white-list of IPs.
>
>
> Can you share with us how you "white-list" IPs via your
> iptables setup? That is your code you add to your startup
> script and your iptables syntax on those white/black listed
> IPs?

Hum? the init script for iptables automatically saves and loads the
policy, at least with SAVE_ON_STOP="yes" in /etc/conf.d/iptables, so I
don't have any special configs in any start-up scripts.

I built my tables using the commandline. A good quick intro guide is
at http://www.gentoo.org/doc/en/home-router-howto.xml , section 5.

The static part of the table looks something like this

Chain INPUT (policy ACCEPT)
target              prot opt source           destination
ACCEPT              all  --  192.168.0.0/16   anywhere
ACCEPT              all  --  localhost        anywhere
general_port_block  all  --  anywhere         anywhere
ssh_blacklist       all  --  anywhere         anywhere

Chain general_port_block (1 references)
target  prot opt source    destination
DROP    tcp  --  anywhere  anywhere     tcp dpt:ftp
DROP    tcp  --  anywhere  anywhere     tcp dpt:urd
DROP    tcp  --  anywhere  anywhere     tcp dpt:smtp
DROP    tcp  --  anywhere  anywhere     tcp dpt:http
DROP    tcp  --  anywhere  anywhere     tcp dpt:http-alt
DROP    tcp  --  anywhere  anywhere     tcp dpt:https
DROP    tcp  --  anywhere  anywhere     tcp dpt:783
DROP    tcp  --  anywhere  anywhere     tcp dpt:ipp

If you know iptables at all, you can probably figure out what I did to
set it up(*). The 'general_port_block' chain is to just make things
tidier. So you see, I set the default policy to allow connections. I
whitelist first the LAN and localhost. Then I filter everything
through the two chains. The general_port_block chain is static, and
it blocks a bunch of services, some of which I run (but which I only
want my family to access from the LAN), some I don't.

As you can see, I don't block ssh, because I sometimes travel a bit.
So instead, I have a separate chain that helps a bit in slowing down
brute force attacks.

The ssh_blacklist chain is dynamically generated via a perl script.
The script monitors the ssh logs and blocks IPs for a certain period
of time after either an attempt to log-in as root, or five failed
log-in attempts. (I have locked myself out once or twice from a hotel
when I accidentally hit the capslock...) Basically you just add a
target to be blocked to the iptables and use atd to remove it some
time later.

(*)If you don't know iptables, man iptables.

> What do you use to maintain these white/black lists of IPs,
> tools and philosophy.....?

My philosophy is common sense. I white list those ips that I want to
be able to access the services. I black list those I don't. For
services like ssh, I pray that my efforts are secure enough.

HTH,

W
--
I am so happy that Willetta is in my life. What would I do without her?
Probably go insane. In fact, I am insanely in love with Willetta, so I am
insane right now... but...
Sortir en Pantoufles: up 1005 days, 9:25
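As an added example (not Willie's perl script, nor anything posted in the thread), here is the log-watching logic the mail describes, in Python: it reads constructed sshd log lines, applies the two triggers named above (any root attempt, or five failed log-ins), skips the already whitelisted LAN, and emits the iptables insert into the ssh_blacklist chain together with the `at` job that deletes the rule again. The 30-minute block duration, the LAN prefix and the syslog line format are assumptions.

```python
import re
from collections import Counter

# sshd's password-failure line; captures the attempted user and the source IP
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
FAIL_LIMIT = 5                # five failed log-ins -> block, as in the mail
BLOCK_MINUTES = 30            # assumed duration; the mail gives no number
LAN_PREFIXES = ("192.168.",)  # the LAN is already whitelisted in INPUT

# Constructed sample log (RFC 5737 test addresses), not a real capture.
SAMPLE_LOG = """\
Sep  7 15:01:02 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.10 port 40211 ssh2
Sep  7 15:01:04 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.10 port 40212 ssh2
Sep  7 15:01:06 gw sshd[4103]: Failed password for root from 203.0.113.20 port 40300 ssh2
Sep  7 15:01:07 gw sshd[4101]: Failed password for invalid user test from 203.0.113.10 port 40213 ssh2
Sep  7 15:01:09 gw sshd[4105]: Failed password for willie from 198.51.100.7 port 51000 ssh2
Sep  7 15:01:11 gw sshd[4101]: Failed password for invalid user oracle from 203.0.113.10 port 40214 ssh2
Sep  7 15:01:12 gw sshd[4107]: Accepted publickey for willie from 192.168.1.5 port 50000 ssh2
Sep  7 15:01:14 gw sshd[4101]: Failed password for invalid user guest from 203.0.113.10 port 40215 ssh2
Sep  7 15:01:20 gw sshd[4109]: Failed password for root from 192.168.1.9 port 52000 ssh2
""".splitlines()

def offenders(lines):
    """Return {ip: reason} for every address that earned a block."""
    failures, reasons = Counter(), {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, ip = m.groups()
        if ip.startswith(LAN_PREFIXES):
            continue                      # never lock out the LAN
        if user == "root":                # a single root attempt is enough
            reasons.setdefault(ip, "root login attempt")
        else:
            failures[ip] += 1
            if failures[ip] >= FAIL_LIMIT:
                reasons.setdefault(ip, f"{FAIL_LIMIT} failed logins")
    return reasons

def block_commands(ip, minutes=BLOCK_MINUTES):
    """Shell commands: insert the DROP rule, then let atd delete it later."""
    rule = f"ssh_blacklist -s {ip} -p tcp --dport 22 -j DROP"
    return [f"iptables -I {rule}",
            f"echo 'iptables -D {rule}' | at now + {minutes} minutes"]

if __name__ == "__main__":    # what the perl script would hand to the shell
    for ip, why in offenders(SAMPLE_LOG).items():
        print(f"# {ip}: {why}", *block_commands(ip), sep="\n")
```

Only the two public addresses are blocked: 198.51.100.7 stays under the five-failure limit and the root attempt from 192.168.1.9 is ignored as LAN traffic.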