[Firehol-support] Re: Integrating ipt_recent with FireHOL

Allen Smith asmith at offermatica.com
Thu Nov 10 21:53:36 CET 2005


This kind of thing might be better handled with something like denyhosts.

http://denyhosts.sourceforge.net/

Instead of firewalling off the offending hosts which alerts them to switch the 
attacking process to another zombie under their control, it adds the IP 
address to deny.hosts so they keep trying and even if they successfully get a 
username/password combo, ssh will keep giving them permission denied. As far 
as they are concerned, they failed to bruteforce.

-Allen


On Thursday 10 November 2005 12:43 pm, Redeeman wrote:
> On Thu, 2005-11-10 at 02:34 +0000, Carlos Rodrigues wrote:
> > Harry Sufehmi wrote:
> > > Can anyone give any clue regarding this ? I'd be interested to utilize 
> > > this as well. My server (and I believe many others) have been subjected 
> > > to these brute-force attacks too.
> > 
> > My point was more about integrating this into the "FireHOL language" 
> > than being able to do this from within firehol.conf, which is already 
> > possible using the "iptables" helper (which acts just like an alias for 
> > "/sbin/iptables").
> > 
> > So, you can add the following block of code to your firehol.conf, 
> > somewhere before any "interface" or "router" blocks:
> > 
> > #--8<---------------------
> > 
> > # Block any address who tries to connect more than three times within
> > # 30 seconds. Unblock after it stops trying to connect for 30 seconds.
> > 
> > iptables -N block_abusers
> > iptables -A block_abusers -p tcp --dport ssh -m recent --set --name SSH
> > iptables -A block_abusers -p tcp --dport ssh -m recent \
> > 	 --update --seconds 30 --hitcount 4 --name SSH -j DROP
> > 
> > # Filter traffic coming in to this machine
> > iptables -I INPUT 1 -i eth0 -m state --state NEW -j block_abusers
> > 
> > # Filter traffic passing through this machine
> > iptables -I FORWARD 1 -i eth0 -m state --state NEW -j block_abusers
> > 
> > #--8<---------------------
> > 
> wow, this is very cool.
> 
> it would rock if this was integrated into firehol
> 
> > The jump to chain "block_abusers" is added as the first rule in the 
> > INPUT and FORWARD chains, to avoid being affected or interfering with 
> > FireHOL-generated rules.
> > 
> > You may want to REJECT abusers instead of DROPing them while testing.
> > 
> > Carlos Rodrigues
> > 
> > 
> > -------------------------------------------------------
> > SF.Net email is sponsored by:
> > Tame your development challenges with Apache's Geronimo App Server. Download
> > it for free - -and be entered to win a 42" plasma tv or your very own
> > Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
> > _______________________________________________
> > Firehol-support mailing list
> > Firehol-support at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/firehol-support
> > 
> 
> 
> 
> 

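The "recent" match rules quoted above (the `--set` rule followed by `--update --seconds 30 --hitcount 4`) have a subtlety worth seeing worked through: because `--set` runs first, every new SSH connection attempt appends a timestamp for the source address, and `--update` then counts how many timestamps fall inside the last 30 seconds. The fourth attempt within the window is dropped, every further attempt while blocked adds more timestamps (so the block extends while the host keeps trying), and the address is released once fewer than four timestamps remain inside a 30-second window. The Python model below is an added illustration written for this page, not code from the thread, FireHOL or the kernel. It approximates xt_recent's per-address timestamp list (assumed default capacity of 20 entries) and the match logic of `--set`/`--update`; the addresses, timestamps and the `simulate` helper are constructed for the example.

```python
"""Model of the iptables 'recent' match as used in the block_abusers chain.

Added example (not from the mailing-list thread). It approximates the
behaviour of xt_recent's --set and --update --seconds S --hitcount N for a
sequence of NEW SSH connection attempts, so the blocking/unblocking
behaviour of the quoted rules can be traced offline.
"""
from collections import deque

# xt_recent keeps a bounded list of timestamps per address; the kernel
# default (ip_pkt_list_tot) is assumed to be 20 here.
MAX_STAMPS = 20


class RecentTable:
    """One named 'recent' list (the quoted rules use --name SSH)."""

    def __init__(self, name):
        self.name = name
        self.entries = {}  # address -> deque of timestamps (seconds)

    def set(self, ip, now):
        """--set: create the entry or append a new timestamp to it."""
        stamps = self.entries.setdefault(ip, deque(maxlen=MAX_STAMPS))
        stamps.append(now)

    def update(self, ip, now, seconds, hitcount):
        """--update --seconds S --hitcount N.

        Matches when the address is listed and at least N timestamps lie
        inside the last S seconds. On a match the entry is refreshed with
        another timestamp, which is what keeps a persistent attacker blocked.
        """
        stamps = self.entries.get(ip)
        if stamps is None:
            return False
        hits = sum(1 for s in stamps if s >= now - seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False


def block_abusers(table, ip, now, seconds=30, hitcount=4):
    """Walk the two rules of the quoted block_abusers chain for one packet.

    Returns "DROP" when the --update rule matches, otherwise "RETURN"
    (the packet falls through to the FireHOL-generated rules).
    """
    table.set(ip, now)                      # rule 1: --set --name SSH
    if table.update(ip, now, seconds, hitcount):  # rule 2: --update ... -j DROP
        return "DROP"
    return "RETURN"


def simulate(attempts, seconds=30, hitcount=4):
    """Feed (time, source_ip) NEW-connection attempts through the chain.

    Returns a list of (time, ip, verdict) tuples in input order.
    """
    table = RecentTable("SSH")
    return [(t, ip, block_abusers(table, ip, t, seconds, hitcount))
            for t, ip in attempts]


# Constructed sample: one host hammering port 22, one well-behaved host.
# Addresses come from the RFC 5737 documentation ranges.
ATTEMPTS = [
    (0, "192.0.2.10"),
    (5, "192.0.2.10"),
    (10, "192.0.2.10"),
    (12, "192.0.2.10"),      # 4th hit inside 30 s -> dropped
    (15, "198.51.100.7"),    # unrelated host, unaffected
    (20, "192.0.2.10"),      # still inside the window -> dropped again
    (50, "192.0.2.10"),      # only the refreshed stamps at t=20 remain in window -> allowed
    (55, "192.0.2.10"),
]

if __name__ == "__main__":
    for t, ip, verdict in simulate(ATTEMPTS):
        print(f"t={t:3d}s  {ip:15s}  {verdict}")
```

Running the model shows the third point Carlos makes about testing: swapping `"DROP"` for a `REJECT` verdict changes nothing about when the `--update` rule matches, only what the client sees, so the timing behaviour can be verified first and the target switched afterwards. Note that the model counts only NEW connection attempts, matching the `-m state --state NEW` jump in the quoted INPUT and FORWARD rules.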