[Firehol-support] Re: Integrating ipt_recent with FireHOL

Rick Marshall rjm at zenucom.com
Thu Nov 10 21:49:59 GMT 2005


personally i prefer this approach for a couple of reasons:

1. am i correct? dropping their packets means they have to time out on 
the packets to realise something is wrong - i presume this causes some 
delays in the attacker's activity. reject would alert them immediately.
2. tired of having my log files filled with their crap.
3. looking at the logs, i'd say they use all the zombies at some time 
anyway.
4. i want a very minimal interference approach as i have several 
users behind a firewall who need ssh to log into the servers. i don't 
want their activity misinterpreted and causing long delays - and 
hanging is less confusing than rejection.

thanks for the code - i'm trialling it now and it seems to be just what i 
was after.

rick

Allen Smith wrote:

>This kind of thing might be better handled with something like denyhosts.
>
>http://denyhosts.sourceforge.net/
>
>Instead of firewalling off the offending hosts which alerts them to switch the 
>attacking process to another zombie under their control, it adds the IP 
>address to deny.hosts so they keep trying and even if they successfully get a 
>username/password combo, ssh will keep giving them permission denied. As far 
>as they are concerned, they failed to bruteforce.
>
>-Allen
>
>
>On Thursday 10 November 2005 12:43 pm, Redeeman wrote:
>>On Thu, 2005-11-10 at 02:34 +0000, Carlos Rodrigues wrote:
>>>Harry Sufehmi wrote:
>>>>Can anyone give any clue regarding this ? I'd be interested to utilize 
>>>>this as well. My server (and I believe many others) have been subjected 
>>>>to these brute-force attacks too.
>>>My point was more about integrating this into the "FireHOL language" 
>>>than being able to do this from within firehol.conf, which is already 
>>>possible using the "iptables" helper (which acts just like an alias for 
>>>"/sbin/iptables").
>>>
>>>So, you can add the following block of code to your firehol.conf, 
>>>somewhere before any "interface" or "router" blocks:
>>>
>>>#--8<---------------------
>>>
>>># Block any address who tries to connect more than three times within
>>># 30 seconds. Unblock after it stops trying to connect for 30 seconds.
>>>
>>>iptables -N block_abusers
>>>iptables -A block_abusers -p tcp --dport ssh -m recent --set --name SSH
>>>iptables -A block_abusers -p tcp --dport ssh -m recent \
>>>	 --update --seconds 30 --hitcount 4 --name SSH -j DROP
>>>
>>># Filter traffic coming in to this machine
>>>iptables -I INPUT 1 -i eth0 -m state --state NEW -j block_abusers
>>>
>>># Filter traffic passing through this machine
>>>iptables -I FORWARD 1 -i eth0 -m state --state NEW -j block_abusers
>>>
>>>#--8<---------------------
>>>
>>wow, this is very cool.
>>
>>it would rock if this was integrated into firehol
>>
>>>The jump to chain "block_abusers" is added as the first rule in the 
>>>INPUT and FORWARD chains, to avoid being affected or interfering with 
>>>FireHOL-generated rules.
>>>
>>>You may want to REJECT abusers instead of DROPing them while testing.
>>>
>>>Carlos Rodrigues
>>>
>>>
>>>-------------------------------------------------------
>>>SF.Net email is sponsored by:
>>>Tame your development challenges with Apache's Geronimo App Server. Download
>>>it for free - -and be entered to win a 42" plasma tv or your very own
>>>Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
>>>_______________________________________________
>>>Firehol-support mailing list
>>>Firehol-support at lists.sourceforge.net
>>>https://lists.sourceforge.net/lists/listinfo/firehol-support
>>>
>>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: rjm.vcf
Type: text/x-vcard
Size: 155 bytes
Desc: not available
URL: <http://lists.firehol.org/pipermail/firehol-support/attachments/20051111/71da36e4/attachment-0003.vcf>
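The `block_abusers` chain quoted above from Carlos Rodrigues' message is easier to reason about when the `recent` match is played out against a stream of connections, so here is an added example that is not from the thread, from FireHOL or from netfilter. It models `-m recent --set` followed by `-m recent --update --seconds 30 --hitcount 4 -j DROP` the way xt_recent evaluates them as I understand it: `--set` records a timestamp for the source address, `--update` matches when at least four timestamps fall inside the last 30 seconds and, on a match, records one more; a per-address list of at most 20 stamps (the `ip_pkt_list_tot` default) is assumed. The addresses and timings in the traces are made up.

```python
"""Model of the block_abusers chain quoted in this thread (added example).

Not FireHOL or netfilter code.  Each NEW SSH connection is run through
`-m recent --set` (record a timestamp for the source address) and then
`-m recent --update --seconds 30 --hitcount 4 -j DROP` (match when at least
four timestamps fall inside the last 30 s; on a match the entry is refreshed
with another timestamp, which is what --update adds over --rcheck).
Assumed to follow xt_recent's semantics; addresses and timings are made up.
"""
from collections import defaultdict, deque

SECONDS = 30    # --seconds 30
HITCOUNT = 4    # --hitcount 4
LIST_TOT = 20   # assumed: xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per address


class RecentTable:
    """Per-source-address timestamp lists, one table per --name (here "SSH")."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_TOT))

    def set(self, ip, now):
        """`--set`: record this packet's time; always matches."""
        self.stamps[ip].append(now)
        return True

    def update(self, ip, now, seconds=SECONDS, hitcount=HITCOUNT):
        """`--update --seconds S --hitcount H`: true when the address has at
        least H stamps no older than S seconds; a match also adds a stamp."""
        if ip not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[ip] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[ip].append(now)
            return True
        return False


def block_abusers(table, ip, now):
    """Verdict of the block_abusers chain for one NEW connection to dport ssh."""
    table.set(ip, now)           # rule 1: -m recent --set --name SSH (no target)
    if table.update(ip, now):    # rule 2: -m recent --update ... -j DROP
        return "DROP"
    return "RETURN"              # end of user chain: back to INPUT/FORWARD


def run_trace(trace):
    """Feed (time_in_seconds, source_ip) events through a fresh table."""
    table = RecentTable()
    return [(t, ip, block_abusers(table, ip, t)) for t, ip in trace]


def verdicts(trace):
    """Just the verdict column of run_trace, for checking."""
    return [v for _, _, v in run_trace(trace)]


# Constructed traces; the verdict each event gets is given in the comments.
FAST = [(0, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"),
        (3, "203.0.113.5"),                                          # 4th hit in 30 s: DROP
        (13, "203.0.113.5"), (23, "203.0.113.5"), (33, "203.0.113.5"),  # each retry refreshes: DROP
        (70, "203.0.113.5")]                                         # 37 s silent, window empty: RETURN

SLOW = [(0, "203.0.113.7"), (1, "203.0.113.7"), (2, "203.0.113.7"),
        (3, "203.0.113.7"),      # DROP
        (28, "203.0.113.7"),     # six stamps still inside the window: DROP
        (53, "203.0.113.7")]     # only the two stamps from t=28 plus this one: 3 < 4, RETURN

OFFICE = [(0, "198.51.100.9"), (10, "198.51.100.9"),
          (20, "198.51.100.9"), (29, "198.51.100.9")]  # 4th legitimate user behind one NAT: DROP


if __name__ == "__main__":
    for name, trace in (("fast", FAST), ("slow", SLOW), ("office", OFFICE)):
        for t, ip, verdict in run_trace(trace):
            print(f"{name:6s} t={t:3d}s {ip:15s} {verdict}")
```

The three traces show what the rule text leaves implicit. A host that retries every 10 seconds after being blocked keeps refreshing its own entry and stays dropped until it has been quiet long enough for the 30-second window to empty. A host that backs off to one retry every 25 seconds slips under `--hitcount 4` on its second retry, because only three stamps (two from the previous refreshed drop, one from the new packet) land in any 30-second window, so the match is on stamp count, not on time since last contact. And four users behind one NAT address who each open a session within the same 30 seconds see the fourth one dropped, which is the interference Rick's fourth point worries about; `hitcount` and `seconds` need to be set with that shared-address case in mind.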

