Re: iptables: identify host with DSL/Fritzbox

[Andrew Miehs <andrew@2sheds.de>]

On 20/01/2009, at 1:30 PM, Sebastian Rose wrote:

> Now the IPs are extracted from logfile lines matching regular
> expressions. Each regular expression assigns a certain amount of
> `points' to the IP. Once the IP's points reach a maximum (say 100
> points), an iptables rule is added.

You should be able to grep ?/var/log/auth.log? and count the number
of failed attempts.

> By now, I have no good way to _decrease_ the points again. All IPs are
> granted access again after two weeks (configurable), if no new points
> are added during that time span.
>
> It would be better, to have different tactics for several groups of
> IPs. AFAIK IPs like mine, dynamic ones, are reassigned all 24 hours in
> germany (Telekom).  Maybe a second thread (or process) could do a
> `whois' for all IPs tracked, and assign the IPs an appropriate
> expiration date.

Based on this info, I would just reset the count after 12 hours - write
a timestamp in your file 'lock file' when you create the entry.

> This leads to the question: is there a way to be certain, that an IP  
> is
> a dynamic one?

No - there isn't

> I noticed, that the `whois' for dynamic IPs has no `[Admin-C]'
> section. Could I depend on this fact?

No, and please don't. This is NOT what the whois servers are for.

> Maybe:
> Could I run a second shhd too? That one would use the same certificate
> and different port and config. It would allow just one special user  
> with
> a long and akward name and password.

It sounds like you are looking for something like 'knockd'

Something like this may be an option for you:
  http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki

Best regards,

Andrew