
Re: iptables: identify host with DSL/Fritzbox



Hi Andrew,


Andrew Miehs <andrew@2sheds.de> writes:
> On 20/01/2009, at 1:30 PM, Sebastian Rose wrote:
>
>> Now the IPs are extracted from logfile lines matching regular
>> expressions. Each regular expression assigns a certain amount of
>> `points' to the IP. Once the IP's points reach a maximum (say 100
>> points), an iptables rule is added.
>
> You should be able to grep '/var/log/auth.log' and count the number
> of failed attempts.


That's what my little program does constantly (I use libpcre++ for
this). 


>> By now, I have no good way to _decrease_ the points again. All IPs are
>> granted access again after two weeks (configurable), if no new points
>> are added during that time span.
>>
>> It would be better, to have different tactics for several groups of
>> IPs. AFAIK IPs like mine, dynamic ones, are reassigned all 24 hours in
>> Germany (Telekom).  Maybe a second thread (or process) could do a
>> `whois' for all IPs tracked, and assign the IPs an appropriate
>> expiration date.
>
> Based on this info, I would just reset the count after 12 hours - write
> a timestamp in your file 'lock file' when you create the entry.

Yes, something like this. But it's all in-memory. I have a std::map to
track IPs. Once they become locked ones, the pointer is copied to the
end of a std::queue. Once after a while, the program inspects the tip of
the queue for IPs to unlock again. IPs are structures that carry the
`points', `timeout' and the IP address itself.

12 hours is not very long. Anyway, if there is no way to distinguish
dynamic IPs from static ones, the value has to be quite low. I currently
use two weeks....


>> This leads to the question: is there a way to be certain, that an IP is
>> a dynamic one?
>
> No - there isn't

Ahhhrg - f... I was hoping there's a way....



>> I noticed, that the `whois' for dynamic IPs has no `[Admin-C]'
>> section. Could I depend on this fact?
>
> No, and please don't. This is NOT what the whois servers are for.

OK. So I'll have to gather those networks myself somehow.


>> Maybe:
>> Could I run a second sshd too? That one would use the same certificate
>> and different port and config. It would allow just one special user with
>> a long and awkward name and password.
>
> It sounds like you are looking for something like 'knockd'
>
> Something like this may be an option for you:
>   http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki


Wow - this looks like a way to go! There is a Debian package even!
Great!!!

Thanks for the hint!!





Regards,

-- 
Sebastian Rose, EMMA STIL - mediendesign, Niemeyerstr.6, 30449 Hannover
Tel.:  +49 (0)511 - 36 58 472
Fax:   +49 (0)1805 - 233633 - 11044
mobil: +49 (0)173 - 83 93 417
Http:  www.emma-stil.de
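Added illustration (not Sebastian's program, which is not posted in the thread): a small C++ tracker in the shape he describes above, a std::map of hosts keyed by IP, a std::queue of locked hosts whose front is inspected to find locks that have expired, and regex rules that each add a fixed number of points. It goes one step beyond the mail by also decaying points over time, which is the "decrease the points again" he says he has no good way to do. Assumptions: std::regex stands in for libpcre++, the caller passes the current Unix time into `feed` and `expire` so the logic is deterministic, the rule patterns and the sshd-style log lines in `demo()` are constructed for this example, and adding the iptables rule is left to the caller when `feed` returns true.

```cpp
#include <algorithm>
#include <map>
#include <queue>
#include <regex>
#include <string>
#include <vector>

// Per-host state, as in the thread: points, timeout and lock flag.
struct Host {
    int  points  = 0;
    long last    = 0;     // time of the last scored event (for decay)
    long timeout = 0;     // when the lock expires; valid only while locked
    bool locked  = false;
};

struct Rule {
    std::regex pattern;   // capture group 1 must be the IP address
    int        points;
};

class Tracker {
public:
    // threshold: points at which a host is locked; decay_step points are
    // forgiven for every full decay_interval seconds without a new hit.
    Tracker(int threshold, long lock_seconds, int decay_step, long decay_interval)
        : threshold_(threshold), lock_seconds_(lock_seconds),
          decay_step_(decay_step), decay_interval_(decay_interval) {}

    void add_rule(const std::string& re, int points) {
        rules_.push_back({std::regex(re), points});
    }

    // Score one log line against the rules (first match wins). Returns true
    // when this line pushed the host over the threshold, i.e. the moment the
    // caller would add the iptables rule.
    bool feed(const std::string& line, long now) {
        for (const Rule& r : rules_) {
            std::smatch m;
            if (!std::regex_search(line, m, r.pattern) || m.size() < 2) continue;
            const std::string ip = m[1];
            Host& h = hosts_[ip];
            if (h.locked) return false;            // already blocked, nothing to do
            long intervals = (now - h.last) / decay_interval_;
            h.points = std::max(0, h.points - static_cast<int>(intervals) * decay_step_);
            h.last    = now;
            h.points += r.points;
            if (h.points >= threshold_) {
                h.locked  = true;
                h.timeout = now + lock_seconds_;
                locked_.push(ip);                  // queue stays ordered by lock time
                return true;
            }
            return false;
        }
        return false;
    }

    // Inspect the front of the queue and release every host whose lock has
    // expired. Locks were queued in time order, so stop at the first live one.
    std::vector<std::string> expire(long now) {
        std::vector<std::string> released;
        while (!locked_.empty()) {
            const std::string ip = locked_.front();  // copy before pop()
            Host& h = hosts_[ip];
            if (h.timeout > now) break;
            h.locked = false;
            h.points = 0;
            h.last   = now;
            locked_.pop();
            released.push_back(ip);
        }
        return released;
    }

    bool is_locked(const std::string& ip) const {
        auto it = hosts_.find(ip);
        return it != hosts_.end() && it->second.locked;
    }
    int points(const std::string& ip) const {
        auto it = hosts_.find(ip);
        return it == hosts_.end() ? 0 : it->second.points;
    }

private:
    int  threshold_;
    long lock_seconds_;
    int  decay_step_;
    long decay_interval_;
    std::vector<Rule> rules_;
    std::map<std::string, Host> hosts_;
    std::queue<std::string> locked_;
};

// Constructed sshd-style auth.log lines (RFC 5737 example addresses), fed
// 5 seconds apart. Returns which of the two hosts ended up locked.
std::vector<std::string> demo() {
    Tracker t(100, 14 * 24 * 3600, 10, 3600);   // 100 points, two-week lock, -10/hour
    t.add_rule("Failed password for (?:invalid user )?\\S+ from ([0-9.]+)", 40);
    t.add_rule("Invalid user \\S+ from ([0-9.]+)", 20);
    const char* lines[] = {
        "sshd[1]: Invalid user admin from 192.0.2.10",
        "sshd[1]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2",
        "sshd[2]: Failed password for root from 198.51.100.7 port 4002 ssh2",
        "sshd[1]: Failed password for invalid user admin from 192.0.2.10 port 4003 ssh2",
    };
    long now = 1000;
    for (const char* l : lines) { t.feed(l, now); now += 5; }
    std::vector<std::string> locked;
    for (const char* ip : {"192.0.2.10", "198.51.100.7"})
        if (t.is_locked(ip)) locked.push_back(ip);
    return locked;                                 // {"192.0.2.10"}: 20+40+40 = 100
}
```

In `demo()` the first host collects 20 + 40 + 40 points and is locked on its third line, the second host stays at 40. A separate thread calling `expire(now)` periodically is all that is needed to drop the corresponding iptables rule again; because the queue is ordered by lock time, that call touches only the hosts at the front and never scans the whole map.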

