Cleanup portsentry's iptables rules (WAS: HEAD's UP: possible 0day SSH exploit in the wild)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Clemens Pfaffinger wrote on 07.07.2009 23:23:
> this is standard for me. I always change the port of the openSSH-server.
>
> My (current) solution is:
> Portsentry listens on port 22, while openSSH-server has another port.
> Every port scan attempt will result in a ban via iptables and every
> connection to port 22 will also result in a ban via iptables.
I decided to follow this and on the weekend iptables blocked about 70
IPs. I am afraid that after some time the box will be DOSed by the
crowded INPUT chain.
As I didn't find any mechanism in Lenny's portsentry package to
automatically unblock the IPs, I would try the following cron script:
- ---cut---
#!/bin/bash
# Delete every INPUT rule except the last 20, then restart portsentry.
# "head -n -20" prints all but the last 20 lines; "tail -n -20" would print
# only the last 20, i.e. exactly the rules that should be kept.
# This assumes the bans are appended (-A), so the newest are listed last; if
# KILL_ROUTE inserts with "-I INPUT" the newest are first and "tail -n +21"
# is the right filter instead.
/sbin/iptables-save | grep "^-A INPUT" | \
head -n -20 | sed "s/^-A/-D/" | \
while read -r line; do
    # unquoted on purpose: $line holds the separate iptables arguments
    /sbin/iptables $line
done
/etc/init.d/portsentry restart
- ---cut---
This will keep the last 20 entries and skip everything else before
restarting portsentry.
However, I would greatly prefer a "straightforward Debian way" to
smoothly delete the portsentry rules. Any ideas?
TIA
- --
bye maik
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Signature of Maik Holtkamp
iEYEARECAAYFAkpa+okACgkQz3bq6aadmI/PIQCeIm1E8e7jMoUGfxOq63///ERP
9ZYAn1bWCL6y91Y19ITvqiwZXPV9nkoU
=V2tw
-----END PGP SIGNATURE-----
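An added example, not part of Maik's mail and not code from the portsentry package: a small POSIX sh script that expires only the ban rules and leaves the rest of the INPUT chain alone. It assumes portsentry's KILL_ROUTE adds bans as `iptables -I INPUT -s <ip> -j DROP`, which iptables-save lists as `-A INPUT -s <ip>/32 -j DROP` with the newest ban first; the function names `ban_rules` and `expired_bans`, the `--run` switch, the `KEEP` variable and the sample iptables-save output are all mine, and the sample is constructed rather than captured from a real host. What it adds to the script in the mail is that `grep "^-A INPUT"` matches every INPUT rule (loopback, ESTABLISHED, the moved SSH port), not just bans, and that which end of the list holds the old bans depends on whether KILL_ROUTE uses -I or -A.

```shell
#!/bin/sh
# Added example (not from the original mail or from portsentry): expire old
# portsentry bans without touching the other INPUT rules.
#
# Assumption: bans were added by portsentry's KILL_ROUTE as
#     iptables -I INPUT -s <ip> -j DROP
# which iptables-save lists as "-A INPUT -s <ip>/32 -j DROP". With -I the
# newest ban is at the top of the chain; with -A it would be at the bottom.

# Select only the ban rules from iptables-save output on stdin.
ban_rules() {
    grep -E '^-A INPUT -s [0-9.]+(/[0-9]+)? -j DROP$'
}

# Print "-D ..." arguments for every ban except the $1 most recent ones.
# $2 is 1 (default) when bans were inserted with -I (newest first), 0 when
# they were appended with -A (oldest first).
expired_bans() {
    keep="$1"
    newest_first="${2:-1}"
    ban_rules | awk -v keep="$keep" -v nf="$newest_first" '
        { rule[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                # newest first: expire everything after the first keep lines;
                # oldest first: expire everything before the last keep lines.
                if (nf == 1 ? i > keep : i <= NR - keep) {
                    sub(/^-A/, "-D", rule[i])
                    print rule[i]
                }
            }
        }'
}

# Constructed iptables-save output for a dry run (not captured from a real
# host): three bans inserted with -I, newest first, plus the rules that the
# original script's grep "^-A INPUT" would also have matched.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.9/32 -j DROP
-A INPUT -s 198.51.100.4/32 -j DROP
-A INPUT -s 192.0.2.7/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 2222 -j ACCEPT
COMMIT'

if [ "${1:-}" = "--run" ]; then
    # Live mode, e.g. from cron: keep the KEEP newest bans (default 20),
    # delete the rest, then restart portsentry as the original script does.
    /sbin/iptables-save | expired_bans "${KEEP:-20}" 1 | while read -r rule; do
        # unquoted on purpose: $rule holds the separate iptables arguments
        /sbin/iptables $rule
    done
    /etc/init.d/portsentry restart
else
    # Dry run on the constructed sample: prints the one ban to expire
    printf '%s\n' "$SAMPLE_SAVE" | expired_bans 2 1
fi
```

Invoked without arguments it only runs the dry run on the sample; from cron call it with `--run` (and optionally `KEEP=50` in the environment). If your KILL_ROUTE appends with `-A` instead of `-I`, pass `0` as the second argument of `expired_bans` in the live branch, otherwise the newest bans are the ones deleted.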