
Cleanup portsentry's iptables rules (WAS: HEAD's UP: possible 0day SSH exploit in the wild)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Clemens Pfaffinger wrote on 07.07.2009 23:23:

> this is standard for me. I always change the port of the openSSH-server.
> 
> My (current) solution is:
> Portsentry listens on port 22, while openSSH-server has another port.
> Every port scan attempt will result in a ban via iptables and every
> connection to port 22 will also result in a ban via iptables.

I decided to follow this, and over the weekend iptables blocked about 70
IPs. I am afraid that after some time the box will be DoSed by the
crowded INPUT chain.

As I didn't find any mechanism in Lenny's portsentry package to
automatically de-block the IPs, I would try the following cron script:

---cut---
#!/bin/bash
# Delete every INPUT rule except the 20 newest, then restart portsentry.
# portsentry's KILL_ROUTE inserts bans with "iptables -I", so the newest
# ban is listed first by iptables-save; "tail -n +21" therefore selects
# everything after the first 20 rules. (If your KILL_ROUTE appends with
# -A instead, the newest rule is last: use "head -n -20" there.)

/sbin/iptables-save | grep "^-A INPUT" | \
    tail -n +21 | sed "s/^-A/-D/" | \
    while read -r line; do
        /sbin/iptables $line
    done

/etc/init.d/portsentry restart
---cut---

This will keep the last 20 entries and skip everything else before
restarting portsentry.

However, I would greatly prefer a "straightforward Debian way" to
smoothly delete the portsentry rules. Any ideas?

TIA

--
bye maik
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Signature of Maik Holtkamp

iEYEARECAAYFAkpa+okACgkQz3bq6aadmI/PIQCeIm1E8e7jMoUGfxOq63///ERP
9ZYAn1bWCL6y91Y19ITvqiwZXPV9nkoU
=V2tw
-----END PGP SIGNATURE-----
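A variation on the pruning idea above, added here as an example and not part of the original post: instead of touching every `-A INPUT` rule, it only selects rules that have the shape of a portsentry ban and leaves hand-written INPUT rules (the loopback ACCEPT, the rule for the moved SSH port) alone. It reads `iptables-save` text from stdin and only prints the delete commands, so it can be dry-run without root; the sample chain is constructed. It assumes bans look like `-A INPUT -s <ip>/32 -j DROP` and that they were inserted with `iptables -I` (newest first), which is what a `KILL_ROUTE` of `/sbin/iptables -I INPUT -s $TARGET$ -j DROP` produces; check your own `portsentry.conf`.

```shell
#!/bin/sh
# Added example, not the original post's script.
# prune_bans KEEP: read iptables-save output on stdin and print the
# "iptables -D" commands that remove every portsentry-style ban except the
# newest KEEP ones. Assumptions: a ban is "-A INPUT -s <ip>/32 -j DROP", and
# because portsentry inserts with "-I", the newest ban is listed first, so
# "tail -n +(KEEP+1)" yields the older bans. Rules of any other shape
# (ACCEPT rules, rules with -i or -p) are never selected.
prune_bans() {
    keep="$1"
    grep -E '^-A INPUT -s [0-9.]+/32 -j DROP$' |
        tail -n +"$((keep + 1))" |
        sed 's|^-A INPUT|/sbin/iptables -D INPUT|'
}

# Constructed sample of iptables-save output: two hand-written rules plus
# four bans, newest (192.0.2.13) at the top of the chain.
SAMPLE='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.13/32 -j DROP
-A INPUT -s 192.0.2.12/32 -j DROP
-A INPUT -s 192.0.2.11/32 -j DROP
-A INPUT -s 192.0.2.10/32 -j DROP
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
COMMIT'

# Dry run on the sample, keeping the two newest bans: prints the delete
# commands for 192.0.2.11 and 192.0.2.10 only.
printf '%s\n' "$SAMPLE" | prune_bans 2

# Real use from cron, applying the commands as root:
#   /sbin/iptables-save | prune_bans 20 | sh && /etc/init.d/portsentry restart
```

Because the output is plain shell, the cron job can log it before piping it to `sh`, which gives a record of which bans were lifted and when.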

