Re: iptables question

To: Napoleon <rri0187@attglobal.net>
Cc: debian-user@lists.debian.org
Subject: Re: iptables question
From: mouss <mouss@ml.netoyen.net>
Date: Thu, 01 Jan 2009 15:41:33 +0100
Message-id: <[🔎] 495CD61D.2040609@ml.netoyen.net>
Reply-to: mouss-nobulk@netoyen.net
In-reply-to: <[🔎] 495CC91E.4040007@attglobal.net>
References: <20081220041922.GH1965@turki.gavron.org> <[🔎] 495CC91E.4040007@attglobal.net>

Napoleon a écrit :
> I'll admit I'm still pretty green at a lot of this (lots of experience
> in computers, little in Linux) and don't understand everything.  But I'm
> trying to learn, so please go easy on me :-)
> 
> I've been having a problem with dictionary hacker attempts on my system
> (hundreds or even thousands a day), so I implemented the following rules:
> 
> # Kill ssh hackers - watch for more than 3 connection attempts in under
> # 15 minutes seconds and reject for 24 hours
> iptables -N SSH-EVIL
> iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level
> DEBUG --log-prefix "evil SSH user: "
> iptables -A SSH-EVIL -j REJECT
> 
> iptables -N SSH
> iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds
> 86400 -j REJECT
> iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds
> 900 --hitcount 3 -j SSH-EVIL
> iptables -A SSH -p tcp --syn -m recent --name sshconn --set
> iptables -A SSH -p tcp --syn -j ACCEPT
> 
> And something similar for ftp.  These work well.  But I'm also getting
> people trying to break in via the POP interface (I'm using qpopper).  So
> I tried the following, which does not work:
> 
> iptables -N POP-EVIL
> iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level
> DEBUG --log-prefix "evil POP user: "
> iptables -A POP-EVIL -j REJECT
> 
> iptables -N POP
> iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP
> --rcheck --seconds 86400 -j REJECT
> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn
> --rcheck --seconds 900 --hitcount 5 -j POP-EVIL
> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set
> iptables -A FTP -p tcp --syn -j ACCEPT
> 
> So my question is - what am I doing wrong in the POP interface, and how
> can I stop it here, also.
> 
> 

If the attacker uses a single connection to the POP3 server, then the
above won't help. it will only work if your POP3 disconnects after say 3
attempts.

Reply to:

References:
- iptables question
  - From: Napoleon <rri0187@attglobal.net>

Prev by Date: Re: Hmm...
Next by Date: [SOLVED: obexftp must die] Re: phone simens ME45 and obexftp via USB
Previous by thread: iptables question
Next by thread: Re: iptables question
Index(es):
- Date
- Thread