
Re: iptables question



On Thu, Jan 1, 2009 at 5:44 PM, David Schmidt <davewood@gmx.at> wrote:
> Here is how I implemented it, coincidentially today :)
>
>
>        # Allow already established traffic
>        $IPTABLES -A INPUT -p TCP -m state --state ESTABLISHED -j ACCEPT
>
>        # No more than 2 connection attempts per 2
>        # minutes to prevent brute force attacks
>        # log blocked attempts to /var/log/kern.log
>        $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW \
>                -m recent --name blacklist --set
>        $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW \
>                -m recent --name blacklist --rcheck --seconds 120 --hitcount 3 \
>                -j LOG --log-level 5 --log-prefix "max con attempts exceeded: "
>        $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW \
>                -m recent --name blacklist --update --seconds 120 --hitcount 3 -j DROP
>
>        # only allow connections to localhost on $SSH_PORT if IP has
>        # knocked on $SSH_KNOCK_PORT within the last 60 seconds
>        $IPTABLES -A INPUT -p TCP --dport $SSH_KNOCK_PORT -m state --state NEW \
>                -m recent --name knocklist --set
>        $IPTABLES -A INPUT -p TCP --dport $SSH_PORT -m state --state NEW \
>                -m recent --name knocklist --rcheck --seconds 60 -j ACCEPT
>
>
> the latter one can also be achieved using the debian package "knockd"
>
>
>
> On Thu, Jan 1, 2009 at 4:51 PM, Justin Piszcz <jpiszcz@lucidpixels.com> wrote:
>>
>>
>> On Thu, 1 Jan 2009, Napoleon wrote:
>>
>>> I'll admit I'm still pretty green at a lot of this (lots of experience in
>>> computers, little in Linux) and don't understand everything.  But I'm trying
>>> to learn, so please go easy on me :-)
>>>
>>> I've been having a problem with dictionary hacker attempts on my system
>>> (hundreds or even thousands a day), so I implemented the following rules:
>>>
>>> # Kill ssh hackers - watch for more than 3 connection attempts in under
>>> # 15 minutes and reject for 24 hours
>>> iptables -N SSH-EVIL
>>> iptables -A SSH-EVIL -m recent --name badSSH --set \
>>>     -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
>>> iptables -A SSH-EVIL -j REJECT
>>>
>>> iptables -N SSH
>>> iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 86400 -j REJECT
>>> iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 900 --hitcount 3 -j SSH-EVIL
>>> iptables -A SSH -p tcp --syn -m recent --name sshconn --set
>>> iptables -A SSH -p tcp --syn -j ACCEPT
>>>
>>> And something similar for ftp.  These work well.  But I'm also getting
>>> people trying to break in via the POP interface (I'm using qpopper).  So I
>>> tried the following, which does not work:
>>>
>>> iptables -N POP-EVIL
>>> iptables -A POP-EVIL -m recent --name badPOP --set \
>>>     -j LOG --log-level DEBUG --log-prefix "evil POP user: "
>>> iptables -A POP-EVIL -j REJECT
>>>
>>> iptables -N POP
>>> iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP --rcheck --seconds 86400 -j REJECT
>>> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --rcheck --seconds 900 --hitcount 5 -j POP-EVIL
>>> iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set
>>> iptables -A FTP -p tcp --syn -j ACCEPT
>>>
>>> So my question is - what am I doing wrong in the POP interface, and how
>>> can I stop it here, also.
>>>
>>>
>>
>> Solution: apt-get install fail2ban (read up on the docs, it can drop IPs
>> based on attempts etc)
>>
>> Justin.
>>


Sorry for top posting, Gmail does this by default.
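The two rule sets quoted in this thread order `--set` and `--rcheck` differently and use different matches for the ban itself (`--update` in the first, `--rcheck` in the second), which changes which attempt gets blocked and whether retries extend the block. The following Python model is added here as an illustration and is not code from any message in the thread. It assumes the documented xt_recent semantics (`--set` records a hit; `--rcheck` matches when the address has at least `--hitcount` hits within `--seconds`; `--update` matches the same way but also records a new hit on match; at most ip_pkt_list_tot, default 20, hits are kept per address), models only new SYNs, and reports a packet that no rule accepts as "POLICY". The addresses 10.0.0.5 and 10.0.0.6 and both timelines are constructed.

```python
"""Trace the iptables `recent` match over constructed timelines of SYNs.

Added illustration for the rule sets quoted in this thread; not code from
the thread. Modelled semantics (iptables-extensions(8), xt_recent):
  --set     record a hit for the source address (always matches)
  --rcheck  match if the address is listed and, with --seconds N, has a hit
            in the last N seconds; with --hitcount H, at least H such hits
  --update  like --rcheck, but on a match also record a new hit
The kernel remembers at most ip_pkt_list_tot (default 20) hits per address.
Only new SYNs are modelled; a packet no rule accepts is reported as POLICY.
"""
from collections import deque

PKT_LIST_TOT = 20   # xt_recent default: hits remembered per address


class RecentTable:
    """One named `recent` list: address -> hit timestamps, newest first."""

    def __init__(self, name):
        self.name = name
        self.hits = {}

    def set(self, addr, now):
        self.hits.setdefault(addr, deque(maxlen=PKT_LIST_TOT)).appendleft(now)

    def check(self, addr, now, seconds=None, hitcount=None, update=False):
        """--rcheck (update=False) or --update (update=True)."""
        stamps = self.hits.get(addr)
        if not stamps:
            return False
        fresh = 0
        matched = False
        for t in stamps:
            if seconds is not None and now - t > seconds:
                continue                  # older than the window: ignored
            fresh += 1
            if hitcount is None or fresh >= hitcount:
                matched = True
                break
        if matched and update:
            stamps.appendleft(now)        # --update restamps on every match
        return matched


def schmidt_chain(blacklist, knocklist, addr, now, port):
    """David Schmidt's INPUT rules, in the order posted, for one new SYN."""
    if port == "knock":
        knocklist.set(addr, now)          # --set has no -j: packet continues
        return "POLICY"
    blacklist.set(addr, now)              # every new SSH SYN is recorded first
    if blacklist.check(addr, now, seconds=120, hitcount=3):           # -j LOG
        blacklist.check(addr, now, seconds=120, hitcount=3, update=True)
        return "LOG+DROP"                                             # -j DROP
    if knocklist.check(addr, now, seconds=60):
        return "ACCEPT"
    return "POLICY"


def napoleon_chain(badssh, sshconn, addr, now):
    """Napoleon's SSH chain for one SYN (the ESTABLISHED rule is skipped)."""
    if badssh.check(addr, now, seconds=86400):
        return "REJECT"                               # still banned
    if sshconn.check(addr, now, seconds=900, hitcount=3):
        badssh.set(addr, now)                         # SSH-EVIL: mark, log, reject
        return "REJECT+LOG"
    sshconn.set(addr, now)                            # recorded after the check
    return "ACCEPT"


def schmidt_scenario():
    """Constructed: 10.0.0.5 knocks, opens three SSH connections in three
    seconds, retries about every 100 s, waits, then knocks again."""
    blacklist, knocklist = RecentTable("blacklist"), RecentTable("knocklist")
    timeline = [(0, "knock"), (1, "ssh"), (2, "ssh"), (3, "ssh"), (110, "ssh"),
                (200, "ssh"), (350, "ssh"), (351, "knock"), (352, "ssh")]
    return [schmidt_chain(blacklist, knocklist, "10.0.0.5", t, p) for t, p in timeline]


def napoleon_scenario():
    """Constructed: 10.0.0.6 opens four SSH connections in four seconds,
    retries after 500 s, and again a little over a day later."""
    badssh, sshconn = RecentTable("badSSH"), RecentTable("sshconn")
    return [napoleon_chain(badssh, sshconn, "10.0.0.6", t)
            for t in (0, 1, 2, 3, 500, 90000)]


if __name__ == "__main__":
    print("Schmidt :", schmidt_scenario())
    print("Napoleon:", napoleon_scenario())
```

Running it shows the difference the rule order makes: the first set records the SYN before it checks, so the third attempt within 120 seconds is already dropped, and because the DROP rule uses `--update`, each blocked retry is restamped, so a client retrying every 100 seconds never ages out of the window. The second set checks before it records, so three attempts within 900 seconds are accepted and the fourth goes to SSH-EVIL; its 24-hour badSSH ban uses `--rcheck`, so retries during the ban do not extend it.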

