Temporarily Disable IP [ANOTHER SOLUTION] - Debian


Thread: Temporarily Disable IP [ANOTHER SOLUTION]

  1. Temporarily Disable IP [ANOTHER SOLUTION]


    Another solution besides using DenyHosts is to use the following set of
    iptables commands. (Courtesy: A friend who constantly monitors this list
    but wants to remain anonymous)

    ## create denylog chain: log the packet, then drop it
    iptables -N denylog
    iptables -A denylog -j LOG
    iptables -A denylog -j DROP

    ## SSH Bruteforce
    iptables -N SSH_WHITELIST
    # whitelisted network: forget any hits recorded for it and accept
    iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
    # record every NEW connection to port 22 in the "SSH" recent list
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    # 4th NEW connection from one source within 60 s (--hitcount 4, same TTL via --rttl): log and drop
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog



    Creates a whitelist of one or more networks. All others are subject to
    inspection. More than 4 hits within 60 seconds are denied. In case of 60
    seconds without a hit, this rule is automatically cleared again. That's
    the magic of the "recent" module of iptables. It works for me - and it's
    very useful!

    Thanks,

    rrs
    --
    Ritesh Raj Sarraf
    RESEARCHUT -- http://www.researchut.com
    Gnupg Key ID: 04F130BC
    "Stealing logic from one person is plagiarism, stealing from many is
    research."
    "Necessity is the mother of invention."


    --
    To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Re: Temporarily Disable IP [ANOTHER SOLUTION]

    Interested in trying this, but can't seem to get it to work. I see
    packets hitting the --set --name SSH rule, but the drop following it
    never sees any packets. (using iptables -L -n -v). Seems like it should
    work, looks like I've got all the modules loaded that I need...

    phil

    Ritesh Raj Sarraf said:
    > Another solution besides using DenyHosts is to use the following set of
    > iptables commands. (Courtesy: A friend who constantly monitors this list
    > but wants to remain anonymous)
    >
    > ## create denylog chain
    > iptables -N denylog
    > iptables -A denylog -j LOG
    > iptables -A denylog -j DROP
    >
    > ## SSH Bruteforce
    > iptables -N SSH_WHITELIST
    > iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
    > iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    > iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    > iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog
    >
    >
    >
    > Creates a whitelist of one or more networks. All others are subject to
    > inspection. More than 4 hits within 60 seconds are denied. In case of 60
    > seconds without a hit, this rule is automatically cleared again. That's
    > the magic of the "recent" module of iptables. It works for me - and it's
    > very useful!
    >
    > Thanks,
    >
    > rrs


    --

    phil




  3. Re: Temporarily Disable IP [ANOTHER SOLUTION]


    What's your iptables version?


    Phil Dyer on Monday 10 Oct 2005 01:17 wrote:

    > Interested in trying this, but can't seem to get it to work. I see
    > packets hitting the --set --name SSH rule, but the drop following it
    > never sees any packets. (using iptables -L -n -v). Seems like it should
    > work, looks like I've got all the modules loaded that I need...
    >
    > phil
    >


    --
    Ritesh Raj Sarraf
    RESEARCHUT -- http://www.researchut.com
    Gnupg Key ID: 04F130BC
    "Stealing logic from one person is plagiarism, stealing from many is
    research."
    "Necessity is the mother of invention."



  4. Re: Temporarily Disable IP [ANOTHER SOLUTION]

    Ritesh Raj Sarraf said:
    > What's your iptables version ?


    sarge 1.2.11-10.





  5. Re: Temporarily Disable IP [ANOTHER SOLUTION]


    Phil Dyer on Monday 10 Oct 2005 06:40 wrote:

    > Ritesh Raj Sarraf said:
    >> What's your iptables version ?

    >
    > sarge 1.2.11-10.


    Then it has to work.
    I'm using the same and am very happy. The attacks have gone down by 90%
    because all were from automated scripts.

    Please re-check the commands you're using.

    ## create denylog chain
    iptables -N denylog
    iptables -A denylog -j LOG
    iptables -A denylog -j DROP

    ## SSH Bruteforce
    iptables -N SSH_WHITELIST
    iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog



    Creates a whitelist of one or more networks. All others are subject to
    inspection. More than 4 hits within 60 seconds are denied. In case of 60
    seconds without a hit, this rule is automatically cleared again. That's
    the magic of the "recent" module of iptables. It works for me - and it's
    very useful!

    HTH,

    rrs
    --
    Ritesh Raj Sarraf
    RESEARCHUT -- http://www.researchut.com
    Gnupg Key ID: 04F130BC
    "Stealing logic from one person is plagiarism, stealing from many is
    research."
    "Necessity is the mother of invention."



  6. Re: Temporarily Disable IP [ANOTHER SOLUTION]

    Ritesh Raj Sarraf said:
    > Phil Dyer on Monday 10 Oct 2005 06:40 wrote:
    >
    >>> Ritesh Raj Sarraf said:
    >>>> What's your iptables version ?
    >>>
    >>> sarge 1.2.11-10.

    >
    > Then it has to work.


    It does. If I could count to 4, I'd be dangerous.


    --

    phil




  7. Re: Temporarily Disable IP [ANOTHER SOLUTION]


    Phil Dyer on Tuesday 11 Oct 2005 06:36 wrote:

    > it does. If I could count to 4, I'd be dangerous.


    If you count to 4 _within_ sixty seconds.
    I don't think a genuine user would log in 4 times within sixty seconds.

    rrs
    --
    Ritesh Raj Sarraf
    RESEARCHUT -- http://www.researchut.com
    Gnupg Key ID: 04F130BC
    "Stealing logic from one person is plagiarism, stealing from many is
    research."
    "Necessity is the mother of invention."



  8. Re: Temporarily Disable IP [ANOTHER SOLUTION]

    Ritesh Raj Sarraf said:
    > Phil Dyer on Tuesday 11 Oct 2005 06:36 wrote:
    >
    >>> it does. If I could count to 4, I'd be dangerous.

    >
    > If you count to 4 _within_ sixty seconds.
    > I don't think a genuine user would log in 4 times within sixty seconds.


    What I was doing to test was ssh'ing from another box that I manage. ssh
    gives you three login attempts before giving up. I was counting that as
    3 attempts. Of course, all three of those are in the same TCP session,
    so there's only one SYN packet there. Duh. Anyway, seems to work as
    advertised. Thanks.

    --

    phil




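An added example, not from the thread or its authors: a small Python model of the counting the posted rules perform (the xt_recent --set/--remove/--update steps with --seconds 60 --hitcount 4 and the 10.0.1.0/24 whitelist), run over a constructed sequence of NEW port-22 connections so the behaviour described in post 1 and the one-SYN-per-session pitfall from post 8 can be checked offline. It assumes one hit per new TCP connection, does not model --rttl, and uses the kernel's default 20-stamp list size as its assumed limit.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

SECONDS, HITCOUNT = 60, 4                 # --seconds 60 --hitcount 4 from the post
WHITELIST = [ip_network("10.0.1.0/24")]   # the -s network in SSH_WHITELIST


class RecentTable:
    """One named xt_recent list: per-source timestamps of NEW SSH connections."""

    def __init__(self, max_stamps=20):    # assumed: kernel default ip_pkt_list_tot
        self.stamps = defaultdict(lambda: deque(maxlen=max_stamps))

    def set(self, src, now):              # --set: record this packet's time
        self.stamps[src].append(now)

    def remove(self, src):                # --remove: forget the source entirely
        self.stamps.pop(src, None)

    def update(self, src, now):           # --update --seconds --hitcount (--rttl not modelled)
        recent = [t for t in self.stamps.get(src, ()) if now - t <= SECONDS]
        return len(recent) >= HITCOUNT    # match: HITCOUNT or more hits inside the window


def filter_ssh(events):
    """events: (seconds, source_ip) per NEW connection to port 22, in time order.
    Returns one verdict per event, following the posted INPUT rule order."""
    table, verdicts = RecentTable(), []
    for now, src in events:
        table.set(src, now)                                   # rule 1: --set --name SSH
        if any(ip_address(src) in net for net in WHITELIST):  # rule 2: -j SSH_WHITELIST
            table.remove(src)
            verdicts.append("ACCEPT")
        elif table.update(src, now):                          # rule 3: --update ... -j denylog
            verdicts.append("LOG+DROP")
        else:
            verdicts.append("PASS")                           # on to the rest of INPUT
    return verdicts


# Constructed sample (not real traffic). One SYN is one hit, so the three password
# tries inside a single SSH session (post 8) would appear as just one event here.
SAMPLE_EVENTS = [
    (0, "198.51.100.7"), (3, "198.51.100.7"), (7, "198.51.100.7"),
    (12, "198.51.100.7"),    # 4th NEW connection within 60 s: logged and dropped
    (20, "10.0.1.5"),        # whitelisted network: accepted, removed from the list
    (25, "198.51.100.7"),    # still 4+ hits inside the window: still dropped
    (90, "198.51.100.7"),    # 65 s after its last hit, the window is empty: passes
    (100, "203.0.113.9"), (200, "203.0.113.9"), (300, "203.0.113.9"),
    (400, "203.0.113.9"),    # a real user spaced over minutes is never blocked
]
```

Calling filter_ssh(SAMPLE_EVENTS) returns one verdict per event; the scanner's fourth connection in 12 seconds is the first one to reach denylog, while the whitelisted host and the slow, genuine user are never dropped.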