[Linux] Firewall Rule or App?
Joey
linux@flux.org
Tue, 12 Jun 2007 11:45:44 -0400
OK this app does exactly what it's supposed to do and it's pretty slick.
I have 2 issues:
1. I already had ALL:ALL in hosts.deny because I use a hosts.allow file specifying those allowed to log in.
I guess I didn't like seeing all those entries in messages.
This really won't help me right?
2. I also want to do this for vsftpd entries when people try to brute-force FTP; can this be done with this app as well?
From an outside idea, can this also be done for, let's say, people who email you and you get an invalid user email, but that same IP sends you multiple invalids, so you know it's spam?
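Issue 1 above turns on how a tool that appends entries to hosts.deny interacts with a hosts.allow allowlist plus ALL: ALL. The following is an added example, not code from this thread, from tcp_wrappers or from DenyHosts: a simplified model of the hosts_access(5) decision, run over constructed hosts.allow/hosts.deny contents shaped like the setup described (the 192.0.2.x and 10.0.0.0/8 addresses, the EXCEPT clause and the service names are assumptions). DenyHosts records the addresses it blocks in hosts.deny; the model shows that a line appended there changes nothing for an address already covered by ALL: ALL, and nothing for an address listed in hosts.allow either, because hosts.allow is consulted first.

```python
"""Simplified model of the tcp_wrappers access decision (hosts_access(5)).

Added example; not the thread's code and not tcp_wrappers or DenyHosts code.
hosts.allow is consulted first, then hosts.deny; a client matching neither
is allowed.  Modelled: ALL, exact names/addresses, trailing-dot address
prefixes ("192.0.2."), net/mask pairs and one EXCEPT per list.  Left out:
LOCAL, KNOWN, UNKNOWN, PARANOID, continuation lines, the command field.
"""
import ipaddress


def match_token(token, value):
    """One pattern token against a daemon name or a client address."""
    if token == "ALL":
        return True
    if token.endswith("."):                 # address prefix, e.g. "192.0.2."
        return value.startswith(token)
    if "/" in token:                        # net/mask, e.g. 10.0.0.0/255.0.0.0
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    return token == value


def match_list(pattern_list, value):
    """'a b EXCEPT c' matches value when a or b matches and c does not."""
    head, _, tail = pattern_list.partition("EXCEPT")
    hit = any(match_token(t, value) for t in head.replace(",", " ").split())
    if hit and tail.strip():
        hit = not any(match_token(t, value) for t in tail.replace(",", " ").split())
    return hit


def rules(text):
    """Yield (daemon_list, client_list) from a hosts.allow/hosts.deny body."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and ":" in line:
            daemon_list, client_list = line.split(":", 2)[:2]
            yield daemon_list, client_list


def file_matches(text, daemon, client):
    """True if any rule in the file matches the (daemon, client) pair."""
    return any(match_list(d, daemon) and match_list(c, client) for d, c in rules(text))


def access_allowed(hosts_allow, hosts_deny, daemon, client):
    """The hosts_access(5) order: allow wins, then deny, then default allow."""
    if file_matches(hosts_allow, daemon, client):
        return True
    if file_matches(hosts_deny, daemon, client):
        return False
    return True


# Constructed files in the shape of the setup in the thread: an allow list
# in hosts.allow and ALL: ALL in hosts.deny.  Addresses are assumptions.
HOSTS_ALLOW = """\
sshd:   192.0.2.10, 10.0.0.0/255.0.0.0 EXCEPT 10.9.9.9
vsftpd: 192.0.2.
"""
HOSTS_DENY = "ALL: ALL\n"
# DenyHosts appends lines of this form to hosts.deny after repeated failures.
HOSTS_DENY_PLUS = HOSTS_DENY + "sshd: 60.13.190.54\n"


def decisions():
    """(daemon, client) -> (allowed before the appended line, allowed after)."""
    cases = [("sshd", "60.13.190.54"), ("sshd", "192.0.2.10"),
             ("sshd", "10.20.30.40"), ("sshd", "10.9.9.9"),
             ("vsftpd", "192.0.2.55"), ("vsftpd", "60.13.190.54")]
    return {(d, c): (access_allowed(HOSTS_ALLOW, HOSTS_DENY, d, c),
                     access_allowed(HOSTS_ALLOW, HOSTS_DENY_PLUS, d, c))
            for d, c in cases}


if __name__ == "__main__":
    for pair, (before, after) in decisions().items():
        print(pair, "before:", before, "after:", after)
```

Every pair comes out the same before and after the appended line: with ALL: ALL in hosts.deny the only addresses that can ever connect are the ones in hosts.allow, and those are allowed regardless of what hosts.deny says. For such a setup, extra deny entries only matter once the ALL: ALL line is removed.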
-----Original Message-----
From: linux-admin@flux.org [mailto:linux-admin@flux.org] On Behalf Of Nicholas Saraniti
Sent: Friday, May 18, 2007 9:12 AM
To: linux@flux.org
Subject: Re: [Linux] Firewall Rule or App?
Yes, it's called DenyHosts:
denyhosts.sourceforge.net
Joey wrote:
>
> I remember a while back ago someone had a small script which would
> detect someone trying to hack into a server and block them for a set
> period of time automatically.
>
> Does anyone have reference to this or the script?
>
> Maybe we can do this via iptables, but we just don't have the experience.
>
> Currently when we physically see this type of activity:
>
> May 18 08:33:53 venus vsftpd(pam_unix)[29390]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
>
> May 18 08:33:54 venus vsftpd(pam_unix)[29393]: check pass; user unknown
>
> May 18 08:33:54 venus vsftpd(pam_unix)[29393]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
>
> May 18 08:33:55 venus vsftpd(pam_unix)[29395]: check pass; user unknown
>
> May 18 08:33:55 venus vsftpd(pam_unix)[29395]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
>
> May 18 08:33:55 venus vsftpd(pam_unix)[29388]: check pass; user unknown
>
> May 18 08:33:55 venus vsftpd(pam_unix)[29388]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
>
> May 18 08:33:56 venus vsftpd(pam_unix)[29379]: check pass; user unknown
>
> We go and add an entry to a file which utilizes iptables and then
> reload that file which executes:
>
> iptables -t filter -A OUTPUT -d 60.13.190.54 -j LOG --log-prefix HACK-BLOCK-1200
>
> iptables -t filter -A OUTPUT -d 60.13.190.54 -j DROP
>
> Resulting in stopping the hacker:
>
> May 18 08:40:08 mars kernel: HACK-BLOCK-1200IN= OUT=eth0 SRC=208.244.164.44 DST=60.13.190.54 LEN=74 TOS=0x00 PREC=0x00 TTL=64 ID=58286 DF PROTO=TCP SPT=21 DPT=35075 WINDOW=1448 RES=0x00 ACK PSH URGP=0
>
> May 18 08:40:08 mars kernel: HACK-BLOCK-1200IN= OUT=eth0 SRC=208.244.165.58 DST=60.13.190.54 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=8969 DF PROTO=TCP SPT=21 DPT=34306 WINDOW=1448 RES=0x00 ACK PSH URGP=0
>
> May 18 08:40:08 mars kernel: HACK-BLOCK-1200IN= OUT=eth0 SRC=208.244.165.58 DST=60.13.190.54 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=8971 DF PROTO=TCP SPT=21 DPT=34306 WINDOW=1448 RES=0x00 ACK PSH FIN URGP=0
>
> May 18 08:40:09 mars kernel: HACK-BLOCK-1200IN= OUT=eth0 SRC=208.244.165.49 DST=60.13.190.54 LEN=88 TOS=0x00 PREC=0x00 TTL=64 ID=2578 DF PROTO=TCP SPT=21 DPT=49626 WINDOW=1448 RES=0x00 ACK PSH URGP=0
>
> Any ideas would be appreciated…
>
> Joey
>
-- 
-------------------------------------
Nicholas M Saraniti
Director of Operations
Commcare Pharmacy
Ph: (888)203-7973
Fx: (888)203-7980
Nick@CommcarePharmacy.com
-------------------------------------
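The quoted thread above asks for a script that blocks an address for a set period after repeated failures, and the top post asks whether the same can be done for vsftpd. What follows is an added example, not code from the thread or from DenyHosts: a small Python detector over pam_unix "authentication failure" lines (vsftpd and sshd log them in the same shape), with a failure threshold inside a sliding window and a timed unban. Its sample log reuses the vsftpd lines quoted above and adds constructed entries; the threshold of five failures in 60 seconds, the 1200-second ban and the sshd line are assumptions. Two changes from the quoted rules are deliberate. The block goes in INPUT matched on -s rather than OUTPUT matched on -d: an INPUT DROP discards the attacker's packets before the kernel answers them, so there are no half-open connections or retransmitted replies to log, whereas the OUTPUT rule only discards the server's own replies, which is what the quoted kernel lines (SPT=21, ACK PSH) show being dropped. And the --log-prefix ends in a space so that it does not run into "IN=" in the kernel log, as "HACK-BLOCK-1200IN=" does above.

```python
"""Detector for pam_unix "authentication failure" lines with timed iptables bans.

Added example; not code from the thread or from DenyHosts.  Assumptions:
syslog timestamps carry no year (the caller supplies it), the service name
is the token before "(pam_unix)", and the thresholds below are illustrative.
"""
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<service>[\w.-]+)\(pam_unix\)\[\d+\]: authentication failure;"
    r".*\brhost=(?P<rhost>\S+)"
)


def parse_ts(stamp, year):
    """Syslog timestamp ("May 18 08:33:53") plus year -> datetime."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_failures(lines, year):
    """Yield (timestamp, service, rhost) for every pam_unix failure line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield parse_ts(m["ts"], year), m["service"], m["rhost"]


class BruteForceBlocker:
    """Counts failures per address in a sliding window and manages timed bans."""

    def __init__(self, threshold=5, window_seconds=60, ban_seconds=1200,
                 log_prefix="HACK-BLOCK-1200 "):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.ban = timedelta(seconds=ban_seconds)
        self.log_prefix = log_prefix        # trailing space keeps it off "IN="
        self.failures = defaultdict(deque)  # rhost -> recent failure times
        self.banned = {}                    # rhost -> time the ban expires

    def rules(self, verb, rhost):
        """iptables argv lists to add (-A) or delete (-D) the block in INPUT.
        Matching the source address in INPUT drops the attacker's packets
        before the kernel answers them."""
        base = ["iptables", "-t", "filter", verb, "INPUT", "-s", rhost]
        return [base + ["-j", "LOG", "--log-prefix", self.log_prefix],
                base + ["-j", "DROP"]]

    def observe(self, ts, rhost):
        """Record one failure; return the commands to run now, if any."""
        if rhost in self.banned:
            return []
        recent = self.failures[rhost]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) < self.threshold:
            return []
        self.banned[rhost] = ts + self.ban
        recent.clear()
        return self.rules("-A", rhost)

    def expire(self, now):
        """Return the commands that lift every ban whose period has passed."""
        cmds = []
        for rhost, until in list(self.banned.items()):
            if now >= until:
                cmds.extend(self.rules("-D", rhost))
                del self.banned[rhost]
        return cmds


def process(lines, year, blocker, now_stamp=None):
    """Run the log through the blocker, then expire bans as of now_stamp
    (syslog style; defaults to the last line's time).  Returns argv lists
    in the order they should be executed."""
    cmds, last = [], None
    for ts, _service, rhost in parse_failures(lines, year):
        cmds.extend(blocker.observe(ts, rhost))
        last = ts
    now = parse_ts(now_stamp, year) if now_stamp else last
    if now is not None:
        cmds.extend(blocker.expire(now))
    return cmds


def apply_rules(cmds):
    """Execute the commands for real (root and iptables required)."""
    for argv in cmds:
        subprocess.run(argv, check=True)


# Constructed sample log: the vsftpd failures quoted in the thread plus a
# fifth one, and one unrelated sshd failure from another address.
SAMPLE_LOG = """\
May 18 08:33:53 venus vsftpd(pam_unix)[29390]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:54 venus vsftpd(pam_unix)[29393]: check pass; user unknown
May 18 08:33:54 venus vsftpd(pam_unix)[29393]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:55 venus vsftpd(pam_unix)[29395]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:55 venus vsftpd(pam_unix)[29388]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:56 venus sshd(pam_unix)[29400]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7
May 18 08:33:57 venus vsftpd(pam_unix)[29402]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
""".splitlines()

if __name__ == "__main__":
    for argv in process(SAMPLE_LOG, 2007, BruteForceBlocker()):
        print(" ".join(argv))   # use apply_rules(...) instead on a real host
```

Run as a script it prints the two -A commands for 60.13.190.54 after its fifth failure and nothing for 192.0.2.7; calling process() again with a now_stamp twenty minutes later appends the matching -D commands. On a real host the loop would tail the log and call apply_rules() as root, and the ban state would need to be kept somewhere that survives a restart so that rules are not left behind when the process dies.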
_______________________________________________
Linux mailing list
Linux@flux.org
http://www.flux.org/mailman/listinfo/linux