[Linux] Firewall Rule or App?

Nicholas Saraniti linux@flux.org
Fri, 18 May 2007 09:12:02 -0400


Yes, it's called DenyHosts:
denyhosts.sourceforge.net

Joey wrote:
>
> I remember a while back ago someone had a small script which would
> detect someone trying to hack into a server and block them for a set
> period of time automatically.
>
> Does anyone have reference to this or the script?
>
> Maybe we can do this via IP tables, but we just don’t have the experience.
>
>  
>
> Currently when we physically see this type of activity:
>
> May 18 08:33:53 venus vsftpd(pam_unix)[29390]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
>
> May 18 08:33:54 venus vsftpd(pam_unix)[29393]: check pass; user unknown
>
> May 18 08:33:54 venus vsftpd(pam_unix)[29393]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
>
> May 18 08:33:55 venus vsftpd(pam_unix)[29395]: check pass; user unknown
>
> May 18 08:33:55 venus vsftpd(pam_unix)[29395]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
>
> May 18 08:33:55 venus vsftpd(pam_unix)[29388]: check pass; user unknown
>
> May 18 08:33:55 venus vsftpd(pam_unix)[29388]: authentication failure;
> logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
>
> May 18 08:33:56 venus vsftpd(pam_unix)[29379]: check pass; user unknown
>
>  
>
> We go and add an entry to a file which utilizes iptables and then
> reload that file which executes:
>
> iptables -t filter -A OUTPUT -d 60.13.190.54 -j LOG --log-prefix
> HACK-BLOCK-1200
>
> iptables -t filter -A OUTPUT -d 60.13.190.54 -j DROP
>
>  
>
> Resulting in stopping the hacker:
>
> May 18 08:40:08 mars kernel: HACK-BLOCK-1200IN= OUT=eth0
> SRC=208.244.164.44 DST=60.13.190.54 LEN=74 TOS=0x00 PREC=0x00 TTL=64
> ID=58286 DF PROTO=TCP SPT=21 DPT=35075 WINDOW=1448 RES=0x00 ACK PSH
> URGP=0
>
> May 18 08:40:08 mars kernel: HACK-BLOCK-1200IN= OUT=eth0
> SRC=208.244.165.58 DST=60.13.190.54 LEN=88 TOS=0x00 PREC=0x00 TTL=64
> ID=8969 DF PROTO=TCP SPT=21 DPT=34306 WINDOW=1448 RES=0x00 ACK PSH URGP=0
>
> May 18 08:40:08 mars kernel: HACK-BLOCK-1200IN= OUT=eth0
> SRC=208.244.165.58 DST=60.13.190.54 LEN=88 TOS=0x00 PREC=0x00 TTL=64
> ID=8971 DF PROTO=TCP SPT=21 DPT=34306 WINDOW=1448 RES=0x00 ACK PSH FIN
> URGP=0
>
> May 18 08:40:09 mars kernel: HACK-BLOCK-1200IN= OUT=eth0
> SRC=208.244.165.49 DST=60.13.190.54 LEN=88 TOS=0x00 PREC=0x00 TTL=64
> ID=2578 DF PROTO=TCP SPT=21 DPT=49626 WINDOW=1448 RES=0x00 ACK PSH URGP=0
>
>  
>
> Any ideas would be appreciated…
>
>
> Joey
>
>  
>

-- 
-------------------------------------
Nicholas M Saraniti
Director of Operations
Commcare Pharmacy
Ph: (888)203-7973
Fx: (888)203-7980
Nick@CommcarePharmacy.com
-------------------------------------
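The kind of small script Joey asks about, written here as an added example (not DenyHosts and not code from either poster): it parses the pam_unix "authentication failure" lines quoted above, flags any rhost that fails a threshold number of times inside a sliding window, and emits the log-then-drop iptables rules plus the matching delete rules for lifting the ban after a set period. The sample log lines, the year (syslog lines carry none), the threshold, the window and the ban length are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the vsftpd/pam_unix entries in the thread.
SAMPLE_LOG = """\
May 18 08:33:53 venus vsftpd(pam_unix)[29390]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:54 venus vsftpd(pam_unix)[29393]: check pass; user unknown
May 18 08:33:54 venus vsftpd(pam_unix)[29393]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:55 venus vsftpd(pam_unix)[29395]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:33:55 venus vsftpd(pam_unix)[29388]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=60.13.190.54
May 18 08:40:00 venus vsftpd(pam_unix)[29400]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.7
"""

# Timestamp, then "host service(pam_unix)[pid]: authentication failure; ... rhost=X".
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(\S+)"
)

def parse_failures(text, year=2007):
    """Yield (timestamp, rhost) for every pam_unix authentication failure line."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def offenders(text, threshold=3, window=timedelta(minutes=5)):
    """Map rhost -> time it crossed `threshold` failures within a sliding `window`."""
    recent = defaultdict(list)   # rhost -> timestamps of failures still inside the window
    flagged = {}
    for ts, host in parse_failures(text):
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= threshold and host not in flagged:
            flagged[host] = ts
    return flagged

def block_rules(host, prefix="HACK-BLOCK-1200"):
    """Log-then-drop rules for inbound packets from `host` (INPUT/-s, assumed chain)."""
    return [f"iptables -t filter -A INPUT -s {host} -j LOG --log-prefix {prefix}",
            f"iptables -t filter -A INPUT -s {host} -j DROP"]

def unblock_rules(host, prefix="HACK-BLOCK-1200"):
    """Matching -D rules to lift the ban once its period (e.g. 20 min) has elapsed."""
    return [r.replace("-A INPUT", "-D INPUT") for r in block_rules(host, prefix)]

def ban_expired(flagged_at, now, ban=timedelta(minutes=20)):
    """True once `ban` has passed since the host was flagged."""
    return now - flagged_at >= ban
```

The rules it emits match on the source address in INPUT rather than, as in the quoted rules, the destination address in OUTPUT, so the inbound login attempts are dropped and logged instead of only the server's replies to them.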