Sometime back Gerald sent me this setup for my iptables -- It has helped block plenty of junk at the BO.
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW -m recent --set --name SSH2
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH2 -j LOG --log-level 4 --log-prefix 'Block SSH 20200 Attack'
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH2 -j DROP

/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j LOG --log-level 4 --log-prefix 'Block SSH 22 Attack'
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

/sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --set --name Dovecot
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name Dovecot -j LOG --log-level 4 --log-prefix 'Block Dovecot Attack'
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name Dovecot -j DROP

/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j LOG --log-level 4 --log-prefix 'Block SMTP Attack'
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP

At 08:13 AM 2/27/2013, you wrote:
>
> and added them to deny.hosts.rules in apf but when I restart sendmail,
> there they are.
>------- End of Original Message -------
>
>Will,
>
>Using the -A switch probably won't work. That appends the rule to the end
>of the chain, and the typical BX chain is already full of "ALLOWS" -
>making your deny useless.
>
>Plus, you're using the wrong chain name. In BlueOnyx - use the chain
>"acctin", not "INPUT".
>
>Try this syntax to block them out. I use this all the time.
>
>iptables -I acctin 1 -s 201.238.254.143 -j DROP
>
>That will insert the rule as number one in the incoming traffic chain - so
>it will be acted on before any allows let the traffic in. And if you want
>to see if it's working, use
>
>iptables -L -n -v
>
>Which will display the IPTables rules along with how many packets and
>bytes each rule has acted on. The first column is packets. It should
>increment for each sendmail attempt that is blocked. So you can watch it
>for a while and if it's increasing - you've successfully blocked that IP
>(which shouldn't be showing up in the processes any more).
>
>Chuck
_______________________________________________
Blueonyx mailing list
[email protected]
http://mail.blueonyx.it/mailman/listinfo/blueonyx
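The two messages above make two separate points: the `-m recent` rules rate-limit new connections per source address (record each NEW connection, then log and drop once a source exceeds 8 hits in 60 seconds), and on BlueOnyx the rules have to land ahead of the pre-existing ALLOW rules in `acctin`, which `-A INPUT` does not achieve. The script below is an added example, not code from the thread or from BlueOnyx. It generates the rate-limit rules for the four ports in the post into a dedicated chain (the chain name `RATELIMIT` and the hook position are assumptions) and prints the commands instead of running them, so the result can be reviewed and then piped to `sh` on the firewall host. The hook chain is a parameter: `acctin` on BlueOnyx, `INPUT` on a stock Linux box. Defaults (eth0, 60 seconds, 8 hits, `--rttl`) match the rules in the post.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Prints iptables commands
# that build a per-source connection-rate limit in a dedicated chain and hook
# that chain in at position 1 of the chosen input chain, so it is evaluated
# before any ALLOW rules already present (the point Chuck makes about acctin).
# Chain name RATELIMIT is an assumption; defaults mirror the posted rules.

# ratelimit_rules PORT NAME [IFACE] [SECONDS] [HITCOUNT]
# Emits the three rules for one TCP port: record the source of every NEW
# connection, then LOG and DROP once that source exceeds HITCOUNT NEW
# connections within SECONDS. --rttl ignores spoofed sources whose TTL differs.
ratelimit_rules() {
    port=$1; name=$2; iface=${3:-eth0}; secs=${4:-60}; hits=${5:-8}
    base="/sbin/iptables -A RATELIMIT -i $iface -p tcp --dport $port -m state --state NEW -m recent"
    printf '%s --set --name %s\n' "$base" "$name"
    printf '%s --update --seconds %s --hitcount %s --rttl --name %s -j LOG --log-level 4 --log-prefix "Block %s %s Attack"\n' \
        "$base" "$secs" "$hits" "$name" "$name" "$port"
    printf '%s --update --seconds %s --hitcount %s --rttl --name %s -j DROP\n' \
        "$base" "$secs" "$hits" "$name"
}

# hook_rules HOOKCHAIN
# Creates the RATELIMIT chain and inserts a jump to it as rule 1 of HOOKCHAIN
# (acctin on BlueOnyx, INPUT elsewhere). Using -I ... 1 rather than -A is what
# keeps the limit ahead of the existing ALLOW rules in that chain.
hook_rules() {
    printf '/sbin/iptables -N RATELIMIT\n'
    printf '/sbin/iptables -I %s 1 -j RATELIMIT\n' "$1"
}

# ruleset HOOKCHAIN: the full command list for the four services in the post.
ruleset() {
    hook_rules "$1"
    ratelimit_rules 20200 SSH2
    ratelimit_rules 22 SSH
    ratelimit_rules 110 Dovecot
    ratelimit_rules 25 SMTP
}

# rule_count HOOKCHAIN: number of commands ruleset emits (2 hook + 3 per port).
rule_count() { ruleset "$1" | wc -l | tr -d ' '; }

# Usage: ./ratelimit.sh [HOOKCHAIN] | less   (then: ./ratelimit.sh acctin | sh)
ruleset "${1:-acctin}"
```

Once loaded, `iptables -L RATELIMIT -n -v` shows the packet counters for the LOG and DROP rules, the same check Chuck describes for the single-address block; the kernel log lines carry the `Block ... Attack` prefix so they are easy to grep. Because the limit lives in its own chain, reloading it is `iptables -F RATELIMIT` followed by the `ratelimit_rules` lines again, without disturbing whatever else sits in `acctin`.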
