[gentoo-user] iptables TARPIT match

2005-02-14 Thread Michael Thompson
What do I need to do to enable the TARPIT match in IPTables?

I have version 1.2.11 of IPTables and I am running Kernel 2.4.28-gentoo-r5

When I try to add a tarpit rule, such as

iptables -A INPUT -p TCP --dport 80 -j TARPIT

I get back

iptables: No chain/target/match by that name


Any help appreciated.

-- 

Mike


This message was sent for a thompsonmike.co.uk address, and may
not reflect the views or opinions of the Network owner. All Views
and Opinions are those of the author.


--
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] OT software to block IPs automatically?

2005-02-14 Thread Michael Thompson
Quoting A. Khattri [EMAIL PROTECTED]:
> On Fri, 11 Feb 2005, Michael Thompson wrote:
> > Try this
> Good idea (not) - someone could spoof your IP and lock you out of your own
> machine...
You could put an exception in the script for that IP, or the interface, i.e.
your local network interface is not blocked, but the Internet-facing NIC is.
I will admit there are better ways of doing it, such as a higher/different port
number; port knocking just adds another ring of hoops to jump through.
--
Mike

This message was sent for a thompsonmike.co.uk address, and may
not reflect the views or opinions of the Network owner. All Views
and Opinions are those of the author.



[gentoo-user] Possible?

2005-02-11 Thread Michael Thompson
I have an issue where I cannot connect to my server because the firewall
only allows ports 80 and 443 out.

I previously ran SSH on port 443 to overcome this, but I have had to
implement an HTTPS solution for users who wanted secure access, so that
is now gone.

This system has DNS records for ssh.server.co.uk and www.server.co.uk,
so can I use IPTables or similar to recognise if it is being connected
to via ssh.server.co.uk on port 443 and forward the traffic to port 22,
while if www.server.co.uk:443 is used Apache gets the traffic? Or is this
(as I suspect) impossible?



Re: [gentoo-user] OT software to block IPs automatically?

2005-02-10 Thread Michael Thompson
R'twick Niceorgaw wrote:
> Hi all,
> Recently I'm receiving a lot of failed ssh login attempts on my box for
> user root as well as a whole lot of other users which don't even
> exist. I'm getting tired of blocking these IPs manually every day.
> Is there any software that can look in the logs and put these IPs in
> iptables to drop automatically (either in a daemon mode or via cron)?
> TIA
> -R'twick

Try this
#!/bin/bash
# Seed the working list with the addresses already blacklisted, then append
# the source addresses of every "Invalid user" attempt sshd has logged.
# (">" overwrites the file, ">>" appends to it.)
cat /scripts/bad-ips > /scripts/bad-ssh
grep sshd /var/log/messages | grep Invalid | sed -e 's/^.*from //g' \
    | sort -u >> /scripts/bad-ssh
# Rotated logs too: "messages.*.gz" matches every rotation, whereas the
# character class [1-25] only matched messages.1, .2 and .5.
zcat /var/log/messages.*.gz | grep sshd | grep Invalid | sed -e 's/^.*from //g' \
    | sort -u >> /scripts/bad-ssh
# Strip the ":::" prefix that appears in front of addresses in the log and
# write the deduplicated list that the rules are built from.
sed -e 's/::://g' /scripts/bad-ssh | sort -u | sort -n > /scripts/bad-ips

/sbin/iptables -F BLACKLIST
echo Writing IPTables Rulesets
for i in $(cat /scripts/bad-ips)
do
    # Log every packet from the address (no rate limit, so a noisy source
    # fills the log), then refuse it: ICMP dropped, TCP/UDP rejected.
    /sbin/iptables -A BLACKLIST -p ALL -i eth1 -s "$i/32" -j LOG --log-prefix "BLACKLISTED: "
    /sbin/iptables -A BLACKLIST -p ICMP -i eth1 -s "$i/32" -j DROP
    /sbin/iptables -A BLACKLIST -p TCP -i eth1 -s "$i/32" -j REJECT
    /sbin/iptables -A BLACKLIST -p UDP -i eth1 -s "$i/32" -j REJECT
    echo -n .
done

echo
echo Done.
/sbin/iptables -A BLACKLIST -j RETURN


Re: [gentoo-user] OT software to block IPs automatically?

2005-02-10 Thread Michael Thompson
R'twick Niceorgaw wrote:
> Hi all,
> Recently I'm receiving a lot of failed ssh login attempts on my box for
> user root as well as a whole lot of other users which don't even
> exist. I'm getting tired of blocking these IPs manually every day.
> Is there any software that can look in the logs and put these IPs in
> iptables to drop automatically (either in a daemon mode or via cron)?
> TIA
> -R'twick
Sorry, should have looked before posting!
I don't block any more, no point. The IPs change so frequently that I have
never seen the same IP in multiple attempts.

But if you want to use that code, it will search the message logs for 
Invalid users and add them to a blacklist. You should create the chain 
first, and call it from your INPUT chain.

/sbin/iptables -N BLACKLIST
/sbin/iptables -I INPUT 1 -p TCP --dport 22 -j BLACKLIST
Just call it from cron whenever is suitable for you. If you start
getting iptables "resource unavailable" errors, remove the zcat lines, so
that it is only searching the current log file.

Better than having to run this code, run your SSHD daemon on a
non-standard port, such as 222; the scans will stop immediately.

Thanks
Michael


Re: [gentoo-user] OT software to block IPs automatically?

2005-02-10 Thread Michael Thompson
R'twick Niceorgaw wrote:
> Hi Michael,
> Thanks a lot for the quick response and it seems this is pretty much what I
> really needed. However, just a minor problem and I'm not that strong in
> sed to fix it.
> In the /scripts/bad-ips file, I get entries like
> 222.98.152.130 port 60800 ssh2
> 222.98.152.130 port 60830 ssh2
> 222.98.152.130 port 60837 ssh2
> 222.98.152.130 port 60839 ssh2
Can you post a line from your log so I can see what it looks like? That
code works fine on syslog-ng and the latest SSHD. Make sure that you
change your IP address in what you post.

Thanks
Michael.


Re: [gentoo-user] OT software to block IPs automatically?

2005-02-10 Thread Michael Thompson
Mike Noble wrote:
> > -R'twick
> Your firewall should block all incoming ssh and only allow ssh from
> addresses that you allow.  This way you do not have to keep a list of
> all the bad addresses, just a list of all the good ones.
> Mike
Good point, why did I not think of that! ;)


Re: [gentoo-user] OT software to block IPs automatically?

2005-02-10 Thread Michael Thompson
R'twick Niceorgaw wrote:
> On Fri, 2005-02-11 at 03:16 +, Michael Thompson wrote:
> > R'twick Niceorgaw wrote:
> >
> > Can you post a line from your log so I can see what it looks like? That
> > code works fine on syslog-ng and the latest SSHD. Make sure that you
> > change your IP address in what you post.
>
> Feb  9 10:35:36 konark sshd[4577]: Failed password for illegal user user from :::xxx.xxx.xxx.xxx port 38107 ssh2
> Feb  9 10:35:35 konark sshd[4571]: Failed password for root from :::xxx.xxx.xxx.xxx port 38055 ssh2
> Thanks again for the help.
> PS: I just looked at bad-ips and I have 7561 entries there just from
> today's log.
>
> R'twick
Try running this on your log by hand and see what you get back; if it
works OK, just modify it to fit into the script.

grep 'Failed password for illegal user' /var/log/messages | sed -e 's/.*user [^ ]\+ from //' -e 's/ port.*//' | sort | uniq

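The blacklist script, the BLACKLIST chain setup and the grep fix in this thread are one procedure: pull failing source addresses out of sshd's log and turn them into firewall rules. The following is an added example written for this page, not code from the thread. It handles both sshd line formats quoted above (with and without the IPv4-mapped prefix and trailing port), only lists an address after a failure threshold, honours a trusted-address exception as suggested earlier in the thread, and prints the rules for review instead of running them. The sample log lines, the TRUSTED list and the eth1 interface are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample sshd lines (not from the thread); addresses are from the
# RFC 5737 documentation ranges. Both formats seen in the thread appear, plus
# a successful login that must not count.
SAMPLE_LOG='Feb  9 10:35:36 host sshd[4577]: Failed password for illegal user user from ::ffff:192.0.2.10 port 38107 ssh2
Feb  9 10:35:35 host sshd[4571]: Failed password for root from ::ffff:192.0.2.10 port 38055 ssh2
Feb  9 10:36:01 host sshd[4580]: Invalid user oracle from 198.51.100.7
Feb  9 10:36:02 host sshd[4581]: Invalid user test from 198.51.100.7
Feb  9 10:36:03 host sshd[4582]: Failed password for illegal user admin from ::ffff:198.51.100.7 port 40001 ssh2
Feb  9 10:37:10 host sshd[4590]: Accepted password for mike from 203.0.113.5 port 50000 ssh2
Feb  9 10:38:00 host sshd[4591]: Failed password for mike from 203.0.113.5 port 50001 ssh2
Feb  9 10:38:05 host sshd[4592]: Failed password for mike from 203.0.113.5 port 50002 ssh2
Feb  9 10:38:09 host sshd[4593]: Failed password for mike from 203.0.113.5 port 50003 ssh2'

# Assumed: addresses that must never be blocked (your own LAN or office), so a
# spoofed or mistyped login cannot lock you out. One address per line.
TRUSTED='203.0.113.5'

# Read sshd lines on stdin; print "<count> <ip>" per failing source address.
# The greedy ".* from " keeps the LAST " from " on the line, so an attacker
# choosing a username like "x from 10.0.0.1" cannot plant a fake address.
failed_login_ips() {
    grep -E 'sshd\[[0-9]+\]: (Invalid user |Failed password for )' \
    | sed -e 's/.* from //' -e 's/ port .*//' -e 's/^::ffff://' \
    | sort | uniq -c | awk '{ print $1, $2 }'
}

# Only addresses with at least $1 failures (default 3) and not in TRUSTED.
blacklist_candidates() {
    threshold="${1:-3}"
    failed_login_ips | awk -v t="$threshold" '$1 >= t { print $2 }' \
    | grep -vxF "$TRUSTED" || true
}

# Turn candidate addresses (stdin) into BLACKLIST-chain rules. The commands
# are printed rather than executed so they can be reviewed first; the LOG
# rule is rate-limited so one noisy source cannot flood syslog.
blacklist_rules() {
    iface="${1:-eth1}"
    while read -r ip; do
        printf '/sbin/iptables -A BLACKLIST -i %s -s %s/32 -m limit --limit 5/min -j LOG --log-prefix "BLACKLISTED: "\n' "$iface" "$ip"
        printf '/sbin/iptables -A BLACKLIST -i %s -s %s/32 -j DROP\n' "$iface" "$ip"
    done
}

# Stand-alone run over the constructed log: prints the rules for 198.51.100.7.
printf '%s\n' "$SAMPLE_LOG" | blacklist_candidates 3 | blacklist_rules eth1
```

The chain itself is created and hooked into INPUT exactly as the thread shows (iptables -N BLACKLIST, then -I INPUT 1 -p TCP --dport 22 -j BLACKLIST) before the printed rules are applied.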


[gentoo-user] Spam Attempt?

2005-01-19 Thread Michael Thompson
For the past hour I have just watched over 200 dialup machines from all
over the world attempt to connect to my Mailserver

They were all rejected like the following:
Jan 19 09:05:07 polaris postfix/smtpd[24494]: warning: Illegal address syntax from host195-202.pool82191.interbusiness.it[82.191.202.195] in MAIL command: @

This lasted for about an hour. All I can think of is that I was picked on
by some script/virus/Trojan looking to spam.

Any Views?
--
Mike
http://www.thompsonmike.co.uk


[gentoo-user] quota check

2005-01-18 Thread Michael Thompson
I run quota for all my network users, and as far as I understand it, 
quota checks the usage on startup.

My server does not often get rebooted, so do I need to periodically run
Code:
/etc/init.d/quota stop
quotacheck -avug
/etc/init.d/quota start

to make sure that users are not over quota, or does quota do that itself
with no interaction from me?
--

Mike
http://www.thompsonmike.co.uk


Re: [gentoo-user] [OT]: Looking for a CMS..

2005-01-10 Thread Michael Thompson
Martoni wrote:
> On Sun, 09 Jan 2005 22:24:01 +0100, Daniel G. Siegel [EMAIL PROTECTED]
> wrote:
>
> > Hi!
> >
> > I'm looking for a good CMS, that I can run on my Gentoo machine and
> > on the FreeBSD-Server, where I don't have a root-account. It doesn't
> > have to exist in portage, I could write an ebuild.
>
> Go to www.opensourcecms.com, there you can try many different CMS and
> decide which one you like without having to install many different things!


