On Friday 19 May 2006 01:00, Darryl Gregorash wrote:
On 18/05/06 10:10, Peter Sutter wrote:
There is some hacker from the outside world trying to get into mysql. I have ALL : ALL in hosts.deny with specific hosts listed in hosts.allow.
If this guy is this much of a bother, I would blacklist him in the firewall. If you are using SuSEfirewall2, then you can put the command(s) into /etc/sysconfig/scripts/SuSEfirewall2-custom, in an appropriate function. Easiest would probably be fw_custom_before_port_handling() because this one is called before the INPUT and FORWARD traffic is redirected to another chain within the firewall.
First log his attempts, maximum 3 times per minute, with a special prefix:
iptables -A INPUT -s 219.156.0.0/16 -m limit --limit 3/min -j LOG --log-prefix "Wanker "
Now you can do whatever you want/can legally get away with ( ;-) ):
iptables -A INPUT -s 219.156.0.0/16 -j DROP
Maybe he'll just go away forever if you use REJECTs instead:
iptables -A INPUT -p tcp -s 219.156.0.0/16 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -s 219.156.0.0/16 -j REJECT --reject-with icmp-port-unreachable
If this doesn't give the hint, then use the single DROP instead.
[...]
Here's another option: You could also use the TARPIT extension from patch-o-matic. See http://www.netfilter.org/patch-o-matic/pom-extra.html, 4th item. This requires recompiling the kernel. iptables already knows about TARPIT (man iptables), all it needs is the TARPIT kernel module.
Cheers,
Leen
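
Added example (not part of the original thread): a shell function that tallies the kernel log lines written by the rate-limited LOG rule quoted above, keyed on its "Wanker " prefix, per source address, protocol and destination port. The function names, host name and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise kernel log lines produced by an iptables LOG rule.
# Usage: summarize_prefix PREFIX [FILE...]   (reads stdin when no file is given)
# Output: "COUNT SRC PROTO DPT", highest count first.
# The LOG rule in the thread is limited to 3/min, so counts are a lower bound.
summarize_prefix() {
    prefix=$1
    shift
    awk -v prefix="$prefix" '
        # Keep only lines where the prefix is directly followed by IN=,
        # which is how the kernel writes the --log-prefix text.
        index($0, prefix "IN=") == 0 { next }
        {
            src = proto = ""; dpt = "-"      # ICMP entries carry no DPT
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input: four lines from the "Wanker " rule, one line from
# a rule with a different prefix, and one unrelated kernel message.
sample_log() {
    cat <<'EOF'
May 19 01:02:03 gw kernel: Wanker IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=219.156.10.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4711 DF PROTO=TCP SPT=40112 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 01:02:24 gw kernel: Wanker IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=219.156.10.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=4712 DF PROTO=TCP SPT=40113 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 01:02:40 gw kernel: eth0: link up
May 19 01:03:05 gw kernel: Wanker IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=219.156.77.1 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=99 DF PROTO=TCP SPT=51000 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 01:03:30 gw kernel: OTHER IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=TCP SPT=1025 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 19 01:04:10 gw kernel: Wanker IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=219.156.10.5 DST=192.0.2.10 LEN=404 TOS=0x00 PREC=0x00 TTL=48 ID=4800 PROTO=UDP SPT=3000 DPT=1434 LEN=384
EOF
}

sample_log | summarize_prefix "Wanker "
```

On a live system the same function can be pointed at the file the kernel log is written to, with the prefix given exactly as it appears after --log-prefix, trailing space included.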