Mailinglist Archive: opensuse (5130 mails)

Re: [SLE] Intrusion attempts and hosts.deny/hosts.allow
  • From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
  • Date: Thu, 18 May 2006 17:00:04 -0600
  • Message-id: <446CFC74.1050103@xxxxxxxxxxxxx>
On 18/05/06 10:10, Peter Sutter wrote:
>There is some hacker from the outside world trying to get into
>mysql. I have ALL : ALL in hosts.deny with specific hosts listed
>in hosts.allow.
>
If this guy is this much of a bother, I would blacklist him in the
firewall. If you are using SuSEfirewall2, then you can put the
command(s) into /etc/sysconfig/scripts/SuSEfirewall2-custom, in an
appropriate function. Easiest would probably be
fw_custom_before_port_handling() because this one is called before the
INPUT and FORWARD traffic is redirected to another chain within the
firewall.

First log his attempts, maximum 3 times per minute, with a special prefix:

iptables -A INPUT -s 219.156.0.0/16 -m limit --limit 3/min \
    -j LOG --log-prefix "Wanker "

Now you can do whatever you want/can legally get away with ( ;-) ):

iptables -A INPUT -s 219.156.0.0/16 -j DROP

Maybe he'll just go away forever if you use REJECTs instead:

iptables -A INPUT -p tcp -s 219.156.0.0/16 -j REJECT \
    --reject-with tcp-reset
iptables -A INPUT -p udp -s 219.156.0.0/16 -j REJECT \
    --reject-with icmp-port-unreachable

If this doesn't give the hint, then use the single DROP instead.

Note: in the 9.3 SuSEfirewall, these two commands can be replaced by a
single "iptables -A INPUT -s 219.156.0.0/16 -j reject_func". In your
version, run "iptables-save |grep reject_func" to see if the same chain
is defined.

If it is just one particular IP, you could even forward the packets back
to him on some really nasty port, say 0 -- fill up his logs. I do not
guarantee the legality of this, however ;-) It could also eat up your
outbound bandwidth very quickly, depending on how persistent this moron is.

While this does not address your specific questions (I don't know the
answer to the first one), it should give an easier way to handle this
guy, short of setting up a honeypot. It also keeps logging of the
intrusion attempts, but at a more manageable level.

PS, I just did a "whois", and you could probably change the netmask from
/16 to /15 which will trap vast tracts of {a recently emerging economic
giant with lots of net kiddies and open email servers, which shall not
be further identified ;-) }.
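The rate-limited LOG plus DROP treatment described in the reply above, as an added example that is not part of the original post: a SuSEfirewall2-custom style hook that applies it to every range listed in a blacklist file. The file path /etc/sysconfig/scripts/blacklist.txt and the IPTABLES override are assumptions; the hook name fw_custom_before_port_handling is the one the post names.

```shell
#!/bin/sh
# Added example (not from the original post): a SuSEfirewall2-custom style
# hook giving each range in a blacklist file a rate-limited LOG, then DROP.
# Assumed: BLACKLIST_FILE is a hypothetical path with one IPv4 CIDR per line
# ('#' comments allowed); IPTABLES may be set to "echo" for a dry run.

IPTABLES="${IPTABLES:-iptables}"
BLACKLIST_FILE="${BLACKLIST_FILE:-/etc/sysconfig/scripts/blacklist.txt}"

# Succeed only for a dotted-quad IPv4 address with an optional /0-32 prefix,
# so a typo in the list cannot turn into a malformed or overly broad rule.
is_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no slash: single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Log at most 3 packets per minute from the range with a prefix that is
# easy to grep for, then silently drop everything else from it.
blacklist_range() {
    is_cidr "$1" || { echo "blacklist: skipping invalid range '$1'" >&2; return 1; }
    $IPTABLES -A INPUT -s "$1" -m limit --limit 3/min \
        -j LOG --log-prefix "BLACKLIST "
    $IPTABLES -A INPUT -s "$1" -j DROP
}

# The SuSEfirewall2 hook named in the post; it runs before INPUT and FORWARD
# traffic is dispatched to the firewall's own chains. Must end with "true".
fw_custom_before_port_handling() {
    if [ -r "$BLACKLIST_FILE" ]; then
        while read -r range _comment; do
            case "$range" in ''|'#'*) continue ;; esac
            blacklist_range "$range" || continue
        done < "$BLACKLIST_FILE"
    fi
    true
}
```

For a dry run, source the file with IPTABLES=echo and call fw_custom_before_port_handling; it prints the rules instead of loading them.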
