On 18/05/06 10:10, Peter Sutter wrote:
There is some hacker from the outside world trying to get into mysql. I have ALL : ALL in hosts.deny with specific hosts listed in hosts.allow.
If this guy is this much of a bother, I would blacklist him in the firewall. If you are using SuSEfirewall2, then you can put the command(s) into /etc/sysconfig/scripts/SuSEfirewall2-custom, in an appropriate function. Easiest would probably be fw_custom_before_port_handling() because this one is called before the INPUT and FORWARD traffic is redirected to another chain within the firewall.

First log his attempts, maximum 3 times per minute, with a special prefix:

    iptables -A INPUT -s 219.156.0.0/16 -m limit --limit 3/min -j LOG --log-prefix "Wanker "

Now you can do whatever you want/can legally get away with ( ;-) ):

    iptables -A INPUT -s 219.156.0.0/16 -j DROP

Maybe he'll just go away forever if you use REJECTs instead:

    iptables -A INPUT -p tcp -s 219.156.0.0/16 -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -s 219.156.0.0/16 -j REJECT --reject-with icmp-port-unreachable

If this doesn't give the hint, then use the single DROP instead.

Note: in the 9.3 SuSEfirewall, these two commands can be replaced by a single "iptables -A INPUT -s 219.156.0.0/16 -j reject_func". In your version, run "iptables-save |grep reject_func" to see if the same chain is defined.

If it is just one particular IP, you could even forward the packets back to him on some really nasty port, say 0 -- fill up his logs. I do not guarantee the legality of this, however ;-) It could also eat up your outbound bandwidth very quickly, depending on how persistent this moron is.

While this does not address your specific questions (I don't know the answer to the first one), it should give an easier way to handle this guy, short of setting up a honeypot. It also keeps logging of the intrusion attempts, but at a more manageable level.

PS, I just did a "whois", and you could probably change the netmask from /16 to /15 which will trap vast tracts of {a recently emerging economic giant with lots of net kiddies and open email servers, which shall not be further identified ;-) }.
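
Added example, not part of the original message: a small shell/awk helper that counts the attempts recorded by the rate-limited LOG rule above, grouped by source address, protocol and destination port. The log lines are constructed and abbreviated, they use documentation address ranges in place of the blocked network, and the function names are hypothetical.

```shell
#!/bin/sh
# Summarise kernel LOG entries written by an iptables rule with a given
# --log-prefix. Because the rule is limited to 3/min, the counts are a
# lower bound on the real number of packets.

# Constructed sample in the netfilter LOG layout (fields abbreviated).
sample_log() {
cat <<'EOF'
May 18 10:12:01 gw kernel: Wanker IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=40112 DPT=3306 SYN
May 18 10:12:04 gw kernel: Wanker IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=40113 DPT=3306 SYN
May 18 10:12:09 gw kernel: Wanker IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=40114 DPT=3306 SYN
May 18 10:13:30 gw kernel: Wanker IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=404 TTL=51 PROTO=UDP SPT=1066 DPT=1434
May 18 10:13:31 gw kernel: Other IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=50 PROTO=TCP SPT=51000 DPT=22 SYN
EOF
}

# $1 = prefix as passed to --log-prefix, without the trailing space.
# Reads syslog text on stdin, prints "count source proto/dport" lines,
# busiest first.
summarise_attempts() {
    awk -v prefix="${1:-Wanker}" '
        # The LOG target writes the prefix directly before "IN=".
        index($0, prefix " IN=") == 0 { next }
        {
            src = proto = dpt = "-"      # "-" when a field is absent (e.g. ICMP has no DPT)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[src " " proto "/" dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample; on a real host, redirect the
# file your syslog writes kernel messages to into summarise_attempts.
sample_log | summarise_attempts Wanker
```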