Mailinglist Archive: opensuse (5130 mails)

Re: [SLE] Intrusion attempts and hosts.deny/hosts.allow
  • From: Leendert Meyer <leen.meyer@xxxxxxx>
  • Date: Fri, 19 May 2006 09:52:26 +0200
  • Message-id: <200605190952.26544.leen.meyer@xxxxxxx>
On Friday 19 May 2006 01:00, Darryl Gregorash wrote:
> On 18/05/06 10:10, Peter Sutter wrote:
> >There is some hacker from the outside world trying to get into
> >mysql . I have ALL : ALL in hosts.deny with specific hosts listed
> >in hosts.allow.
>
> If this guy is this much of a bother, I would blacklist him in the
> firewall. If you are using SuSEfirewall2, then you can put the
> command(s) into /etc/sysconfig/scripts/SuSEfirewall2-custom, in an
> appropriate function. Easiest would probably be
> fw_custom_before_port_handling() because this one is called before the
> INPUT and FORWARD traffic is redirected to another chain within the
> firewall.
>
> First log his attempts, maximum 3 times per minute, with a special prefix:
>
> iptables -A INPUT -s 219.156.0.0/16 -m limit --limit 3/min
> -j LOG --log-prefix "Wanker "
>
> Now you can do whatever you want/can legally get away with ( ;-) ):
>
> iptables -A INPUT -s 219.156.0.0/16 -j DROP
>
> Maybe he'll just go away forever if you use REJECTs instead:
>
> iptables -A INPUT -p tcp -s 219.156.0.0/16 -j REJECT
> --reject-with tcp-reset
> iptables -A INPUT -p udp -s 219.156.0.0/16 -j REJECT
> --reject-with icmp-port-unreachable
>
> If this doesn't give the hint, then use the single DROP instead.

[...]

Here's another option:

You could also use the TARPIT extension from patch-o-matic. See
http://www.netfilter.org/patch-o-matic/pom-extra.html, 4th item. This
requires recompiling the kernel.

iptables already knows about TARPIT (man iptables); all it needs is the TARPIT
kernel module.

Cheers,

Leen
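As an added example (not code from Leen's or Darryl's mails), here is a fw_custom_before_port_handling() hook in the style of /etc/sysconfig/scripts/SuSEfirewall2-custom that combines Darryl's rate-limited LOG rule with either the DROP or the REJECT variant. The variables IPTABLES, BLOCK_NETS, BLOCK_MODE and BLOCK_PREFIX are assumptions introduced here, not SuSEfirewall2 settings.

```shell
#!/bin/sh
# Example hook, not part of the original thread or of SuSEfirewall2 itself.
# Assumed knobs: IPTABLES (binary to call), BLOCK_NETS (space-separated CIDRs),
# BLOCK_MODE (drop | reject), BLOCK_PREFIX (log prefix; trailing space keeps
# the log line readable).
IPTABLES="${IPTABLES:-iptables}"
BLOCK_NETS="${BLOCK_NETS:-219.156.0.0/16}"
BLOCK_MODE="${BLOCK_MODE:-drop}"
BLOCK_PREFIX="${BLOCK_PREFIX:-BLOCKED }"

block_source_net() {
    net="$1"
    # Log at most 3 matches per minute so a scan cannot flood /var/log/messages
    "$IPTABLES" -A INPUT -s "$net" -m limit --limit 3/min \
        -j LOG --log-prefix "$BLOCK_PREFIX"
    case "$BLOCK_MODE" in
        reject)
            # Active refusal: TCP reset for TCP, ICMP port-unreachable for UDP
            "$IPTABLES" -A INPUT -p tcp -s "$net" -j REJECT --reject-with tcp-reset
            "$IPTABLES" -A INPUT -p udp -s "$net" -j REJECT --reject-with icmp-port-unreachable
            ;;
        drop)
            # Silent discard: the sender sees only timeouts
            "$IPTABLES" -A INPUT -s "$net" -j DROP
            ;;
        *)
            echo "block_source_net: unknown BLOCK_MODE '$BLOCK_MODE'" >&2
            return 1
            ;;
    esac
}

fw_custom_before_port_handling() {
    # Called by SuSEfirewall2 before INPUT/FORWARD are handed to its own chains,
    # so these rules are evaluated ahead of the regular port handling.
    for net in $BLOCK_NETS; do
        block_source_net "$net" || return 1
    done
    true
}
```

SuSEfirewall2 sources the custom script and calls the hook itself; setting IPTABLES=echo lets you review the generated rules before enabling them.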
