Re: [suse-security] Deny IP address's
Hi All,

the idea seems sound to me, however shouldn't these new rules be inserted at the beginning of the INPUT chain using "iptables -I" rather than "iptables -A"? (Otherwise there is the possibility that an earlier rule may actually accept the packet.)

In either case, if using a script, why not use the power of scripting to simplify the task: pass the IP address(es) as parms to the script and use a for loop to index through each passed IP address:

    #!/bin/bash
    for x in "$@"
    do
        iptables -I blah blah blah -s "$x" blah blah blah
    done

Such a script could then be invoked whenever necessary and with as many IP addresses as required.

All the Best / Mit Freundlichen Gruessen
Mark G. Perry
IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@de.ibm.com
Office Tel: (+49)-7031-16-3626

Nigel Gaylard wrote:
Hi All
I would like to create a list of IP addresses that should be denied all access to my server. I have currently 2 or 3 people making a deliberate effort to hack into my SSH port, and so I would like to deny them access to it at firewall level, as well as all other ports.
The following may do the trick and log and drop all attacks coming in through the INPUT chain, FROM THE SPECIFIED IP ADDRESSES ONLY.

You should be able to add this to your existing Firewall rules. i.e. don't clear what you already have in IPtables rules. Just make this into an executable script and run it WITHOUT flushing your current rules.

==================================================
THIS IS JUST A QUICK FIX - MAY NEED TO BE MODIFIED
** TEST FIRST AND USE AT YOUR OWN RISK!!! **
==================================================

(Replace ip.address(n).to.block with the known IP address of each suspected attacker).

    # Log attack attempts from known IP address1
    iptables -A INPUT -s ip.address1.to.block -j LOG \
        --log-prefix 'DROPPED PKTS FROM ip.address1.to.block '
    # drop ALL packets from this address1
    iptables -A INPUT -s ip.address1.to.block -j DROP

    # Log attack attempts from known IP address2
    iptables -A INPUT -s ip.address2.to.block -j LOG \
        --log-prefix 'DROPPED PKTS FROM ip.address2.to.block '
    # drop ALL packets from this address2
    iptables -A INPUT -s ip.address2.to.block -j DROP

    # Log attack attempts from known IP address3
    iptables -A INPUT -s ip.address3.to.block -j LOG \
        --log-prefix 'DROPPED PKTS FROM ip.address3.to.block '
    # drop ALL packets from this address3
    iptables -A INPUT -s ip.address3.to.block -j DROP

see man iptables for more information if required.

HTH - Keith Roberts

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
On Wed, 30 Jul 2003, Mark Perry wrote:
Hi All,

the idea seems sound to me, however shouldn't these new rules be inserted at the beginning of the INPUT chain using "iptables -I" rather than "iptables -A"? (Otherwise there is the possibility that an earlier rule may actually accept the packet.)

In either case, if using a script, why not use the power of scripting to simplify the task: pass the IP address(es) as parms to the script and use a for loop to index through each passed IP address:

    #!/bin/bash
    for x in "$@"
    do
        iptables -I blah blah blah -s "$x" blah blah blah
    done
Such a script could then be invoked whenever necessary and with as many ip addresses as required.
Yes, you're right there Mark! Block the packets at the start of the chain! Using script variables is also a better idea. As somebody else on the list has mentioned, it's probably best to block EVERYTHING FIRST, and then selectively allow packets to pass through the firewall.

Regards - Keith Roberts
All the Best / Mit Freundlichen Gruessen Mark G. Perry
IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH Schoenaicher Strasse 220, 71032 Boeblingen, Germany Email/Sametime: perry@de.ibm.com Office Tel: (+49)-7031-16-3626
Nigel Gaylard wrote:
Hi All
I would like to create a list of IP addresses that should be denied all access to my server. I have currently 2 or 3 people making a deliberate effort to hack into my SSH port, and so I would like to deny them access to it at firewall level, as well as all other ports.
The following may do the trick and log and drop all attacks coming in through the INPUT chain, FROM THE SPECIFIED IP ADDRESSES ONLY.
You should be able to add this to your existing Firewall rules.
i.e. don't clear what you already have in IPtables rules.
Just make this into an executable script and run it WITHOUT flushing your current rules.
==================================================
THIS IS JUST A QUICK FIX - MAY NEED TO BE MODIFIED
** TEST FIRST AND USE AT YOUR OWN RISK!!! **
==================================================
(Replace ip.address(n).to.block with the known IP address of each suspected attacker).
    # Log attack attempts from known IP address1
    iptables -A INPUT -s ip.address1.to.block -j LOG \
        --log-prefix 'DROPPED PKTS FROM ip.address1.to.block '
    # drop ALL packets from this address1
    iptables -A INPUT -s ip.address1.to.block -j DROP

    # Log attack attempts from known IP address2
    iptables -A INPUT -s ip.address2.to.block -j LOG \
        --log-prefix 'DROPPED PKTS FROM ip.address2.to.block '
    # drop ALL packets from this address2
    iptables -A INPUT -s ip.address2.to.block -j DROP

    # Log attack attempts from known IP address3
    iptables -A INPUT -s ip.address3.to.block -j LOG \
        --log-prefix 'DROPPED PKTS FROM ip.address3.to.block '
    # drop ALL packets from this address3
    iptables -A INPUT -s ip.address3.to.block -j DROP
see man iptables for more information if required.
HTH - Keith Roberts
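Added example, not part of the original thread: one way to combine the points made above (insert at the head of INPUT with -I, loop over the addresses passed as arguments, log before dropping). The function names, the APPLY switch and the "BLOCKED" log prefix are assumptions of this example; it prints the commands unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example (not from the thread). Usage: ./block.sh 192.0.2.10 198.51.100.7
# Prints the iptables commands; run as root with APPLY=1 to execute them.

# Succeed only for a strict dotted-quad IPv4 address (octets 0-255, no leading
# zeros), so nothing else from the command line reaches iptables.
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in 0?*) exit 1 ;; esac
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
    done
)

# Dry run by default: print the command instead of executing it.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Put LOG directly above DROP at the head of INPUT for one address.
# Every "-I INPUT 1" pushes earlier inserts down, so DROP goes in first.
block_ip() {
    ip=$1
    if ! valid_ipv4 "$ip"; then
        echo "skipping invalid address: $ip" >&2
        return 1
    fi
    # -C tests whether the rule already exists, so re-runs add no duplicates.
    if [ "${APPLY:-0}" = 1 ] && iptables -C INPUT -s "$ip" -j DROP 2>/dev/null; then
        return 0
    fi
    run iptables -I INPUT 1 -s "$ip" -j DROP
    # --log-prefix holds at most 29 characters; "BLOCKED " + address + space fits.
    run iptables -I INPUT 1 -s "$ip" -j LOG --log-prefix "BLOCKED $ip "
}

for addr in "$@"; do
    block_ip "$addr" || :
done
```

Review the dry-run output before applying it, and confirm the resulting order with "iptables -L INPUT -n --line-numbers".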
Participants (2): keith@topaz5.worldonline.co.uk, Mark Perry