Hi All

I would like to create a list of IP addresses that should be denied all access to my server. I currently have 2 or 3 people making a deliberate effort to hack into my SSH port, and so I would like to deny them access to it at firewall level, as well as all other ports. I can't seem to find information in the Suse documentation on firewall2.

Many thanks
Nigel Gaylard
Nigel Gaylard wrote:
Hi All
I would like to create a list of IP addresses that should be denied all access to my server. I currently have 2 or 3 people making a deliberate effort to hack into my SSH port, and so I would like to deny them access to it at firewall level, as well as all other ports. I can't seem to find information in the Suse documentation on firewall2.
Many thanks
Nigel Gaylard
Hi,

you seem to need a fast solution: the best thing I know is to create a special rule for iptables (on older systems it's ipchains). In a standard iptables configuration you have three chains called INPUT, FORWARD and OUTPUT. Packets that are forwarded to other PCs (no matter whether in the local network or on the Internet) are filtered according to the rules of the FORWARD chain. Packets whose destination is the router/FW are filtered by the INPUT chain, and packets that are sent by the router/FW are filtered by the OUTPUT chain. You can get an overview of the iptables rules currently in use with the 'iptables -L' command. This way, you can protect your complete LAN, not only your server.

Big problem: all programs (like FWs, scripts, etc.) that may/can change rules in iptables can - and probably will - flush your self-created rule.

We use this technique to disable all Internet access for users (inside our LAN) who didn't pay their bills etc. It works fine on our server, which is running a mixture of SuSE 7.x and several upgrades for special programs. But I haven't tested it on other systems using other FWs, etc.

Good luck,
Simon
Hi,

First of all, blocking specific IP addresses will offer no protection if the attack came from a public dial-in ISP where the address may change every time. Even if the attacker always uses the same IP address (which would be very unwise) he might try the same stuff from a different location (with a different address). But if it helps you sleep better, add a custom iptables rule in /etc/sysconfig/scripts/SuSEfirewall2-custom and activate this script in the main config file.

Better protection will be accomplished by explicitly securing the SSH service (and the other services as well). The default config is fairly secure, but can possibly be enhanced. For example, disable protocol 1 unless you really need it.

Good night,
Holger

On Tuesday, 29 July 2003 at 21:27, Nigel Gaylard wrote:
Hi All
I would like to create a list of IP addresses that should be denied all access to my server. I currently have 2 or 3 people making a deliberate effort to hack into my SSH port, and so I would like to deny them access to it at firewall level, as well as all other ports. I can't seem to find information in the Suse documentation on firewall2.
Many thanks
Nigel Gaylard
Hi Nigel,
I would like to create a list of IP addresses that should be denied all access to my server. I currently have 2 or 3 people making a deliberate effort to hack into my SSH port, and so I would like to deny them access to it at firewall level, as well as all other ports. I can't seem to find information in the Suse documentation on firewall2.
--> Usually, one does it the other way around: deny access for everybody and then allow selectively only those IPs that are allowed to connect. This has the advantage of securing your server even if the bad guys change IPs or other people try to attack you. You should leave FW_SERVICES_EXT_TCP empty and put the allowed SSH IPs/nets into FW_TRUSTED_NETS.

Unfortunately, I'm not good at iptables, so I can't tell you which rules you have to add to reject single IPs. But they would have to go into /etc/sysconfig/scripts/SuSEfirewall2-custom, probably in "fw_custom_before_antispoofing()". Add something like (untested):

iptables -I INPUT -j DROP -s IP_to_block

HTH,
Armin

-- 
Am Hasenberg 26                    office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                        Schloss-Straße 6
Tel. ++49-(0)38203/42137                   D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de                Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/                Fax. +49-(0)38293-68-50
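Putting Holger's and Armin's suggestions together, here is an added example of how a blocklist could be loaded from SuSEfirewall2-custom. It is not code from the thread or from SuSEfirewall2 itself, and everything specific in it is an assumption: the list file /etc/sysconfig/scripts/blocklist.txt, the chain name BLOCKLIST and the sample addresses are made up for illustration, and the script only prints the iptables commands so it can be checked without touching a live firewall. Keeping the DROP rules in their own chain, rebuilt from the custom hook each time the firewall starts, also addresses Simon's point that other tools flush individual rules: a rule inserted by hand into INPUT disappears on the next reload, a chain rebuilt by the hook comes back with it.

```sh
#!/bin/sh
# Added example, not from the thread. Generates iptables commands that put every
# address from a blocklist file into its own chain, which INPUT jumps to first.
# Assumptions (hypothetical): the list lives in /etc/sysconfig/scripts/blocklist.txt,
# one IPv4 address or CIDR per line, '#' starts a comment; the chain is named BLOCKLIST.

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-/32 prefix.
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no '/' present: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                               # split on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read a blocklist on stdin and print the iptables commands for chain $1.
# Malformed entries are reported on stderr and skipped, so one typo cannot
# abort the whole firewall start and leave the host unfiltered.
emit_block_rules() {
    chain=${1:-BLOCKLIST}
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"   # create or empty the chain
    echo "iptables -D INPUT -j $chain 2>/dev/null"                # remove a stale jump, if any
    echo "iptables -I INPUT 1 -j $chain"                          # evaluate before any ACCEPT
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                        # strip comments
        entry=$(printf '%s' "$entry" | tr -d ' \t')              # and whitespace
        [ -n "$entry" ] || continue
        if valid_ipv4_cidr "$entry"; then
            echo "iptables -A $chain -s $entry -j DROP"
        else
            echo "blocklist: skipping malformed entry '$line'" >&2
        fi
    done
    return 0
}

# Hook body for /etc/sysconfig/scripts/SuSEfirewall2-custom; SuSEfirewall2 calls it
# when FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2 points at that script.
fw_custom_before_antispoofing() {
    if [ -r /etc/sysconfig/scripts/blocklist.txt ]; then
        emit_block_rules BLOCKLIST < /etc/sysconfig/scripts/blocklist.txt | sh
    fi
    true
}

# Constructed sample list (documentation ranges, not real attacker addresses).
SAMPLE_BLOCKLIST='# two sources seen hammering sshd
192.0.2.17
198.51.100.0/24      # a whole dial-in pool
not.an.address       # rejected, reported on stderr
203.0.113.5/33       # rejected: prefix too long
'

# Dry run: show what the hook would execute for the sample list.
printf '%s' "$SAMPLE_BLOCKLIST" | emit_block_rules BLOCKLIST
```

The dry run prints three lines that (re)create the chain and hook it in front of INPUT, followed by one DROP rule per valid entry; the two malformed lines go to stderr and are left out rather than being passed to iptables, which would otherwise fail part-way through the ruleset. Because the whole chain is regenerated from the file on every firewall start, the blocklist survives the flush Simon warns about, and entries can be added by editing the file and restarting SuSEfirewall2.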
Nigel Gaylard wrote:
Hi All
I would like to create a list of IP addresses that should be denied all access to my server. I currently have 2 or 3 people making a deliberate effort to hack into my SSH port, and so I would like to deny them access to it at firewall level, as well as all other ports. I can't seem to find information in the Suse documentation on firewall2.
This is probably pretty late now, but in addition to the actions on the firewall, I would consider putting up a honeypot. I would move the actual machine to another IP address and give the address under attack to the honeypot. Monitor carefully and you might fool them.

Also, if you have IP addresses, you can look up the owners. You might contact those (via e-mail or regular mail). That way you would actually do something against the attackers, instead of 'only' trying to keep them out.

My 0,02 Euro,
Stefan
participants (5)
-
Armin Schoech
-
Holger Schletz
-
Nigel Gaylard
-
Simon Hoerder
-
Stefan Waidele jun.