The Saturday 2006-03-25 at 12:24 -0500, Damon Register wrote:
> Just recently I noticed on my SuSE 9.0 computer a similar problem with vsftpd attacks. I remember having read this thread so I searched for it to give me some ideas on how to respond. I mentioned my problem to an admin at work and he also thought the above approach was a good idea, especially since I only run that for a few family and friends.
When possible, yes.
> With a little Googling and man page reading I figured out how to configure the hosts.allow and deny. In hosts.deny I have ALL : ALL and in hosts.allow I have something like ALL : somedomain.com. The problem is that the connecting client times out trying to connect. I remember reading somewhere that I had to put the host in hosts or the DNS lookup would timeout so I suppose that is what is happening. If somedomain.com was a fixed address host, then putting it in hosts would be no problem. Since my family and friends all have dynamic addresses, this is a problem. We all use the free name from www.noip.com but I can't put those in hosts since the address is not fixed.
> How can I get the tcp_wrappers stuff to work with DNS so I can use the dynamic addresses? So far, all the Googling I have done has led me to a few pages that give some basic info about setting up the hosts.allow and hosts.deny files but I haven't found anything about this DNS problem.
I don't think it is a timeout problem. The problem is that you need reverse name resolving to work. I mean, you need to resolve the IP your friends are coming in from to the name you allowed in the hosts.allow. At the time of the connection, the only thing known is the IP. From the IP the system finds out a name... that will not be that of noip.com, but one from their ISP, or none at all. Bad luck.

You could set up a complicated mail robot. Your friend sends a gpg-authenticated email saying the IP that he is coming from. The robot, fired by procmail, interprets that, adds the IP to the hosts.allow file, and then your friend can connect. The robot can also program an "at" command to remove the IP after an hour, for instance. But no, don't ask me for such a robot, I don't have it!

Another idea: use the "recent" module of iptables to automatically block repeated "polls". There was a brief thread in the security list some time ago. I use this in SuSEfirewall2-custom, function fw_custom_before_antispoofing():

iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT

On the sixth attempt to connect to port 22 within 60 seconds, that IP is rejected. It is simple to modify. Don't ask me much about it, I'm no expert on iptables ;-)

--
Cheers,
Carlos Robinson
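The three "recent" rules in the message above, simulated in Python as an added example (not code from the thread or from SuSEfirewall2): constructed SYN events are pushed through the same 60-second / 6-hit sliding window so you can see which attempt trips the REJECT rule, why a source that keeps retrying stays blocked, and when an address is allowed again. The log line format and the one-stamp-per-packet bookkeeping are simplifications assumed here, not the kernel's exact behaviour.

```python
# Simulation of the iptables "recent" sliding window used by the sshattack
# rules in the message (added example, not code from the thread).
# Assumption: one timestamp is recorded per SYN. The real module also appends
# a stamp whenever an --update rule matches, which only makes the block
# stickier, and caps the per-address list (ip_pkt_list_tot, default 20).
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 6          # --hitcount 6


def classify_syns(events, window=WINDOW_SECONDS, hitcount=HITCOUNT):
    """Return [(ts, ip, verdict)] for each (ts, ip) SYN, in arrival order.

    Rule 1 (--set) records the packet for its source address.
    Rules 2 and 3 (--update --seconds N --hitcount M) match when at least
    M recorded packets from that address fall inside the last N seconds;
    the first of them logs, the second rejects.
    """
    stamps = defaultdict(deque)          # address -> recent timestamps
    verdicts = []
    for ts, ip in events:
        q = stamps[ip]
        q.append(ts)                     # --set: record this SYN
        while q and ts - q[0] > window:  # forget hits outside the window
            q.popleft()
        verdict = "REJECT" if len(q) >= hitcount else "ACCEPT"
        verdicts.append((ts, ip, verdict))
    return verdicts


def log_lines(events):
    """Simplified lines the LOG rule would emit, using the message's prefix."""
    return [f"SSH attack: SRC={ip} at t={ts}s"
            for ts, ip, v in classify_syns(events) if v == "REJECT"]


# Constructed sample: one address hammering port 22, one normal client.
SAMPLE_EVENTS = [
    (0, "198.51.100.7"), (3, "198.51.100.7"), (5, "198.51.100.7"),
    (8, "203.0.113.9"),
    (10, "198.51.100.7"), (14, "198.51.100.7"),
    (20, "198.51.100.7"),   # sixth SYN inside 60 s -> rejected
    (25, "198.51.100.7"),   # still >= 6 in the window -> stays rejected
    (90, "198.51.100.7"),   # every earlier hit aged out -> accepted again
    (400, "203.0.113.9"),
]

if __name__ == "__main__":
    for ts, ip, verdict in classify_syns(SAMPLE_EVENTS):
        print(f"t={ts:>3}s {ip:<14} {verdict}")
```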