Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] Deny IP address's
  • From: keith@xxxxxxxxxxxxxxxxxxxxxxxx
  • Date: Wed, 30 Jul 2003 14:51:23 +0000 (GMT)
  • Message-id: <Pine.LNX.4.44.0307301437270.1080-100000@xxxxxxxxxxx>

On Wed, 30 Jul 2003, Mark Perry wrote:

>
> Hi All,
> the idea seems sound to me, however shouldn't these new rules be inserted at
> the beginning of the INPUT chain using "iptables -I" rather than "iptables
> -A"?
> (Otherwise there is the possibility that an earlier rule may actually
> accept the packet.)
>
> In either case, if using a script, why not use the power of scripting to simplify
> the task: pass the ip address(es) as parms to the script and use a for loop
> to index through each passed ip address:
>
> #!/bin/bash
> # insert a rule for each address passed on the command line
> for x in "$@"
> do
> iptables -I blah blah blah -s "$x" blah blah blah
> done
>
> Such a script could then be invoked whenever necessary and with as many ip
> addresses as required.

Yes, you're right there, Mark!

Block the packets at the start of the chain!

Using script variables is also a better idea.

As somebody else on the list has mentioned, it's probably
best to block EVERYTHING FIRST, and then selectively allow
packets to pass through the firewall.

Regards - Keith Roberts



>
> All the Best / Mit Freundlichen Gruessen
> Mark G. Perry
>
> IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
> Schoenaicher Strasse 220, 71032 Boeblingen, Germany
> Email/Sametime: perry@xxxxxxxxxx
> Office Tel: (+49)-7031-16-3626
>
>
> Nigel Gaylard wrote:
>
> >Hi All
> >
> >I would like to create a list of IP address's that should be denied all
> >access to my server. I have currently 2 or 3 people making a deliberate
> >effort to hack into my SSH port, and so I would like to deny them access to
> >it at firewall level, as well as all other ports.
>
> The following may do the trick and log and drop all attacks
> coming in through the INPUT chain, FROM THE SPECIFIED IP
> ADDRESSES ONLY.
>
> You should be able to add this to your existing Firewall
> rules.
>
> i.e. don't clear what you already have in IPtables rules.
>
> Just make this into an executable script and run it WITHOUT
> flushing your current rules.
>
> ==================================================
> THIS IS JUST A QUICK FIX - MAY NEED TO BE MODIFIED
> ** TEST FIRST AND USE AT YOUR OWN RISK!!! **
> ==================================================
>
> (Replace ip.address(n).to.block with the known IP address
> of each suspected attacker).
>
> #!/bin/sh
> # path to the iptables binary; adjust if yours lives elsewhere
> IPTABLES=/usr/sbin/iptables
>
> # Log attack attempts from known IP address1
> $IPTABLES -A INPUT -s ip.address1.to.block -j LOG \
> --log-prefix 'DROPPED PKTS FROM ip.address1.to.block '
>
> # drop ALL packets from this address1
> $IPTABLES -A INPUT -s ip.address1.to.block -j DROP
>
>
> # Log attack attempts from known IP address2
> $IPTABLES -A INPUT -s ip.address2.to.block -j LOG \
> --log-prefix 'DROPPED PKTS FROM ip.address2.to.block '
>
> # drop ALL packets from this address2
> $IPTABLES -A INPUT -s ip.address2.to.block -j DROP
>
>
> # Log attack attempts from known IP address3
> $IPTABLES -A INPUT -s ip.address3.to.block -j LOG \
> --log-prefix 'DROPPED PKTS FROM ip.address3.to.block '
>
> # drop ALL packets from this address3
> $IPTABLES -A INPUT -s ip.address3.to.block -j DROP
>
>
> See man iptables for more information if required.
>
>
> HTH - Keith Roberts

