Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] Deny IP address's
  • From: "Mark Perry" <PERRY@xxxxxxxxxx>
  • Date: Wed, 30 Jul 2003 09:51:47 +0200
  • Message-id: <OF9ECD9E3B.97E8B560-ONC1256D73.002AC63A-C1256D73.002B61D5@xxxxxxxxxx>

Hi All,
the idea seems sound to me, however shouldn't these new rules be inserted at
the beginning of the INPUT chain using "iptables -I" rather than "iptables
-A"?
(Otherwise there is the possibility that an earlier rule may actually
accept the packet.)

In either case, if using a script, why not use the power of scripting to
simplify the task: pass the IP address(es) as parameters to the script and
use a for loop to iterate through each passed IP address:

#!/bin/bash
# one iptables rule per address passed on the command line
for x in "$@"
do
iptables -I blah blah blah -s "$x" blah blah blah
done

Such a script could then be invoked whenever necessary and with as many ip
addresses as required.

All the Best / Mit Freundlichen Gruessen
Mark G. Perry

IBM Germany Development GmbH / IBM Deutschland Entwicklung GmbH
Schoenaicher Strasse 220, 71032 Boeblingen, Germany
Email/Sametime: perry@xxxxxxxxxx
Office Tel: (+49)-7031-16-3626


Nigel Gaylard wrote:

>Hi All
>
>I would like to create a list of IP addresses that should be denied all
>access to my server. I have currently 2 or 3 people making a deliberate
>effort to hack into my SSH port, and so I would like to deny them access to
>it at firewall level, as well as all other ports.

The following may do the trick and log and drop all attacks
coming in through the INPUT chain, FROM THE SPECIFIED IP
ADDRESSES ONLY.

You should be able to add this to your existing Firewall
rules.

i.e. don't clear what you already have in IPtables rules.

Just make this into an executable script and run it WITHOUT
flushing your current rules.

==================================================
THIS IS JUST A QUICK FIX - MAY NEED TO BE MODIFIED
** TEST FIRST AND USE AT YOUR OWN RISK!!! **
==================================================

(Replace ip.address(n).to.block with the known IP address
of each suspected attacker).

#!/bin/sh

# Log attack attempts from known IP address1
iptables -A INPUT -s ip.address1.to.block -j LOG \
--log-prefix 'DROPPED PKTS FROM ip.address1.to.block '

# drop ALL packets from this address1
iptables -A INPUT -s ip.address1.to.block -j DROP


# Log attack attempts from known IP address2
iptables -A INPUT -s ip.address2.to.block -j LOG \
--log-prefix 'DROPPED PKTS FROM ip.address2.to.block '

# drop ALL packets from this address2
iptables -A INPUT -s ip.address2.to.block -j DROP


# Log attack attempts from known IP address3
iptables -A INPUT -s ip.address3.to.block -j LOG \
--log-prefix 'DROPPED PKTS FROM ip.address3.to.block '

# drop ALL packets from this address3
iptables -A INPUT -s ip.address3.to.block -j DROP


see man iptables for more information if required.


HTH - Keith Roberts
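Putting Mark's two points (insert with -I, loop over the addresses passed as parameters) together with Keith's LOG-then-DROP pair, here is an added example script that is not part of either poster's message. It assumes iptables lives at /usr/sbin/iptables (overridable via the environment) and that the -C rule-check option of iptables 1.4.11 or later is available; DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# block_ips.sh: LOG and DROP all packets from the given IPv4 sources, inserted
# at the head of INPUT so no earlier ACCEPT rule wins. DRY_RUN=1 prints the
# iptables commands instead of running them.  Usage: block_ips.sh 203.0.113.5 ...
IPTABLES=${IPTABLES:-/usr/sbin/iptables}  # assumed path; override via environment
DRY_RUN=${DRY_RUN:-0}

# Accept only a dotted-quad IPv4 address with an optional /0-/32 prefix, so a
# typo or hostname is rejected instead of being handed to -s.
valid_ip() {
  ip=$1; prefix=
  case $ip in */*) prefix=${ip##*/}; ip=${ip%/*}; [ -n "$prefix" ] || return 1 ;; esac
  case $prefix in *[!0-9]*) return 1 ;; esac
  [ -z "$prefix" ] || [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs   # split the address on dots
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}
# Run one iptables invocation, or print it in dry-run mode.
ipt() { if [ "$DRY_RUN" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi; }
# -I puts each rule at position 1, so DROP is inserted first and LOG second and
# the chain ends up reading LOG then DROP. --log-prefix is capped at 29 chars;
# the kernel log line already carries SRC=, so the prefix need not repeat the IP.
block_one() {
  ipt -I INPUT 1 -s "$1" -j DROP &&
  ipt -I INPUT 1 -s "$1" -j LOG --log-prefix 'BLOCKED_SRC: '
}
# Block every address on the command line; invalid ones are reported and
# skipped, and the exit status is non-zero if anything was skipped or failed.
block_ips() {
  rc=0
  for a in "$@"; do
    if ! valid_ip "$a"; then
      echo "block_ips: skipping invalid IPv4 address: $a" >&2; rc=1; continue
    fi
    # Re-runs stay idempotent: -C (iptables >= 1.4.11, assumed) reports whether
    # the DROP rule already exists before another copy is inserted.
    if [ "$DRY_RUN" != 1 ] && "$IPTABLES" -C INPUT -s "$a" -j DROP 2>/dev/null; then
      continue
    fi
    block_one "$a" || rc=1
  done
  return $rc
}
if [ $# -gt 0 ]; then block_ips "$@"; fi
```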
