Old 08-10-2010, 08:30 PM
Bob Hoffman
 
Iptables questions

Hello,

I have read and seen many options for additions to Iptables as a firewall
and security system. All seem to react to logs and not to incoming packets
(as far as I have seen).

I am interested in doing a number of security ideas to the firewall,
iptables, on my webserver. If you have a program you would suggest or
believe iptables is the proper solution, please feel free to post that.

Here are some of the things I would like to do:

1) I have switched my SSH to a different port. I would like to still check
for anyone trying to hit the old port 22 and log them. At the same time add
them to a reject/ban for a certain period of time, let's say 1 day.

2) There are certain apache hacks (like things that include ../) that I
would prefer to stop at the firewall. I would also like to log these
attempts and begin a reject/ban for a certain period of time. Or just log
until I figure out the best way to safely ban.

3) There are common script kiddie hacks that look for certain files 1
million times a day. I would like to either look for them in the incoming
packets, log, and ban. Or I would like to be able to use my own php program
to route them out and then add to a ban list that iptables can use.


These are just some of the things I am looking at doing. I also want to
start a ban list for mail packets too, why bog down sendmail when I know
what they are?


I realize some things might be done via programs like fail2ban (like my php
program making a list) but others would be better at the firewall as active
reaction security measures.


Any input kindly accepted.

Thank you for any help or ideas.


Bob

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-10-2010, 08:40 PM
Whit Blauvelt
 
Iptables questions

On Tue, Aug 10, 2010 at 04:30:16PM -0400, Bob Hoffman wrote:

> I am interested in doing a number of security ideas to the firewall,
> iptables, on my webserver. If you have a program you would suggest or
> believe iptables is the proper solution, please feel free to post that.

For a set of useful components you might look here:

http://www.gentoo.org/proj/en/dynfw.xml

Not a complete solution, but very useful options for dropping, blocking or
rate limiting specific remote IPs at the firewall, that are consistent with
varied iptables setups, and can be easily called from whatever scripts
you're using to identify bad IPs.

Regards,
Whit
 
Old 08-10-2010, 08:58 PM
kalinix
 
Iptables questions

On Tue, 2010-08-10 at 16:30 -0400, Bob Hoffman wrote:
> Hello,
>
> I have read and seen many options for additions to Iptables as a firewall
> and security system. All seem to react to logs and not to incoming packets
> (as far as I have seen)
>
> I am interested in doing a number of security ideas to the firewall,
> iptables, on my webserver. If you have a program you would suggest or
> believe iptables is the proper solution, please feel free to post that.
>
> Here are some of the things I would like to do
>
> 1) I have switched my SSH to a different port. I would like to still check
> for anyone trying to hit the old port 22 and log them. At the same time add
> them to a reject/ban for a certain period of time, lets say 1 day.
>
> 2) there are certain apache hacks (like things that include ../) that I
> would prefer to stop at the firewall. I would also like to log these
> attempts and begin a reject/ban for a certain period of time. Or just log
> until I figure out the best way to safely ban.
>
> 3) There are common script kiddie hacks that look for certain files 1
> million times a day. I would like to either look for them in the incoming
> packets, log, and ban. Or I would like to be able to use my own php program
> to route them out and then add to a ban list that iptables can use.
>
>
> These are just some of the things I am looking at doing. I also want to
> start a ban list for mail packets too, why bog down sendmail when I know
> what they are?
>
>
> I realize some things might be done via programs like fail2ban (like my php
> program making a list) but others would be better at the firewall as active
> reaction security measures.
>
>
> Any input kindly accepted.
>
> Thank you for any help or ideas.
>
>
> Bob
>

OSSEC

http://www.ossec.net/


not exactly 'real-time', though, as it has to parse the logs.

--


Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857

=================================================
Putt's Law: Technology is dominated by two types of people: Those who
understand what they do not manage. Those who manage what they do not
understand.

 
Old 08-10-2010, 09:33 PM
John R Pierce
 
Iptables questions

On 08/10/10 1:30 PM, Bob Hoffman wrote:
> 1) I have switched my SSH to a different port. I would like to still check
> for anyone trying to hit the old port 22 and log them. At the same time add
> them to a reject/ban for a certain period of time, lets say 1 day.

If nothing is listening on that port, then what's to 'ban'?


 
Old 08-10-2010, 10:07 PM
Benjamin Donnachie
 
Iptables questions

On 10 Aug 2010, at 22:33, John R Pierce <pierce@hogranch.com> wrote:
> If nothing is listening on that port, then whats to 'ban' ?

I experimented with something similar - wrote a small C program that
listened on port 22, dumped the source IP to a log which was then
picked up by fail2ban.

Worked quite well if I remember correctly!

Ben
 
Old 08-10-2010, 10:08 PM
Keith Roberts
 
Iptables questions

On Tue, 10 Aug 2010, John R Pierce wrote:

> To: CentOS mailing list <centos@centos.org>
> From: John R Pierce <pierce@hogranch.com>
> Subject: Re: [CentOS] Iptables questions
>
> On 08/10/10 1:30 PM, Bob Hoffman wrote:
>> 1) I have switched my SSH to a different port. I would like to still check
>> for anyone trying to hit the old port 22 and log them. At the same time add
>> them to a reject/ban for a certain period of time, lets say 1 day.
>
> If nothing is listening on that port, then whats to 'ban' ?

I think what Bob wants to do is to move his sshd to another
non-standard port, and leave port 22 open. Then see what's
trying to access that. I guess you could run another
'dummy-sshd' type program to listen on port 22, in place of
the real sshd, and then log all incoming packets on that
port?

IIRC sshd logs all connection attempts anyway?

IPtables can log packets coming in to any particular port. I
don't think the port needs to be open for IPtables to log a
packet headed for that particular port?

I log ALL packets coming into my firewall, and then purge the
logs with a cron job every 24 hours.

Kind Regards,

Keith Roberts

-----------------------------------------------------------------
Websites:
http://www.php-debuggers.net
http://www.karsites.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
 
Old 08-10-2010, 10:30 PM
Scott Silva
 
Iptables questions

on 8-10-2010 3:08 PM Keith Roberts spake the following:
> On Tue, 10 Aug 2010, John R Pierce wrote:
>
>> To: CentOS mailing list <centos@centos.org>
>> From: John R Pierce <pierce@hogranch.com>
>> Subject: Re: [CentOS] Iptables questions
>>
>> On 08/10/10 1:30 PM, Bob Hoffman wrote:
>>> 1) I have switched my SSH to a different port. I would like to still check
>>> for anyone trying to hit the old port 22 and log them. At the same time add
>>> them to a reject/ban for a certain period of time, lets say 1 day.
>>
>> If nothing is listening on that port, then whats to 'ban' ?
>
> I think what Bob wants to do is to move his sshd to another
> non-standard port, and leave port 22 open. Then see what's
> trying to access that. I guess you could run another
> 'dummy-sshd' type program to listen on port 22, in place of
> the real sshd, and then log all incoming packets on that
> port?
>
> IIRC sshd logs all connection attempts anyway?
>
> IPtables can log packets coming in to any particular port. I
> don't think the port needs to be open for IPtables to log a
> packet headed for that particular port?
>
> I log ALL packets coming into my firewall, and then purge the
> logs with a cron job every 24 hours.
>
> Kind Regards,
>
> Keith Roberts
A tarpit would be good on there... Answer the port and just trickle back the
handshake to keep the client waiting for a long time.


 
Old 08-10-2010, 11:12 PM
Bob Hoffman
 
Iptables questions

Forgive me if this does not go with the right topic, I am on digest and
responding to a topic sometimes makes it start a new one.

My reason for the iptables questions is to not follow the practice of
putting up a wall and ignoring hackers.
I want to be more proactive.

If I have set my SSH port to 55994 and am not using port 22, but hackers are
pounding on my port 22 looking for SSH, then I want to not only know about
it, I want to log them and prevent them access to my server and web
applications. At least temporarily.

I see now that many of the programs are log users and not real time. And
many like fail2ban actually add chains to iptables that I could do myself.
It looks like getting some books on netfilter may be the way to go.

I would rather stop stuff at the firewall than trust apache, php, sendmail,
vsftp, etc. I would rather use them as backup failsafes while I work on
hack-proofing the single point of entry.

I have a server sitting right on the net and the constant barrage of 100s of
IPs trying thousands of times at port 22 is insane.
I examine my logs and see so much in the way of DNS poison attacks,
ssh-mail-ftp, etc. attacks that I do not want to just sit back and
think I am fine because I have a firewall and CentOS will send me bug fixes.

That firewall seems like the 100% way of going at stopping and preventing
issues.
If an IP is doing something it should not be doing, most likely you do not
want it probing anything else either.


That's why I ask.

 
Old 08-10-2010, 11:42 PM
Whit Blauvelt
 
Iptables questions

On Tue, Aug 10, 2010 at 07:12:59PM -0400, Bob Hoffman wrote:

> I have a server sitting right on the net and the constant barrage of 100s of
> Ips trying thousands of times at port 22 is insane.

You're quite sane. Anyone likely to hit your ssh at its new port is likely
to try port 22 first. So if they show up there first, blocking them is good
- unless you have legitimate users who may forget to go to your special port
and so get locked out after trying the default port first.

There are several packages that integrate port scanning detection with
iptables rule generation. One such is here:

http://cipherdyne.org/psad/

- Whit
 
Old 08-11-2010, 12:26 AM
kalinix
 
Iptables questions

From the iptables manual:

recent
Allows you to dynamically create a list of IP addresses and then
match against that list in a few different ways.
For example, you can create a "badguy" list out of people
attempting to connect to port 139 on your firewall and then DROP all
future packets from them without considering them.

[...]

Steve’s ipt_recent website (http://snowman.net/projects/ipt_recent/)
also has some examples of usage.


I think that's what you were looking for.

--


Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857

=================================================
What's so funny?

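The recent-module rules for Bob's item 1, written out as an added example. This is not code from any poster in this thread or from the iptables manual; it assumes sshd really listens on 55994 (the port Bob named), that nothing listens on 22 (so, as Keith noted, iptables can still log and act on packets to the closed port), a one-day ban, and an optional ADMIN_NET that is never banned, which covers the "legitimate user who forgets the special port" case Whit raised. The list name sshban, the SSH-DECOY log prefix, the apply/list/unban subcommands and the 192.0.2.0/24 example network are my own choices.

```shell
#!/bin/sh
# Added example for this thread, not any poster's code: iptables "recent"
# rules for a decoy port 22 with the real sshd on another port.
# Assumptions: sshd on 55994, nothing on 22, ban window one day, ADMIN_NET
# (default: none) is a network that must never be banned.
# Set IPTABLES=echo to preview the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"
REAL_SSH_PORT="${REAL_SSH_PORT:-55994}"
DECOY_PORT="${DECOY_PORT:-22}"
BAN_SECONDS="${BAN_SECONDS:-86400}"   # 1 day, as asked in the thread
ADMIN_NET="${ADMIN_NET:-}"            # e.g. 192.0.2.0/24 (documentation range)
LIST=sshban                            # name of the kernel's recent list

# Every rule goes through one function so the whole set can be previewed.
rule() { "$IPTABLES" "$@"; }

# Append the decoy-port rules to INPUT. They belong before the server's
# general INPUT rules, otherwise an earlier ACCEPT would bypass the ban.
install_decoy_rules() {
    # 0. Management network is exempt from everything below.
    if [ -n "$ADMIN_NET" ]; then
        rule -A INPUT -s "$ADMIN_NET" -j ACCEPT
    fi
    # 1. Anything from a listed source is dropped on every port, not only 22.
    #    --update refreshes the entry's timestamp on each hit, so the ban runs
    #    one day past the *last* packet; use --rcheck for a fixed window.
    rule -A INPUT -m recent --name "$LIST" --update --seconds "$BAN_SECONDS" -j DROP
    # 2. A new SYN to the decoy port puts the source on the list (--set) and
    #    is logged; the limit match keeps a flood from filling the log while
    #    the listing itself is never rate limited, because --set runs first.
    #    Caveat: a bare SYN is enough, so a forged source address can get an
    #    innocent host listed; hence the ADMIN_NET exemption and unban below.
    rule -A INPUT -p tcp --syn --dport "$DECOY_PORT" -m recent --name "$LIST" --set \
         -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SSH-DECOY: "
    # 3. The decoy port itself stays closed; DROP rather than REJECT so the
    #    probe gets no answer at all.
    rule -A INPUT -p tcp --dport "$DECOY_PORT" -j DROP
    # 4. The real sshd port stays reachable for everyone not on the list.
    rule -A INPUT -p tcp --dport "$REAL_SSH_PORT" -j ACCEPT
}

# The kernel exposes the list (address, last seen, hit count) under /proc;
# the path moved from ipt_recent to xt_recent in 2.6.28-era kernels. The
# list holds 100 addresses by default (module parameter ip_list_tot) and
# recycles the oldest entry when full.
list_file() {
    for f in /proc/net/xt_recent/"$LIST" /proc/net/ipt_recent/"$LIST"; do
        if [ -e "$f" ]; then echo "$f"; return 0; fi
    done
    echo "list '$LIST' not present: rules not loaded yet" >&2
    return 1
}

show_ban_list() { cat "$(list_file)"; }

# Remove one address by hand (an admin who got listed by mistake):
# writing "-ADDRESS" to the proc file deletes that entry.
unban() { echo "-$1" > "$(list_file)"; }

# Run as: sh decoy.sh apply   (or IPTABLES=echo sh decoy.sh apply to preview)
case "${1:-}" in
    apply) install_decoy_rules ;;
    list)  show_ban_list ;;
    unban) unban "$2" ;;
esac
```

Preview the generated rules with `IPTABLES=echo sh decoy.sh apply` before loading them, and check the rule order against the existing INPUT chain: the ban rule only bites if it sits above the chain's general ACCEPTs. The log lines carry the SSH-DECOY prefix, so the same list can feed whatever log-driven tooling (fail2ban, a script) is already in place.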
 