09-26-2011, 11:45 AM
Jennifer Botten

Hacking Issue

-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf
Of Jorge Fábregas
Sent: 26 September 2011 01:09 PM
To: centos@centos.org
Subject: Re: [CentOS] Hacking Issue

On 09/26/2011 07:02 AM, Jennifer Botten wrote:
> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP

This needs to be:

-A OUTPUT -i eth0 -d 209.61.231.42 -p udp -j DROP

...if you want to drop packets initiated from your system to that
ip...which doesn't make any sense if you're dropping all the incoming
connections from that ip.

On why you are still getting packets from that ip... perhaps there's
also TCP traffic? If you want to completely drop packets from that ip,
simply remove the protocol argument like this:

-A INPUT -i eth0 -s 209.61.231.42 -j DROP

HTH,
Jorge
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Hi Jorge,

I am blocking UDP and TCP from that IP. I also have an OUTPUT rule; however,
mine has -o eth0, as -i eth0 does not work.

Regards
Jennifer

 
09-26-2011, 12:00 PM
Jorge Fábregas

Hacking Issue

On 09/26/2011 07:45 AM, Jennifer Botten wrote:
> I am blocking UDP and TCP from that IP. I also have an OUTPUT rule however
> mine has the -o eth0 as the -i eth0 does not work.

Yes, I had it wrong. For the OUTPUT chain you use the -o ethX. Perhaps
you have an ALLOW rule for udp or some other criteria BEFORE the actual
DROP? How do you determine that it is not working?

Also, please follow the common rules when posting:

1) don't use HTML
2) quote properly (look at how I am replying)

Regards,
Jorge
 
09-26-2011, 02:14 PM
Keith Roberts

Hacking Issue

On Mon, 26 Sep 2011, Jennifer Botten wrote:

> To: centos@centos.org
> From: Jennifer Botten <jennifer@etech.co.za>
> Subject: [CentOS] Hacking Issue
>
> Hi,
>
>
>
> I am having an issue with someone accessing our server via a SIP/VOIP
> connection. I have changed my iptables rules to drop all UDP traffic from
> and to this IP address, but this traffic seems to still run through my
> server. These are the iptables rules that I currently have on the server.
>
> -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
>
> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP

You might find it helps to analyse this traffic with a
network analyser, like Wireshark. That would allow you to
see in almost real time what is happening on the line.

Kind Regards,

Keith Roberts

-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
 
09-26-2011, 02:31 PM
Micky L Martin

Hacking Issue

I would use '-I' instead of '-A' if it's a case of blocking an intruder.
You can use tcpdump and 'ss -l' as well.
Check out the application logs, try to see what the *intruder* is up to!




On Mon, Sep 26, 2011 at 7:14 AM, Keith Roberts <keith@karsites.net> wrote:

> On Mon, 26 Sep 2011, Jennifer Botten wrote:
>
>> To: centos@centos.org
>> From: Jennifer Botten <jennifer@etech.co.za>
>> Subject: [CentOS] Hacking Issue
>>
>> Hi,
>>
>> I am having an issue with someone accessing our server via a SIP/VOIP
>> connection. I have changed my iptables rules to drop all UDP traffic from
>> and to this IP address, but this traffic seems to still run through my
>> server. These are the iptables rules that I currently have on the server.
>>
>> -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
>>
>> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
>
> You might find it helps to analyse this traffic with a
> network analyser, like Wireshark. That would allow you to
> see in almost real time what is happening on the line.
>
> Kind Regards,
>
> Keith Roberts
>
> -----------------------------------------------------------------
> Websites:
> http://www.karsites.net
> http://www.php-debuggers.net
> http://www.raised-from-the-dead.org.uk
>
> All email addresses are challenge-response protected with
> TMDA [http://tmda.net]
> -----------------------------------------------------------------
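Jorge asks whether an ALLOW rule sits in front of the DROP and how Jennifer knows the rule is not working; Micky suggests inserting with -I rather than appending with -A. The script below is an added example (not code from the thread or from any poster) that makes that check concrete: it reads `iptables -S INPUT` output and reports whether the first DROP for a given address is preceded by an ACCEPT that could match the same packets. The sample chain is constructed, modelled on a stock CentOS firewall whose first INPUT rule is the ESTABLISHED,RELATED accept (which also matches UDP flows conntrack has already seen); the shadow test is a deliberate simplification that ignores -p, -i and other match options. `block_ip_first` wraps the -I form and is defined but not run, since it needs root and a live netfilter.

```shell
#!/bin/sh
# Added example, not from the thread. A DROP appended with -A lands after any
# ACCEPT already in the chain; on a stock CentOS firewall the first INPUT rule
# is "-m state --state ESTABLISHED,RELATED -j ACCEPT", which also matches UDP
# flows that conntrack has already seen.
#
# Real commands to look at rule order and per-rule packet counters:
#   iptables -L INPUT -v -n --line-numbers
#   iptables -S INPUT
# To put a block in front of everything else (the -I suggestion):
#   iptables -I INPUT 1 -s 209.61.231.42 -j DROP
# To confirm packets are still arriving on the wire (the tcpdump suggestion):
#   tcpdump -ni eth0 host 209.61.231.42

# find_shadowed_drop IP: reads `iptables -S INPUT` output on stdin and reports
# whether the first DROP for IP is preceded by an ACCEPT that could match the
# same packets. Simplification (assumption of this example): an ACCEPT with no
# -s restriction, or with -s IP, counts as a possible shadow; -p, -i and other
# match options are ignored.
find_shadowed_drop() {
  awk -v ip="$1" '
    /^-A INPUT/ {
      n++                                    # position in the chain
      src = ""
      for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
      sub(/\/32$/, "", src)                  # iptables -S prints 1.2.3.4/32
      if (!drop && src == ip && index($0, " -j DROP")) drop = n
      if (!drop && !shadow && (src == "" || src == ip) && index($0, " -j ACCEPT")) shadow = n
    }
    END {
      if (!drop)        print "no DROP rule for " ip " in INPUT"
      else if (shadow)  print "DROP at rule " drop " is possibly shadowed by ACCEPT at rule " shadow
      else              print "DROP at rule " drop " is not shadowed"
    }'
}

# block_ip_first IP: the -I form from the thread, wrapped for reuse.
# Not called below (needs root and a real netfilter).
block_ip_first() {
  iptables -I INPUT 1 -s "$1" -j DROP
}

# Constructed sample of `iptables -S INPUT` on a CentOS-style firewall where
# the DROP was appended with -A (not real output from the poster's host).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -s 209.61.231.42/32 -p udp -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Same chain after `iptables -I INPUT 1 -s 209.61.231.42 -j DROP` (constructed).
FIXED_RULES='-P INPUT ACCEPT
-A INPUT -s 209.61.231.42/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | find_shadowed_drop 209.61.231.42
printf '%s\n' "$FIXED_RULES" | find_shadowed_drop 209.61.231.42
```

On the real host, `iptables -L INPUT -v -n --line-numbers` answers Jorge's "how do you determine it is not working" directly: if the pkts counter on the DROP line stays at zero while counters on earlier ACCEPT lines climb, the traffic is being accepted before it ever reaches the DROP.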
 
09-26-2011, 04:06 PM
Theo Band

Hacking Issue

On 09/26/2011 01:02 PM, Jennifer Botten wrote:
>
> Hi,
>
>
>
> I am having an issue with someone accessing our server via a SIP/VOIP
> connection. I have changed my iptables rules to drop all UDP traffic
> from and to this IP address, but this traffic seems to still run
> through my server. These are the iptables rules that I currently have on
> the server.
>
> -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
>
> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
>
>
If your SIP server needs to be accessed from any IP address, consider
using fail2ban. It is easy to set up and will block access to your SIP
server after so many false attempts.
I started using fail2ban to keep the Asterisk logs from being cluttered
with failed logons.

Theo
 
09-26-2011, 05:10 PM
m.roth@5-cent.us

Hacking Issue

Theo Band wrote:
> On 09/26/2011 01:02 PM, Jennifer Botten wrote:
>>
>> I am having an issue with someone accessing our server via a SIP/VOIP
>> connection. I have changed my iptables rules to drop all UDP traffic
>> from and to this IP address, but this traffic seems to still run
>> through my server. These are the iptables rules that I currently have on
>> the server.
>>
>> -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
>>
>> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
>>
>>
> If your SIP server needs to be accessed from any IP address, consider
> using fail2ban. It is easy to set up and will block access to your SIP
> server after so many false attempts.
> I started using fail2ban to keep the Asterisk logs from being cluttered
> with failed logons.

Let me chime in: *yes* to fail2ban. We use it here at work, and it works,
and is very good. Not too hard to configure for basic usage, either, but
very extensible.

mark

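Theo and mark both recommend fail2ban for the SIP server. The script below is an added example (not from the thread and not fail2ban's own code) that does by hand what a fail2ban jail does for Asterisk: it counts failed SIP registrations per source address in chan_sip log lines and reports the sources that reach maxretry. The log lines are constructed with documentation-range addresses, and the jail.local fragment in the comments assumes a fail2ban release that ships a filter named `asterisk`; older releases need a custom filter, so check `filter.d/` before copying it.

```shell
#!/bin/sh
# Added example, not from the thread or the fail2ban project. Equivalent of
# an Asterisk fail2ban jail, done with awk so the thresholding is visible.
# A jail.local for the real thing looks like this (filter name "asterisk"
# assumes a fail2ban version that ships filter.d/asterisk.conf; older
# releases need a custom filter):
#
#   [asterisk]
#   enabled  = true
#   filter   = asterisk
#   logpath  = /var/log/asterisk/messages
#   maxretry = 5
#   bantime  = 3600

# count_sip_failures MAXRETRY: Asterisk log lines on stdin; prints
# "IP COUNT" for every source with COUNT >= MAXRETRY, sorted by IP.
# Handles both "failed for 'IP'" and "failed for 'IP:PORT'" forms.
count_sip_failures() {
  awk -v maxretry="$1" -v q="'" '
    index($0, "failed for " q) {
      rest = substr($0, index($0, "failed for " q) + length("failed for " q))
      ip = substr(rest, 1, index(rest, q) - 1)   # up to the closing quote
      sub(/:[0-9]+$/, "", ip)                    # strip optional :port
      fails[ip]++
    }
    END {
      for (ip in fails) if (fails[ip] >= maxretry) print ip, fails[ip]
    }' | sort
}

# Constructed Asterisk chan_sip log lines (documentation-range IPs, not
# from the poster's server). One VERBOSE line is included to show that
# only failure lines are counted.
SAMPLE_LOG="[2011-09-26 12:00:01] NOTICE[2511] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2011-09-26 12:00:02] NOTICE[2511] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2011-09-26 12:00:03] NOTICE[2511] chan_sip.c: Registration from '\"200\" <sip:200@203.0.113.5>' failed for '203.0.113.9:5060' - No matching peer found
[2011-09-26 12:00:04] NOTICE[2511] chan_sip.c: Registration from '\"101\" <sip:101@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[2011-09-26 12:00:05] VERBOSE[2511] chan_sip.c: Registered SIP '101' at 203.0.113.20:5060
[2011-09-26 12:00:06] NOTICE[2511] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2011-09-26 12:00:07] NOTICE[2511] chan_sip.c: Registration from '\"100\" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2011-09-26 12:00:08] NOTICE[2511] chan_sip.c: Registration from '\"200\" <sip:200@203.0.113.5>' failed for '203.0.113.9:5060' - Wrong password"

# With maxretry=5 only 198.51.100.7 crosses the threshold.
printf '%s\n' "$SAMPLE_LOG" | count_sip_failures 5
```

The same counting is what fail2ban's filter regex and `maxretry` do continuously; the difference in production is that the jail also removes the block after `bantime`, which keeps a mistyped password on a legitimate phone from locking that site out permanently.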
 
09-27-2011, 12:11 PM
Micky L Martin

Hacking Issue

On Mon, Sep 26, 2011 at 10:10 AM, <m.roth@5-cent.us> wrote:

> Theo Band wrote:
> > On 09/26/2011 01:02 PM, Jennifer Botten wrote:
> >>
> >> I am having an issue with someone accessing our server via a SIP/VOIP
> >> connection. I have changed my iptables rules to drop all UDP traffic
> >> from and to this IP address, but this traffic seems to still run
> >> through my server. These are the iptables rules that I currently have on
> >> the server.
> >>
> >> -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
> >>
> >> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
> >>
> >>
> > If your SIP server needs to be accessed from any IP address, consider
> > using fail2ban. It is easy to set up and will block access to your SIP
> > server after so many false attempts.
> > I started using fail2ban to keep the Asterisk logs from being cluttered
> > with failed logons.
>
> Let me chime in: *yes* to fail2ban. We use it here at work, and it works,
> and is very good. Not too hard to configure for basic usage, either, but
> very extensible.
>
> mark
>
>

I use CSF and LFD. Like every other firewall, the backend is always iptables,
but CSF is so powerful and has a lot of irreplaceable power and
functionality.
It can be a bit difficult to configure the first time, but once you
do, you will never look back.

-Micky.