12-02-2008, 09:30 PM
Celejar
 
How to stop an active network connection

On Tue, 2 Dec 2008 22:26:04 +0000 (UTC)
T o n g <mlist4suntong@yahoo.com> wrote:

> Hi,
>
> How can I stop an active network connection? e.g.,
>
> $ netstat
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address
> State
> tcp 0 0 192.168.0.100:ssh ip-72-55-146-217.:35911
> ESTABLISHED
>
> Because barbarians are pounding at my sshd gate again:

apt-cache show cutter ?

> Tong (remove underscore(s) to reply)

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
12-02-2008, 10:54 PM
Andrew Reid
 
How to stop an active network connection

On Tuesday 02 December 2008 17:26, T o n g wrote:
> Hi,
>
> How can I stop an active network connection? e.g.,
>
> $ netstat
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address
> State
> tcp 0 0 192.168.0.100:ssh ip-72-55-146-217.:35911
> ESTABLISHED
>
> Because barbarians are pounding at my sshd gate again:
>
> . . .
> Dec 2 16:41:37 helios sshd[9201]: Invalid user chad from 72.55.146.217
> Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): check pass; user
> unknown
> Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=ip-72-55-146-217.static.privatedns.com
> Dec 2 16:41:39 helios sshd[9201]: Failed password for invalid user chad
> from 72.55.146.217 port 42328 ssh2
> . . .
>
> I shut down my sshd daemon, but the network bandwidth did not drop. The
> active connection went away in the netstat output, which is wrong, and
> iftop was able to reveal the still-live connection.

I use a thing called "fail2ban", which will monitor log entries and
dynamically update your firewall to block IP addresses which are the
source of too many failures.

I set it up years ago, and don't recall the specifics, but it's
packaged for Debian, and I recall it being reasonably straightforward
to set up.

The way I have it set up, it will block particular users who
can't get their password right after three tries. I believe it
can also be set up to block particular IP addresses that try
multiple usernames, but I'm not 100% sure.

-- A.
--
Andrew Reid / reidac@bellatlantic.net


 
12-03-2008, 12:26 AM
Alex Samad
 
How to stop an active network connection

On Tue, Dec 02, 2008 at 05:30:01PM -0500, Celejar wrote:
> On Tue, 2 Dec 2008 22:26:04 +0000 (UTC)
> T o n g <mlist4suntong@yahoo.com> wrote:
>
> > Hi,
> >
> > How can I stop an active network connection? e.g.,
> >
> > $ netstat
> > Active Internet connections (w/o servers)
> > Proto Recv-Q Send-Q Local Address Foreign Address
> > State
> > tcp 0 0 192.168.0.100:ssh ip-72-55-146-217.:35911
> > ESTABLISHED
> >
> > Because barbarians are pounding at my sshd gate again:
>
> apt-cache show cutter ?

I think cutter only works on routers or machines in the middle of the
tcp conversation

I would suggest using tcpdump to see the traffic on eth0 with something
like

tcpdump -pni eth0 -c 100

then you could use iptables to block the connection with something like

iptables -I OUTPUT -d <destination ip> -j REJECT
iptables -I INPUT -s <destination ip> -j REJECT

you could/should add better select with -p and/or --dport or --sport

Alex

>
> > Tong (remove underscore(s) to reply)
>
> Celejar
> --
> mailmin.sourceforge.net - remote access via secure (OpenPGP) email
> ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
>
>

--
"If this were a dictatorship, it'd be a heck of a lot easier, just so long as I'm the dictator."

- George W. Bush
12/19/2000
Washington, DC
 
12-03-2008, 12:43 AM
Raj Kiran Grandhi
 
How to stop an active network connection

T o n g wrote:
> Hi,
>
> How can I stop an active network connection? e.g.,
>
> $ netstat
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address
> State
> tcp 0 0 192.168.0.100:ssh ip-72-55-146-217.:35911
> ESTABLISHED
>
> Because barbarians are pounding at my sshd gate again:
>
> . . .
> Dec 2 16:41:37 helios sshd[9201]: Invalid user chad from 72.55.146.217
> Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): check pass; user
> unknown
> Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=ip-72-55-146-217.static.privatedns.com
> Dec 2 16:41:39 helios sshd[9201]: Failed password for invalid user chad
> from 72.55.146.217 port 42328 ssh2
> . . .
>
> I shut down my sshd daemon, but the network bandwidth did not drop. The
> active connection went away in the netstat output, which is wrong, and
> iftop was able to reveal the still-live connection.

Just apt-get install denyhosts. It will update the /etc/hosts.deny
every time it detects an abusive client.

> Please help.
>
> thanks

--

If you can't explain it simply, you don't understand it well enough.
-- Albert Einstein


 
12-03-2008, 02:18 AM
Michael Iatrou
 
How to stop an active network connection

When the date was Wednesday 03 December 2008, T o n g wrote:

> Hi,
>
> How can I stop an active network connection? e.g.,

Using iptables(8) you can stop any kind of traffic manually or
automagically, using something like the following (assuming that you
normally accept ssh connections):

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 3600 --hitcount 4 -j DROP

--
Michael Iatrou (fnpk)


 
12-03-2008, 05:08 AM
Celejar
 
How to stop an active network connection

On Wed, 3 Dec 2008 12:26:49 +1100
Alex Samad <alex@samad.com.au> wrote:

> On Tue, Dec 02, 2008 at 05:30:01PM -0500, Celejar wrote:
> > On Tue, 2 Dec 2008 22:26:04 +0000 (UTC)
> > T o n g <mlist4suntong@yahoo.com> wrote:
> >
> > > Hi,
> > >
> > > How can I stop an active network connection? e.g.,

...

> > apt-cache show cutter ?
>
> I think cutter only works on routers or machines in the middle of the
> tcp conversation

You're right. However, I discovered that tcpkill (in the Debian dsniff
package) works fine, e.g.:

tcpkill -i eth0 dst somehost

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


 
