[Techtalk] How to block ports

Erin Kolp erinlea80 at gmail.com
Sat May 17 15:42:47 UTC 2008


On the subject of IPTables and all that good stuff.. :)

You may want to look into Fail2Ban -- A set of Python scripts that
constantly checks log files for failed authentications on
ports/services you define. When a number of failed attempts is reached,
Fail2Ban automatically blocks the remote host using IPTABLES and
emails you a brief summary.

http://www.fail2ban.org/wiki/index.php/Main_Page

I've been using it for a couple of months and have had no issues with  
it. See below for one of the ftp ban reports.

Hope this helps! :)

-Erin



----- snip! ------

Hi,

The IP 124.42.35.196 has just been banned by Fail2Ban after
5 attempts against VSFTPD.


Here are more information about 124.42.35.196:

[Querying whois.arin.net]
[whois.arin.net]

OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC
Address:    PO Box 2131
City:       Milton
StateProv:  QLD
PostalCode: 4064
Country:    AU

ReferralServer: whois://whois.apnic.net

NetRange:   124.0.0.0 - 124.255.255.255
CIDR:       124.0.0.0/8
NetName:    APNIC-124
NetHandle:  NET-124-0-0-0-1
Parent:
NetType:    Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
Comment:    This IP address range is not registered in the ARIN database.
Comment:    For details, refer to the APNIC Whois Database via
Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:    for the Asia Pacific region. APNIC does not operate networks
Comment:    using this IP address range and is not able to investigate
Comment:    spam or abuse reports relating to these addresses. For more
Comment:    help, refer to http://www.apnic.net/info/faq/abuse
RegDate:    2005-01-27
Updated:    2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3188
OrgTechEmail:  search-apnic-not-arin at apnic.net

# ARIN WHOIS database, last updated 2008-05-14 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Regards,

Fail2Ban






On May 17, 2008, at 11:05 AM, Vonda wrote:
>
>
> kp wrote:
>> For ip tables check this link
>> http://www.justlinux.com/nhf/Security/IPtables_Basics.html
>>
>> if you want to allow particular ip addresses, you can edit
>> /etc/hosts.allow and /etc/hosts.deny files.
>>
>>
>> kp
>>
>>
>
>
> Thanks for that useful link.  I got two-thirds through it before my head
> started to hurt - a new record, I think.  Far enough that it looks like
> I'll be able to deny, er, drop, all those 202 addresses, plus the one on my
> own lan that firestarter says keeps trying to sneak on.
>
>
> I'm using hostdeny/allow in paranoid mode, with just my two other
> networked office machines allowed access, but I understand iptables is
> more effective.  I'm -really-  paranoid.
>
>
> Definitely going to have to hunt up that networking cookbook, though.
> I'd really like to know who on our lan keeps trying to sneak onto my
> office linux computer.
>
>
> Vonda
>
>
>> Carla Schroder wrote:
>>
>>> On Friday 16 May 2008 2:29:07 pm Vonda wrote:
>>>
>>>
>>>> Hello, Carla,
>>>>
>>>>
>>>> Ruh-roh - now my ego hurts.   That looks just like my netstat output
>>>> (not actual addresses).  Good catch!
>>>>
>>>>
>>>> Vonda
>>>>
>>>>
>>> Heh, no worries. It's always better to ask, it's not like we're born
>>> knowing this guff.
>>>
>>> On a bit of a tangent, but perhaps still useful, man iptables is totally
>>> unhelpful for learning iptables. Even so, iptables basics aren't that
>>> hard to figure out, if you ever decide you want to dig into it. The key
>>> is ignoring the whizbang gurus who like to spend their days writing
>>> overcomplicated rules for every last little thing, and just concentrate
>>> on the fundamentals. Oskar Andreasson's tutorial is good
>>> http://iptables-tutorial.frozentux.net/
>>>
>>> And of course I modestly recommend my own Linux Networking Cookbook,
>>> which has a fabulous chapter devoted to iptables firewalls.
>>>
>>> For simple needs, Firestarter is great. It's what I recommend for folks
>>> who want something basic and easy, and works right.
>>>
>>> Carla
>>>
>>>
>>>
>>
>> _______________________________________________
>> Techtalk mailing list
>> Techtalk at linuxchix.org
>> http://mailman.linuxchix.org/mailman/listinfo/techtalk
>>
>>
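
The log-watching behaviour described at the top of this message (count failed logins per remote host, then block the host with iptables once a limit is reached), as an added example; it is not Fail2Ban's own code and not part of the original post. The log lines are constructed in vsftpd's log style, `max_retry` and `find_time` are illustrative parameters for the retry limit and the time window in seconds, and the firewall command is only built, never run.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed vsftpd-style log lines (not taken from the poster's server).
SAMPLE_LOG = """\
Sat May 17 15:40:01 2008 [pid 2101] [admin] FAIL LOGIN: Client "124.42.35.196"
Sat May 17 15:40:03 2008 [pid 2102] [root] FAIL LOGIN: Client "124.42.35.196"
Sat May 17 15:40:04 2008 [pid 2103] [vonda] FAIL LOGIN: Client "192.0.2.10"
Sat May 17 15:40:06 2008 [pid 2104] [test] FAIL LOGIN: Client "124.42.35.196"
Sat May 17 15:40:09 2008 [pid 2105] [vonda] OK LOGIN: Client "192.0.2.10"
Sat May 17 15:40:11 2008 [pid 2106] [ftp] FAIL LOGIN: Client "124.42.35.196"
Sat May 17 15:40:14 2008 [pid 2107] [www] FAIL LOGIN: Client "124.42.35.196"
Sat May 17 15:40:15 2008 [pid 2108] [x] FAIL LOGIN: Client "not-an-address"
"""

FAIL_RE = re.compile(r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
                     r'\[[^\]]*\] FAIL LOGIN: Client "(?P<host>[^"]*)"$')

def find_bans(log_text, max_retry=5, find_time=600):
    """Return hosts with max_retry failures inside find_time seconds, in ban order."""
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    banned = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines
        try:
            host = str(ipaddress.ip_address(m.group("host")))
        except ValueError:
            continue              # log text is untrusted: only valid IPs go further
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry and host not in banned:
            banned.append(host)
    return banned

def ban_command(host):
    """argv list for a DROP rule on the INPUT chain; returned, not executed."""
    return ["iptables", "-I", "INPUT", "-s", host, "-j", "DROP"]

if __name__ == "__main__":
    for host in find_bans(SAMPLE_LOG):
        print(" ".join(ban_command(host)))
```

With the sample input only the host that failed five times inside the window is selected; shrinking the window or raising the limit yields no ban.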


