[Techtalk] How to block ports
Erin Kolp
erinlea80 at gmail.com
Sat May 17 15:42:47 UTC 2008
On the subject of IPTables and all that good stuff.. :)
You may want to look into Fail2Ban -- A set of Python scripts that
constantly checks log files for failed authentications on
ports/services you define. When a number of failed attempts is reached,
Fail2Ban automatically blocks the remote host using IPTABLES and
emails you a brief summary.
http://www.fail2ban.org/wiki/index.php/Main_Page
I've been using it for a couple of months and have had no issues with
it. See below for one of the ftp ban reports.
Hope this helps! :)
-Erin
----- snip! ------
Hi,
The IP 124.42.35.196 has just been banned by Fail2Ban after
5 attempts against VSFTPD.
Here are more information about 124.42.35.196:
[Querying whois.arin.net]
[whois.arin.net]
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 124.0.0.0 - 124.255.255.255
CIDR: 124.0.0.0/8
NetName: APNIC-124
NetHandle: NET-124-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
Comment: This IP address range is not registered in the ARIN
database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2005-01-27
Updated: 2005-05-20
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: search-apnic-not-arin at apnic.net
# ARIN WHOIS database, last updated 2008-05-14 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Regards,
Fail2Ban
On May 17, 2008, at 11:05 AM, Vonda wrote:
>
>
> kp wrote:
>> For ip tables check this link
>> http://www.justlinux.com/nhf/Security/IPtables_Basics.html
>>
>> if you want to allow particular ip addresses, you can edit
>> /etc/hosts.allow and /etc/hosts.deny files.
>>
>>
>> kp
>>
>>
>
>
> Thanks for that useful link. I got two-thirds through it before my head
> started to hurt - a new record, I think. Far enough that it looks like
> I'll be able to deny, er, drop, all those 202 addresses, plus the one on my
> own lan that firestarter says keeps trying to sneak on.
>
>
> I'm using hostdeny/allow in paranoid mode, with just my two other
> networked office machines allowed access, but I understand iptables is
> more effective. I'm -really- paranoid.
>
>
> Definitely going to have to hunt up that networking cookbook, though.
> I'd really like to know who on our lan keeps trying to sneak onto my
> office linux computer.
>
>
> Vonda
>
>
>> Carla Schroder wrote:
>>
>>> On Friday 16 May 2008 2:29:07 pm Vonda wrote:
>>>
>>>
>>>> Hello, Carla,
>>>>
>>>>
>>>> Ruh-roh - now my ego hurts. That looks just like my netstat output
>>>> (not actual addresses). Good catch!
>>>>
>>>>
>>>> Vonda
>>>>
>>>>
>>> Heh, no worries. It's always better to ask, it's not like we're born knowing
>>> this guff.
>>>
>>> On a bit of a tangent, but perhaps still useful, man iptables is totally
>>> unhelpful for learning iptables. Even so, iptables basics aren't that hard to
>>> figure out, if you ever decide you want to dig into it. The key is ignoring
>>> the whizbang gurus who like to spend their days writing overcomplicated rules
>>> for every last little thing, and just concentrate on the fundamentals. Oskar
>>> Andreasson's tutorial is good
>>> http://iptables-tutorial.frozentux.net/
>>>
>>> And of course I modestly recommend my own Linux Networking Cookbook, which has
>>> a fabulous chapter devoted to iptables firewalls.
>>>
>>> For simple needs, Firestarter is great. It's what I recommend for folks who
>>> want something basic and easy, and works right.
>>>
>>> Carla
>>>
>>>
>>>
>>
>> _______________________________________________
>> Techtalk mailing list
>> Techtalk at linuxchix.org
>> http://mailman.linuxchix.org/mailman/listinfo/techtalk
>>
>>
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk
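
The mechanism described at the top of this message (watch a log for failed logins, block the host once a threshold is reached), sketched as an added example; it is not Fail2Ban's own code and not part of the original message. The log lines are constructed in vsftpd.log style with documentation-range addresses, the threshold of 5 matches the ban report above, and the 10-minute window and the plain INPUT-chain DROP rule are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in vsftpd.log style (documentation-range IPs).
SAMPLE_LOG = """\
Sat May 17 15:40:01 2008 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.7"
Sat May 17 15:40:03 2008 [pid 4102] [root] FAIL LOGIN: Client "203.0.113.7"
Sat May 17 15:40:05 2008 [pid 4103] [erin] OK LOGIN: Client "198.51.100.20"
Sat May 17 15:40:06 2008 [pid 4104] [test] FAIL LOGIN: Client "203.0.113.7"
Sat May 17 15:40:09 2008 [pid 4105] [ftp] FAIL LOGIN: Client "203.0.113.7"
Sat May 17 15:41:00 2008 [pid 4106] [erin] FAIL LOGIN: Client "198.51.100.20"
Sat May 17 15:41:12 2008 [pid 4107] [guest] FAIL LOGIN: Client "203.0.113.7"
Sat May 17 15:41:15 2008 [pid 4108] [guest] FAIL LOGIN: Client "203.0.113.7"
"""

FAIL_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[[^\]]*\] FAIL LOGIN: Client "(?P<ip>[\d.]+)"$')

def find_bans(log_text, max_retry=5, find_time=timedelta(minutes=10)):
    """Return [(ip, time_of_ban)] for hosts reaching max_retry failures
    inside a sliding find_time window. Each host is reported once."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned, bans = set(), []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:   # drop failures outside the window
            window.popleft()
        if len(window) >= max_retry:
            banned.add(m["ip"])
            bans.append((m["ip"], ts))
    return bans

def iptables_rule(ip):
    """Render (not execute) a DROP rule for the banned host."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG):
        print(when.isoformat(), " ".join(iptables_rule(ip)))
```

A single mistyped password from 198.51.100.20 does not trigger a ban, and shrinking the window makes slow, spread-out attempts fall below the threshold, which is the trade-off to keep in mind when tuning these two values.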