How do I blacklist an IP?

vischa · 03-29-2009, 06:56 AM

I have a server setup that is getting repeatedly hit by the same IP address it has tried accessing my vsftp and /drupal/cron.php. For security reason I have disabled vsftpd while I am not using it. The webserver on the other hand I need to leave running.

Code:

 --------------------- pam_unix Begin ------------------------ 

 vsftpd:
    Unknown Entries:
       check pass; user unknown: 2708 Time(s)
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=211.161.251.123 : 2282 Time(s)
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=adminitrator rhost=211.161.251.123 : 426 Time(s)
 
 
 ---------------------- pam_unix End -------------------------

I would like to be able to add the ip to a blacklist.
Additionally I would like to whitelist my own ip when I am working remotely, my remote location doesn't match my reverse dns and my server gives me an error at the end of the day that someone (myself) might be trying to break in.

Running Fedora Core 9 in case it matters.

JulianTosh · 03-29-2009, 07:54 AM

Can you post your current iptables configuration?

'iptables -L -n --line-numbers'

Does your remote address (white list) change?

lucianosousa · 03-30-2009, 12:28 PM

Quote:

Originally Posted by vischa

I have a server setup that is getting repeatedly hit by the same IP address it has tried accessing my vsftp and /drupal/cron.php. For security reason I have disabled vsftpd while I am not using it. The webserver on the other hand I need to leave running.

Code:

 --------------------- pam_unix Begin ------------------------ 

 vsftpd:
    Unknown Entries:
       check pass; user unknown: 2708 Time(s)
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=211.161.251.123 : 2282 Time(s)
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=adminitrator rhost=211.161.251.123 : 426 Time(s)
 
 
 ---------------------- pam_unix End -------------------------

I would like to be able to add the ip to a blacklist.
Additionally I would like to whitelist my own ip when I am working remotely, my remote location doesn't match my reverse dns and my server gives me an error at the end of the day that someone (myself) might be trying to break in.

Running Fedora Core 9 in case it matters.

you can deny access to /etc/hosts.deny and register for access to /etc/hosts.allow.

att: Luciano Sousa

vischa · 03-31-2009, 07:16 PM

I have implemented using the hosts.allow and hosts.deny files but here is my iptables

Code:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
9    BLACKLIST  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain BLACKLIST (1 references)
num  target     prot opt source               destination

JulianTosh · 04-01-2009, 11:07 PM

Just curious, have you confirmed that vsftp is linked to the tcpwrappers library? If it's not, then it's not going to reference the entries in host.allow/deny that you've set up.

Also, is there a specific reason you went with tcpwrappers for white/black listing this service as opposed to iptables? Again, just curious.