LinuxQuestions.org
Old 03-29-2009, 06:56 AM   #1
vischa
LQ Newbie
 
Registered: Nov 2008
Location: Colorado
Distribution: Fedora Core 9
Posts: 5

Rep: Reputation: 1
How do I blacklist an IP?


I have a server set up that is getting repeatedly hit by the same IP address; it has tried accessing my vsftp and /drupal/cron.php. For security reasons I have disabled vsftpd while I am not using it. The webserver, on the other hand, I need to leave running.

Code:
 --------------------- pam_unix Begin ------------------------ 

 vsftpd:
    Unknown Entries:
       check pass; user unknown: 2708 Time(s)
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=Administrator rhost=211.161.251.123 : 2282 Time(s)
       authentication failure; logname= uid=0 euid=0 tty=ftp ruser=adminitrator rhost=211.161.251.123 : 426 Time(s)
 
 
 ---------------------- pam_unix End -------------------------
I would like to be able to add the IP to a blacklist.
Additionally, I would like to whitelist my own IP when I am working remotely; my remote location doesn't match my reverse DNS, and my server gives me an error at the end of the day that someone (myself) might be trying to break in.

Running Fedora Core 9 in case it matters.
 
Old 03-29-2009, 07:54 AM   #2
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Can you post your current iptables configuration?

'iptables -L -n --line-numbers'

Does your remote address (white list) change?
 
Old 03-30-2009, 12:28 PM   #3
lucianosousa
LQ Newbie
 
Registered: Mar 2009
Distribution: Slackware
Posts: 3

Rep: Reputation: 0
You can deny access in /etc/hosts.deny and register for access in /etc/hosts.allow.

att: Luciano Sousa
 
Old 03-31-2009, 07:16 PM   #4
vischa
LQ Newbie
 
Registered: Nov 2008
Location: Colorado
Distribution: Fedora Core 9
Posts: 5

Original Poster
Rep: Reputation: 1
I have implemented this using the hosts.allow and hosts.deny files, but here is my iptables:
Code:
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
9    BLACKLIST  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain BLACKLIST (1 references)
num  target     prot opt source               destination
 
Old 04-01-2009, 11:07 PM   #5
JulianTosh
Member
 
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
Just curious, have you confirmed that vsftp is linked to the tcpwrappers library? If it's not, then it's not going to reference the entries in hosts.allow/deny that you've set up.

Also, is there a specific reason you went with tcpwrappers for white/black listing this service as opposed to iptables? Again, just curious.
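
Added example, not part of the original thread: in the listing from post #4 the jump to BLACKLIST is rule 9, and iptables stops at the first terminal rule that matches, so the script below checks which earlier rules already decide a new connection to port 80. It treats the listing literally; `shadowing_rules` and `reordered` are hypothetical helper names, and the `iptables` commands in the closing comment assume the rule numbers are unchanged since the listing was taken.

```shell
#!/bin/sh
# Added example: INPUT chain copied from post #4 (`iptables -L -n --line-numbers`),
# embedded as text so the check runs without root or a live firewall.
LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
9    BLACKLIST  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80'

# shadowing_rules CHAIN PORT  (listing on stdin; hypothetical helper name)
# Prints the numbers of terminal rules that come before the jump to CHAIN and
# already decide a NEW tcp packet to PORT, so the jump never sees that packet.
# Only the matches visible in the listing are evaluated.
shadowing_rules() {
    awk -v chain="$1" -v port="$2" '
        $2 == chain { hit = 1 }                           # reached the jump
        hit { next }                                      # later rules are irrelevant
        $2 !~ /^(ACCEPT|REJECT|DROP)$/ { next }           # headers, other jumps
        $3 != "all" && $3 != "tcp" { next }               # wrong protocol
        $5 != "0.0.0.0/0" || $6 != "0.0.0.0/0" { next }   # address-specific: skipped
        {
            rest = ""
            for (i = 7; i <= NF; i++) rest = rest " " $i
            if (rest ~ /state / && rest !~ /NEW/) next    # excludes NEW packets
            if (rest ~ /dpt:/ && rest !~ ("dpt:" port "( |$)")) next
            printf "%s%s", sep, $1; sep = " "
        }
        END { print "" }'
}

# Same rules with the BLACKLIST jump moved to the top of the chain.
reordered() {
    printf '%s\n' "$LISTING" | grep ' BLACKLIST '
    printf '%s\n' "$LISTING" | grep -v ' BLACKLIST '
}

echo "as posted: shadowed by rules $(printf '%s\n' "$LISTING" | shadowing_rules BLACKLIST 80)"
echo "reordered: shadowed by rules $(reordered | shadowing_rules BLACKLIST 80)"

# Equivalent change on the live firewall (run as root):
#   iptables -D INPUT 9
#   iptables -I INPUT 1 -j BLACKLIST
#   iptables -A BLACKLIST -s 211.161.251.123 -j DROP
```

`iptables -L -n` without `-v` hides interface matches, so rule 3 may be narrower than it looks; `iptables -L -n -v` shows the in/out interface columns.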
 