LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-10-2009, 06:24 AM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Rep: Reputation: 30
getting iptables to pick up isp name


Is there a way for iptables to check the isp name in the connection?
 
Old 08-10-2009, 07:17 AM   #2
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
I think iptables can resolve only name which can be resolved by dns or /etc/hosts

Thanks
 
Old 08-10-2009, 07:28 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by qwertyjjj View Post
Is there a way for iptables to check the isp name in the connection?
What are you trying to accomplish?
 
Old 08-10-2009, 07:31 AM   #4
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn View Post
What are you trying to accomplish?
Since I cannot control the access to port 22 via a web interface, I have to permanently leave it open so I can connect via SSH. I am trying to restrict access to that port so that it can only be accessed from my computer.
My IP is dynamic because the ISP changes whenever a new broadband connection is made so I thought I could use the ISP name as an extra safeguard.
 
Old 08-10-2009, 08:10 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
What do you mean by an ISP name? How can your ISP change every time??? your IP might change... but your ISP? BT? Sky? O2? PlusNET?

iptables doesn't use DNS entries as it requires an external piece of information to make it's call on whether the line matches. This can be disastrous from the extra latency a reverse DNS lookup would add.

You can obtain lists of ISP client subnets to restrict it so that only an IP from a certain ISP can get in, but that's pretty shitty really, and there and many many much better solutions, like authenticating with a preshared key which you keep on the client PC or on a memory stick.

Also, systems like fail2ban will automatically block any client IP which appears to be trying to break into the system by brute force and the likes.
 
Old 08-10-2009, 08:13 AM   #6
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by acid_kewpie View Post
What do you mean by an ISP name? How can your ISP change every time??? your IP might change... but your ISP? BT? Sky? O2? PlusNET?

iptables doesn't use DNS entries as it requires an external piece of information to make it's call on whether the line matches. This can be disastrous from the extra latency a reverse DNS lookup would add.

You can obtain lists of ISP client subnets to restrict it so that only an IP from a certain ISP can get in, but that's pretty shitty really, and there and many many much better solutions, like authenticating with a preshared key which you keep on the client PC or on a memory stick.

Also, systems like fail2ban will automatically block any client IP which appears to be trying to break into the system by brute force and the likes.
ok.
I have 2 lines in my iptables file which restrict users to 8 login attempts per minute via SSH. That should be enough to stop brute force attacks. The port is left open though...
?
 
Old 08-10-2009, 08:18 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by qwertyjjj View Post
Since I cannot control the access to port 22 via a web interface, I have to permanently leave it open so I can connect via SSH.
With all due respect but please do not confuse using something wizard-like or anything like a webbased server management panel for having the required knowledge. I acknowledge it makes for a steep learning curve with half of the time spent reading documents, but it would be way better to learn how to admin a server properly from the commandline before using a panel because then you know what it can do (and cause) and how to fix fsck-ups properly. Did you read your distributions basic documentation? A generic tutorial like Rute?


Quote:
Originally Posted by qwertyjjj View Post
I am trying to restrict access to that port so that it can only be accessed from my computer. My IP is dynamic because the ISP changes whenever a new broadband connection is made so I thought I could use the ISP name as an extra safeguard.
Multiple things to do here. Make sure you 0) use an unprivileged user account to log in with over SSH (never root), 1) use SSH's public key authentication instead of a password, 2) setup your unprivileged user account to perform admin tasks using Sudo (or add it to the wheel group though Sudo is preferred), 3) disallow root login in /etc/ssh/sshd_config, 4) optionally allow your unprivileged user account to use SSH (see "AllowUsers" and "AllowGroups" directives in 'man sshd_config'), 5) set up iptables rules to allow SSH traffic from and to your ISP's IP range (might be a class B looking like "88.99.0.0/16") and 6) set up fail2ban.
 
Old 08-10-2009, 08:25 AM   #8
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Is this not enough?

Code:
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
-A INPUT -d IP.IP.IP.IP -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
 
Old 08-10-2009, 08:45 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by qwertyjjj View Post
Is this not enough?
No.


Quote:
Originally Posted by qwertyjjj View Post
Code:
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
This ruleset tells iptables to drop any new SSH connections (regardless of the source IP/range) when it meets certain conditions. While this would exempt your hypothetical ISP IP range "88.99.0.0/16" from subjecting it to the -m recent:
Code:
-A INPUT -i eth0 -p tcp --dport 22 -s ! 88.99.0.0/16 -m state --state NEW -m recent --set --name SSH
-A INPUT -i eth0 -p tcp --dport 22 -s ! 88.99.0.0/16 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
it leaves the machine vulnerable from your hypothetical ISP IP range "88.99.0.0/16". But because you implement multiple layers of security this mitigates the risk.


Quote:
Originally Posted by qwertyjjj View Post
Code:
-A INPUT -d IP.IP.IP.IP -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
This rule tells iptables to allow any new SSH connections if it matches the destination IP. You don't need destination matches unless you have to make certain traffic doesn't cross over between different interfaces.
 
Old 08-10-2009, 08:51 AM   #10
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn View Post
No.



This ruleset tells iptables to drop any new SSH connections (regardless of the source IP/range) when it meets certain conditions. While this would exempt your hypothetical ISP IP range "88.99.0.0/16" from subjecting it to the -m recent:
Code:
-A INPUT -i eth0 -p tcp --dport 22 -s ! 88.99.0.0/16 -m state --state NEW -m recent --set --name SSH
-A INPUT -i eth0 -p tcp --dport 22 -s ! 88.99.0.0/16 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
it leaves the machine vulnerable from your hypothetical ISP IP range "88.99.0.0/16". But because you implement multiple layers of security this mitigates the risk.



This rule tells iptables to allow any new SSH connections if it matches the destination IP. You don't need destination matches unless you have to make certain traffic doesn't cross over between different interfaces.
I have 2 IP addresses for my server.
1 I use for all the public stuff, squid, apache, etc.
The other I use for SSH and admin only.
Hence the exact IP destination on that IP only.

Does ruleset drop all new SSH connections or only limits it to 8 per minute. Any brute force attacker wouldn't bother if they could only attempt a login 8 times per minute?
However, I will have a look at fail2ban but I was worried about some users forgetting their proxy password and being permanently banned.

Is the /16 the range?
 
Old 08-10-2009, 09:23 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by qwertyjjj View Post
I have 2 IP addresses for my server.
1 I use for all the public stuff, squid, apache, etc.
The other I use for SSH and admin only.
Hence the exact IP destination on that IP only.
Thanks for clarifying. That teaches me to not forget to ask for that kind of information before anything else.


Quote:
Originally Posted by qwertyjjj View Post
Does ruleset drop all new SSH connections or only limits it to 8 per minute.
It tallies new connections per IP address and drops them if they reach the "--hitcount 8" threshold.


Quote:
Originally Posted by qwertyjjj View Post
Any brute force attacker wouldn't bother if they could only attempt a login 8 times per minute?
Best not base measures to take on assumptions.


Quote:
Originally Posted by qwertyjjj View Post
I will have a look at fail2ban but I was worried about some users forgetting their proxy password and being permanently banned.
Something is either on or off, and as such computing makes things easy: a condition exists or it doesn't, it either works or it doesn't. Wrt knowledge likewise: you have it or you don't. Luckily reading the fail2ban documentation will fix that.


Quote:
Originally Posted by qwertyjjj View Post
Is the /16 the range?
If you mean notation, yes, you can use "n.n.0.0/16"-type of notation in iptables.
 
Old 08-10-2009, 09:53 AM   #12
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn View Post
If you mean notation, yes, you can use "n.n.0.0/16"-type of notation in iptables.
So, how would you write the range of IP addresses?
For example 85.xx.xx.00 to 85.xx.xx.999
Someone told me on another post that the /32, ie part after the slash, was for 32 bit computers, etc.
 
Old 08-10-2009, 11:05 AM   #13
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529Reputation: 3529
Quote:
Originally Posted by qwertyjjj View Post
So, how would you write the range of IP addresses? For example 85.xx.xx.00 to 85.xx.xx.999 Someone told me on another post that the /32, ie part after the slash, was for 32 bit computers, etc.
No, 32 bit value as in four bytes meaning the IPv4 address length. Saying 85.86.00.00/16 leaves 0.0.255.255 configurable and so occupies 85.86.00.00 to 85.86.255.255: see the http://en.wikipedia.org/wiki/IPv4_subnetting_reference and the CIDR page for a way better explanation ;-p
 
Old 08-10-2009, 11:08 AM   #14
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974Reputation: 1974
Quote:
Originally Posted by qwertyjjj View Post
So, how would you write the range of IP addresses?
For example 85.xx.xx.00 to 85.xx.xx.999
Someone told me on another post that the /32, ie part after the slash, was for 32 bit computers, etc.
No, I said that /32 identified the machine itself, i.e. one single machine, as it defines a network with only a single IP address in it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
One Box ISP Solution To Run An ISP swamprat Linux - Software 1 05-08-2008 07:25 PM
IpTables Help - Hacked by ISP Peter_APIIT Linux - Security 13 06-28-2007 11:18 PM
Iptables deny ISP Peter_APIIT Linux - Security 1 06-20-2007 07:34 AM
Need help with Dual ISP load balancing with IPTables daemonik Linux - Networking 2 12-04-2006 12:54 PM
How to use the ISP nameservers in my IPtables script? piratebiter Linux - General 0 09-02-2003 05:25 PM


All times are GMT -5. The time now is 12:24 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration