LinuxQuestions.org
Old 10-09-2012, 08:04 AM   #1
deathsfriend99
Member
 
Registered: Nov 2007
Distribution: CentOS 6
Posts: 164

Block IPs from vsftp


I keep getting brute force attacks from China on my vsftp. They are not going to be successful, but I can't figure out how to just block them. I've added the IP range to hosts.deny and iptables, but I must have done it wrong. I'd like to block all IPs that start with 61.147.

Any advice?

iptables:
Code:
# Simple Firewall configuration
# 
# Set default policies --------
*filter
:FORWARD DROP [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback --------------------
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
# Accept established connections
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
# For FTP server
-A INPUT -p tcp -m state -s 0/0 -d 0/0 -i eth0 --dport 20 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 0/0 -d 0/0 -i eth0 --dport 21 --state NEW -j ACCEPT
# PASSIVE DATA CHANNEL
-A INPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT 
#F China!
-A INPUT -p tcp -s 61.147.0.0/20  -j DROP
# Disallow fragmented packets
-A INPUT -i eth0 -f -j DROP
# Log & Block broadcast packets
-A INPUT -d 255.255.255.255/0.0.0.255 -j LOG
-A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
# Log & Block multicast packets
-A INPUT -d 224.0.0.1 -j LOG
-A INPUT -d 224.0.0.1 -j DROP
# Log and drop all other incoming packets
-A INPUT -j LOG
-A INPUT -j DROP
COMMIT

hosts.deny:
Code:
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Version:      @(#)/etc/hosts.deny     1.00    05/28/93
#
# Author:       Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
#
#
ALL:ALL
# F China!
ALL: 61.147.
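
As an added illustration (example code written for this thread, not from either poster), the following Python simulates netfilter's first-match evaluation over a constructed excerpt of the INPUT chain above. It shows that a new connection to port 21 from a 61.147.x.x address is accepted by the port-21 rule before the DROP rule is ever reached, while the same source hitting a port without an earlier ACCEPT does get dropped, and that hoisting the DROP above the FTP rules changes the verdict. The chain excerpt, the packet descriptions and the `hoist_rule` helper are assumptions for the demonstration; the matcher handles only the options that appear in the posted rules.

```python
import ipaddress
import shlex

# Constructed excerpt of the INPUT chain from the question, in the order
# iptables-restore loads it (comments and the OUTPUT rule omitted).
OP_RULES = """
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
-A INPUT -m state -i eth0 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state -s 0/0 -d 0/0 -i eth0 --dport 20 --state NEW -j ACCEPT
-A INPUT -p tcp -m state -s 0/0 -d 0/0 -i eth0 --dport 21 --state NEW -j ACCEPT
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 61.147.0.0/20 -j DROP
-A INPUT -i eth0 -f -j DROP
-A INPUT -j LOG
-A INPUT -j DROP
"""

# Constructed packet: a fresh connection attempt to the FTP control port
# from an address inside the prefix the question wants blocked.
CN_FTP_SYN = {"iface": "eth0", "proto": "tcp", "src": "61.147.3.4",
              "dst": "192.0.2.10", "sport": 40000, "dport": 21,
              "state": "NEW", "fragment": False}

VALUE_OPTS = ("-A", "-m", "-p", "-s", "-d", "-i", "--dport", "--sport", "--state", "-j")


def _net(text):
    """iptables accepts '0/0' for any address; the ipaddress module does not."""
    if text == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text, strict=False)


def _port_match(spec, port):
    """Port specs may be 'N', 'N:', ':M' or 'N:M'."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to {option: value} plus the raw text."""
    toks = shlex.split(line)
    rule = {"raw": line.strip()}
    i = 0
    while i < len(toks):
        if toks[i] in VALUE_OPTS:
            rule[toks[i]] = toks[i + 1]
            i += 2
        elif toks[i] == "-f":
            rule["-f"] = True
            i += 1
        else:
            i += 1
    return rule


def rule_matches(rule, pkt):
    """Every match present must hold; options absent from the rule are wildcards."""
    checks = (
        ("-i", lambda v: v == pkt["iface"]),
        ("-p", lambda v: v == pkt["proto"]),
        ("-s", lambda v: ipaddress.ip_address(pkt["src"]) in _net(v)),
        ("-d", lambda v: ipaddress.ip_address(pkt["dst"]) in _net(v)),
        ("--dport", lambda v: _port_match(v, pkt["dport"])),
        ("--sport", lambda v: _port_match(v, pkt["sport"])),
        ("--state", lambda v: pkt["state"] in v.split(",")),
        ("-f", lambda v: pkt["fragment"]),
    )
    return all(check(rule[opt]) for opt, check in checks if opt in rule)


def first_match(rules_text, pkt, chain="INPUT"):
    """Walk the chain top to bottom like netfilter and return
    (1-based rule number, target, rule text) of the first terminating hit.
    LOG does not terminate, so the walk continues past it."""
    rules = [parse_rule(l) for l in rules_text.splitlines()
             if l.strip().startswith(f"-A {chain} ")]
    for number, rule in enumerate(rules, start=1):
        if rule_matches(rule, pkt) and rule.get("-j") != "LOG":
            return number, rule["-j"], rule["raw"]
    return None, "POLICY", ""


def hoist_rule(rules_text, needle, after=1):
    """Move the rule containing `needle` so it sits right after rule `after`
    (default: directly after the loopback accept)."""
    lines = [l for l in rules_text.splitlines() if l.strip()]
    moved = [l for l in lines if needle in l]
    rest = [l for l in lines if needle not in l]
    return "\n".join(rest[:after] + moved + rest[after:])


if __name__ == "__main__":
    for label, rules in (("as posted", OP_RULES),
                         ("DROP hoisted", hoist_rule(OP_RULES, "61.147.0.0/20"))):
        number, target, raw = first_match(rules, CN_FTP_SYN)
        print(f"{label}: rule {number} {target}: {raw}")
```

Run as a script it prints the verdict for the FTP SYN under both orderings. Note that even after hoisting, a source such as 61.147.20.1 still reaches the port-21 ACCEPT because it lies outside 61.147.0.0/20, which is why the prefix length matters as much as the rule position.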
 
Old 10-09-2012, 08:32 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,286
Blog Entries: 54

It's beyond what gets parsed for FTP traffic in your filter table.
Since you want a permanent block I'd move it up in the table order:
Code:
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 61.147.0.0/16 -j NOTRACK
-A PREROUTING -s 61.147.0.0/16 -j DROP
COMMIT
*filter
:FORWARD DROP [0:0]
Also note it's a /16 or a /17 and the range does not represent .cn: it's part of the infamous AS4134, which itself comprises over 900 prefixes. (BTW wrt Netfilter vs tcp_wrappers also see this.) If you're going to drop many prefixes then I suggest you use ipset instead: it's more secure than tcp_wrappers, easier to manage and doesn't influence parsing iptables rules like having 900 or more would.
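
As an added example (written for this thread, not by the poster above), the following Python builds an `ipset restore` file and a matching raw-table rule from a prefix list, validating every entry and collapsing overlaps so that the /20 from the question plus two /17s fold into the single /16 mentioned above. The set name `cn_as4134`, the sample prefix list and the use of `-m set --match-set` in the raw PREROUTING chain are assumptions; the script writes text for review and does not touch the running firewall.

```python
import ipaddress


def load_prefix_list(text):
    """Read a prefix list such as a per-AS dump: one CIDR per line, '#'
    comments and blank lines ignored. Raises ValueError naming the bad line
    so a 900-entry list fails loudly instead of silently losing prefixes."""
    prefixes = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            prefixes.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r} is not a valid prefix") from exc
    return prefixes


def normalize_prefixes(prefixes):
    """Validate every prefix and merge overlapping or adjacent blocks, so the
    set holds the minimal cover (e.g. a /20 plus two /17s become one /16)."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def ipset_restore_script(name, prefixes):
    """Emit input for 'ipset restore': one hash:net set plus one add per prefix."""
    lines = [f"create {name} hash:net family inet"]
    lines.extend(f"add {name} {p}" for p in normalize_prefixes(prefixes))
    return "\n".join(lines) + "\n"


def raw_table_rules(name):
    """A raw-table fragment for iptables-restore that drops matching sources
    before connection tracking, mirroring the placement suggested above.
    The set must exist before the table is loaded (assumed ordering)."""
    return (
        "*raw\n"
        ":PREROUTING ACCEPT [0:0]\n"
        ":OUTPUT ACCEPT [0:0]\n"
        f"-A PREROUTING -m set --match-set {name} src -j DROP\n"
        "COMMIT\n"
    )


def blocked(prefixes, ip):
    """Offline check of what the set would match for a given source address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


if __name__ == "__main__":
    # Constructed sample list: the /20 from the question plus the two /17s.
    SAMPLE = "61.147.0.0/20  # too narrow\n61.147.0.0/17\n61.147.128.0/17\n"
    nets = [str(n) for n in load_prefix_list(SAMPLE)]
    print(ipset_restore_script("cn_as4134", nets))
    print(raw_table_rules("cn_as4134"))
```

The generated text is meant to be fed to `ipset restore` first and then to `iptables-restore`; keeping the set separate from the rules is what lets a long prefix list change without reloading the filter table.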
 
  

