LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-19-2005, 08:01 PM   #1
blkcamarozr28
Member
 
Registered: Oct 2005
Location: Honolulu, Hawaii
Distribution: Fedora Core 1-7, CentOS 4/5, Ubuntu/Xubuntu
Posts: 63

Can't get blacklisting script (sshblack) working


blacklisting script: http://www.pettingers.org/code/SSHBlack.html

I'm running FC3 with IPTABLES.

Here is my iptables config [/etc/sysconfig/iptables]
Code:
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BLACKLIST - [0:0] 		<---------Add BLACKLIST CHAIN
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST  <------Add Checking of SSH via BLACKLIST
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --source 192.168.0.0/255.255.255.0 --dport 137:139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --source 192.168.0.0/255.255.255.0 --dport 137:139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 465 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
and I'm running the default for /usr/src/sshblack/sshblack.pl

Does everything above look okay? I tried getting it to lock me out but it won't.
Is it because I have this in there?

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT


However, if I take that line out you can't connect via SSH.
 
Old 10-19-2005, 11:44 PM   #2
blkcamarozr28
Member
 
Registered: Oct 2005
Location: Honolulu, Hawaii
Distribution: Fedora Core 1-7, CentOS 4/5, Ubuntu/Xubuntu
Posts: 63

Original Poster

I figured it out!


-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST <------Add Checking of SSH via BLACKLIST

Should have been this:
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j BLACKLIST <------Add Checking of SSH via BLACKLIST
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Because the default Red Hat firewall uses RH-Firewall-1 as the INPUT name. Doh! Other than that, you need to make sure the -j BLACKLIST is before the regular SSH ACL.
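The reason the first attempt never blocked anything is the chain traversal itself: INPUT jumps into RH-Firewall-1-INPUT first, that chain ends in an unconditional REJECT, so control never returns to INPUT and the `-j BLACKLIST` rule placed after the jump is never consulted. The following is an added example, not code from the thread or from sshblack: a small Python model of iptables chain traversal that walks the OP's original and fixed rulesets with a packet from a blacklisted host. It supports only the matches used in the thread's rules (-p, --dport, -s/--source, -m state, -i) and assumes sshblack inserts a `-A BLACKLIST -s <host> -j DROP` rule; the host address 203.0.113.7 is a constructed documentation address.

```python
"""Toy model of iptables filter-table chain traversal (added example, not iptables).

Supports only the matches in the OP's ruleset and the targets
ACCEPT/DROP/REJECT/RETURN plus jumps to user-defined chains.
"""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    src: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "NEW"
    iface: str = "eth0"


@dataclass
class Rule:
    chain: str
    target: str
    proto: str | None = None
    dport: tuple[int, int] | None = None
    src: ipaddress.IPv4Network | None = None
    state: set[str] | None = None
    iface: str | None = None

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or self.dport[0] <= p.dport <= self.dport[1])
                and (self.src is None or ipaddress.ip_address(p.src) in self.src)
                and (self.state is None or p.state in self.state))


def parse_ruleset(text: str):
    """Parse iptables-save syntax into {chain: [Rule, ...]} and {chain: policy}."""
    chains: dict[str, list[Rule]] = {}
    policies: dict[str, str | None] = {}
    for raw in text.splitlines():
        line = raw.split("<---")[0].strip()      # drop the OP-style inline annotations
        if not line or line.startswith("*") or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            policies[name] = None if policy == "-" else policy
            continue
        toks = shlex.split(line)
        kw = dict(zip(toks[0::2], toks[1::2]))   # every option used here takes one value
        port = kw.get("--dport")
        lo, _, hi = port.partition(":") if port else ("", "", "")
        src = kw.get("-s") or kw.get("--source")
        chains.setdefault(kw["-A"], []).append(Rule(
            chain=kw["-A"], target=kw["-j"], proto=kw.get("-p"),
            dport=(int(lo), int(hi or lo)) if port else None,
            src=ipaddress.ip_network(src, strict=False) if src else None,
            state=set(kw["--state"].split(",")) if "--state" in kw else None,
            iface=kw.get("-i")))
    return chains, policies


def walk(chains, policies, pkt: Packet, chain: str = "INPUT", trace=None):
    """Return (verdict, trace); a user chain that matches nothing returns None to its caller."""
    trace = [] if trace is None else trace
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not rule.matches(pkt):
            continue
        trace.append(f"{chain}[{n}] -> {rule.target}")
        if rule.target in TERMINATING:
            return rule.target, trace
        if rule.target == "RETURN":
            return None, trace
        verdict, trace = walk(chains, policies, pkt, rule.target, trace)
        if verdict is not None:
            return verdict, trace
    return policies.get(chain), trace            # built-in chain: policy; user chain: None


# Assumed sshblack entry for an offending host (constructed address, not a real one).
BLACKLIST_ENTRY = "-A BLACKLIST -s 203.0.113.7 -j DROP"

# OP's first attempt, trimmed: the BLACKLIST jump sits in INPUT *after* the jump
# into RH-Firewall-1-INPUT, which never returns because it ends in REJECT.
ORIGINAL = f"""
:INPUT ACCEPT [0:0]
:BLACKLIST - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST  <------ never reached
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
{BLACKLIST_ENTRY}
COMMIT
"""

# OP's fix: the jump lives in RH-Firewall-1-INPUT, ahead of the SSH ACCEPT.
FIXED = f"""
:INPUT ACCEPT [0:0]
:BLACKLIST - [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
{BLACKLIST_ENTRY}
COMMIT
"""


def ssh_verdict(ruleset: str, src: str):
    """Verdict and traversal trace for a NEW TCP connection to port 22 from src."""
    chains, policies = parse_ruleset(ruleset)
    return walk(chains, policies, Packet(src=src, dport=22))


if __name__ == "__main__":
    for label, rs in (("original", ORIGINAL), ("fixed", FIXED)):
        verdict, trace = ssh_verdict(rs, "203.0.113.7")
        print(f"{label:8} blacklisted host -> {verdict}  via {', '.join(trace)}")
```

Running it shows the original ruleset accepting the blacklisted host after `INPUT[1] -> RH-Firewall-1-INPUT, RH-Firewall-1-INPUT[2] -> ACCEPT`, with `INPUT[2]` never visited, while the fixed ruleset reaches the BLACKLIST chain and drops it. A quick way to confirm the same thing on a live box is `iptables -L -v -n` after a test lockout: a BLACKLIST jump rule whose packet counter stays at zero is one that is never being reached.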