LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-09-2006, 07:08 AM   #1
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Iptable config files?


Hi everyone,

I wanted to know where the configuration files needed by iptables are located.
And also I wanted to know how I can dynamically add and remove ipaddresses in the drop tables.
Currently I am doing it mannually after searching for malicious ip addr in logs through a simple script

For more control I needed to know about config files.


Thanks in advance..
 
Old 06-09-2006, 07:22 AM   #2
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Original Poster
Rep: Reputation: 30
#!/bin/bash
clear
echo
echo Frequency IP
#/var/log/messages for Red Hat Enterprise Linux ES release 3 (Taroon Update 7)
# others /var/log/secure or may vary

grep "Failed password for root" /var/log/messages | gawk -F: '{print $4}' | gawk -F" " '{print $6}' | sort | uniq -c
echo Proceed To random username log...
read FromUser
grep "Failed password for illegal" /var/log/messages | gawk -F: '{print $4}' | gawk -F" " '{print $8}' | sort | uniq -c
echo Proceed To SSH scan log ...
read FromUser
grep "Did not receive identification string from" /var/log/messages | gawk '{print $12}' | sort | uniq -c




###########

This is how I find ssh threats and then I add and remove the ip addresses as follows:-
iptables -A INPUT -s XX.xx.XX.Xx -j DROP

and after some time or days:-
iptables -D INPUT -s XX.xx.XX.Xx -j DROP

Is this correct?
I wanted to make this finer and better. Any suggestions?

Ideas? Brainstorming?

Thanks in advance
 
Old 06-09-2006, 07:48 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You might want to take a look at the thread titles "Failed SSH Login Attempts" near the top of the forum. There are a number of tools listed for blacklisting on hosts.

WRT your ipatbles rules, it will depend on what your current iptables rules look like. If you are using a default Redhat/Fedora script, your rules may not work.
 
Old 06-09-2006, 08:11 AM   #4
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Original Poster
Rep: Reputation: 30
Thanks captain,

But I have looked at it and I already use denyhosts on some servers. But I want to have a shot with my own script and trying to figure it out how would I do it.


Anyway , thank you very much

(Hey I am going to reinvent the wheel :-O )
 
Old 06-09-2006, 08:35 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
That's cool, should be a good learning exercise then.

To expand on my iptables comment so more: with the default RH/FC firewall, incoming packets are dumped into a user defined chain (RH-Firewall-1-INPUT) where there is usually rules allowing traffic on each of the required ports that's setup during the config. If a packet matches any of these then it will not be processed by any more rules. At the end of the user-defined chain is a generic rule that rejects anything that isn't matched by any of the other rules. No traffic should ever make it past this point (although technically it *would* flow back into the INPUT chain if it wasn't all being dropped). So if you add a rule to the end of the INPUT chain (-A) to drop evil IP addresses, they'll never block anything. You'll need to put those drop rules before they reach the "ACCEPT port 22" rules in RH-Firewall-1-INPUT chain otherwise they will be accepted. One way to do this would be to use the -I option instead of -A. The will insert your rule at the very beginning of the firewall instead of appending (-A) it to the very bottom. Hope that helps (and wasn't too basic).
 
Old 06-10-2006, 12:02 AM   #6
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Original Poster
Rep: Reputation: 30
Hi Captain,

Thanks,

I was wondering how can I check those rules that I append or insert?

I tried:-

iptables -L
Which showed me the chain rules and tables but not the rule that I added.

Also I observed that I had to remove the rules for that I added it twice (Just as an experiment).


So, For now I wanted to list all those rules that are currently in effect; how can I?


Thanks Captain,



PS:- Is there any such way that I can add black listed ip addresses in a certain file and also remove them?
Also I have started to read tutorials on iptables and ref. material on it. Still I would ask you some quick(may be silly ) questions.

Last edited by imagineers7; 06-10-2006 at 12:04 AM.
 
Old 06-11-2006, 11:49 AM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I was wondering how can I check those rules that I append or insert?
Are asking how to view the rules or how to check them (validate they are correct)

So, For now I wanted to list all those rules that are currently in effect; how can I?
To list all the rules in a table use:
iptables -vnL

for that command, the default table (filter) will be displayed. If you want to see the nat or mangle tables you need to specify them like:
iptables -t nat -vnL

Is there any such way that I can add black listed ip addresses in a certain file and also remove them?
You could create a text file and store the blacklisted IPs in it with some type of timestamp entry if you wanted the blacklisting to expire. Then just pull the IPs from the text file. You could have the script regularly run by cron and have some function to check the file and remove any expired IPs before it loads the new iptables rules.
 
Old 06-11-2006, 11:18 PM   #8
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Original Poster
Rep: Reputation: 30
Hello Captain,

You are going to collect a lot of "thanks" in this thread.

As you suggested It will be better to have text file with time stamps and then extract black listed ips. This was the thing I wanted to do.


Hey, Please keep email subscription to this thread open as I am surely going to ask you some more things. (Whenever needed) I don't know what to say but I think I am taking a lot of time of yours.


Thanks
 
Old 06-12-2006, 06:23 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Ask questions as necessary. That's what this site is for...

If you start getting into more programming oriented questions, you may want to start a new thread in the Programming forum in order to get exposure to people with more experience in that area (though many in this forum are exceptionally capable as well).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
DB for config instead of config files twistedpair Linux - Software 1 11-28-2005 04:39 PM
Webmin cannot handle Samba config files that use the config or include directives allelopath Linux - Networking 3 01-18-2005 09:36 AM
question on config files vs build files working2hard Programming 2 07-29-2004 11:45 AM
where is the iptable config file? what is it's name? gonus Linux - Networking 2 07-12-2004 02:36 PM
iptable problem upon nic config dillinja Linux - Hardware 3 08-06-2003 08:38 AM


All times are GMT -5. The time now is 11:11 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration