Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
The --log-prefix applies to the log message, not the log file name. So look in the file /var/log/syslog for lines with "portscan:" in the 9th or so column.
The --remove option corresponds to --rcheck and can remove an address from your block list. See man iptables-extensions for that.
Edit: you might consider --update instead of --rcheck, depending on your uses.
Last edited by Turbocapitalist; 12-04-2016 at 08:14 AM.
Using -L shows which rules are in effect. Only if there are rules that explicitly apply to particular IP addresses or netblocks will -D help. You indicate that you are using -m recent to dynamically create a list of addresses. Those addresses won't be listed by -L, but they can be found in /proc/net/xt_recent/ in a file named after your list, which you show as "portscan". If you look inside that file, you'll see your addresses. However, I don't know the right way to access that list or modify it. The documentation for "iptables" beyond the manual pages is a bit awkward and the manual pages are in need of polishing.
Edit: while looking for something else, I stumbled across this in the manual page for iptables-extensions:
Code:
Each file in /proc/net/xt_recent/ can be read from to see the current list or written to using the following commands to modify the list:
    echo +addr >/proc/net/xt_recent/DEFAULT
to add addr to the DEFAULT list
    echo -addr >/proc/net/xt_recent/DEFAULT
to remove addr from the DEFAULT list
    echo / >/proc/net/xt_recent/DEFAULT
to flush the DEFAULT list (remove all entries).
Substitute the name of your list for "DEFAULT" there and you're set.
Last edited by Turbocapitalist; 12-05-2016 at 08:33 AM.
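The two posts above describe where the "-m recent" addresses live and where the --log-prefix text ends up. The script below is an added example, not code from the thread or from the iptables project: it pulls the source addresses out of a /proc/net/xt_recent list file, pulls the SRC= values out of syslog lines carrying the "portscan:" prefix, and wraps the manual page's echo interface in a function that refuses to run unless the list file is actually writable. The list name "portscan" and the prefix come from the thread; the line format of the xt_recent file (src=… ttl: … last_seen: … oldest_pkt: …) is assumed from the kernel module and should be checked against your own system, and the sample list and log lines are constructed so the parsers can be tried without a firewall.

```shell
#!/bin/sh
# Added example (not from the thread): inspecting an iptables "-m recent"
# list and the matching LOG lines. Only the list name "portscan" and the
# prefix "portscan:" come from the thread; the rest is assumed.

# The kernel exposes each list as /proc/net/xt_recent/<name>. Each line is
# assumed to look like (format taken from the xt_recent module, verify locally):
#   src=192.0.2.10 ttl: 64 last_seen: 4295123456 oldest_pkt: 3 4295123400 ...
# Print only the source addresses.
recent_list_addrs() {
    # $1: path to the list file (or any file in that format)
    sed -n 's/^src=\([^ ]*\).*/\1/p' "$1"
}

# --log-prefix sets text inside the syslog message, not a file name, so the
# entries are found by searching the normal kernel log for that prefix.
# Print the unique SRC= values of lines carrying the prefix.
log_prefix_srcs() {
    # $1: prefix (e.g. "portscan:"), $2: log file to search
    grep -F -- "$1" "$2" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort -u
}

# Manual-page interface: "+addr" adds, "-addr" removes, "/" flushes the list.
# Needs root and a loaded xt_recent module; refuses to run otherwise.
recent_list_write() {
    # $1: list name, $2: token (+addr, -addr or /)
    f="/proc/net/xt_recent/$1"
    if [ ! -w "$f" ]; then
        echo "cannot write $f (need root and an existing list)" >&2
        return 1
    fi
    printf '%s\n' "$2" > "$f"
}

# Constructed sample data (not real captures) so the parsers run anywhere.
SAMPLE_LIST="$(mktemp)"
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LIST" "$SAMPLE_LOG"' EXIT

cat > "$SAMPLE_LIST" <<'EOF'
src=192.0.2.10 ttl: 64 last_seen: 4295123456 oldest_pkt: 3 4295123400 4295123410 4295123456
src=198.51.100.7 ttl: 128 last_seen: 4295124000 oldest_pkt: 1 4295124000
EOF

cat > "$SAMPLE_LOG" <<'EOF'
Dec  4 08:10:01 host kernel: [12345.678] portscan: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=40 PROTO=TCP SPT=40000 DPT=23 SYN
Dec  4 08:10:02 host kernel: [12346.000] portscan: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22 SYN
Dec  4 08:10:03 host sshd[999]: Accepted publickey for alice from 198.51.100.7 port 51234 ssh2
EOF

echo "Addresses in the sample list file:"
recent_list_addrs "$SAMPLE_LIST"
echo "Sources logged with prefix portscan: in the sample log:"
log_prefix_srcs "portscan:" "$SAMPLE_LOG"
# On a real host with the list loaded, run as root, e.g.:
#   recent_list_addrs /proc/net/xt_recent/portscan
#   recent_list_write portscan -192.0.2.10
```

Reading the list file is harmless and needs no special privilege beyond what /proc grants; writing it is the same operation the manual page describes, and the rule set that references the list keeps working while you add or remove entries by hand.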
Yes. And you can add to, remove from, or clear the list "portscan" using "echo" as shown in the manual page. Though your iptables rules will do much of that automatically for you, if they are set up right.
If I want to do it manually via iptables then? Can I use "iptables -D INPUT IP"?