LinuxQuestions.org


GeorgeMoney 04-07-2007 07:15 PM

how to make iptables blacklist a user if they connect to a certain port
 
What is the command, if any, to make iptables auto-blacklist an ip if they connect to a certain port?

For example, let's say that I want to auto-blacklist any script kiddie who connects to port 22 and tries to do a brute force. Because I have sshd on an alternate port, I want to have 22 as a trap.

So then, if they try 22 and find nothing, they might try a portscanner and find the real port sshd is on. But if it auto-blacklists connections to 22, then when their portscanner passes 22, it is unlikely they will find my real port because any connection with them will be refused.

osor 04-07-2007 07:52 PM

I would suggest using the recent module. If you need help with the implementation, just ask.

fur 04-07-2007 11:56 PM

For the reason you listed I would not even worry about it. Most of the scans that will ever hit your computer/server are automated, and looking to exploit a specific vulnerability. With ssh it's usually brute force.

Also it may be prone to DoS. What happens if I send spoofed syn packets to tcp 22 on your computer with the src address as google's IPs?

Your firewall could very well block those IPs, and in turn deny access to google. Granted the chance of this is slim, but it's still a possibility. Take a look at nmap's -D option as it does exactly this. You need to be very careful when using firewall rules that are created based on certain "matches". The same goes for using things like Snort inline where it blocks traffic when certain rules are matched.

I would instead secure sshd by only allowing connections from specified IPs, and use ssh keys rather than passwords. Having it running on some random port only fools automated tools.

All anyone has to do is telnet to that port you changed sshd to listen on, and the person will automatically know you are running ssh, and what version. Now if you have iptables setup to deny all first unless specified to allow they will be hitting a brick wall.

Micro420 04-08-2007 12:26 AM

I know it is specifically not iptables, but DenyHosts works great for SSH and writes to your /etc/hosts.deny automatically.

http://denyhosts.sourceforge.net/

short101 04-08-2007 02:41 AM

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

works nicely for me, gives them 4 attempts, then they are blocked.
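As an added example (not code from osor, short101 or anyone else in the thread), here is the recent-module approach written up as a dry-run shell script: a dedicated chain that records and drops anything opening a connection to the decoy port, plus a trusted-source exemption so the spoofed-SYN lockout fur describes cannot hit the administrator's own addresses. The port, timeout, chain and list names and the RFC 5737 addresses are all assumed values.

```shell
#!/bin/sh
# Added example: trap-port ruleset built on the iptables "recent" module.
# Anything that opens a connection to the decoy port is recorded and dropped,
# and every later packet from that source is dropped while it keeps probing.
# All addresses and values below are constructed placeholders.
TRAP_PORT=22                 # decoy; the real sshd listens elsewhere
BLOCK_SECONDS=600            # a listed source stays blocked this long after its last packet
LIST=ssh_trap                # appears as /proc/net/xt_recent/ssh_trap
CHAIN=SSH_TRAP
ADMIN_NETS="203.0.113.0/24 198.51.100.7"   # constructed (RFC 5737) trusted sources

# Emit the rules as text so they can be reviewed (and tested) before applying.
build_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || true"
    echo "iptables -F $CHAIN"
    # Trusted admin sources never reach the trap logic, so a spoofed SYN that
    # claims one of these addresses cannot lock the administrator out.
    for net in $ADMIN_NETS; do
        echo "iptables -A $CHAIN -s $net -j RETURN"
    done
    # Already listed and seen within BLOCK_SECONDS: drop and refresh the timer
    # (--update), so a scanner that keeps probing stays blocked. Matches any
    # protocol and port, which is what "blacklist the IP" means here.
    echo "iptables -A $CHAIN -m recent --name $LIST --update --seconds $BLOCK_SECONDS -j DROP"
    # First SYN to the decoy port: add the source to the list and drop it.
    echo "iptables -A $CHAIN -p tcp --dport $TRAP_PORT -m conntrack --ctstate NEW -m recent --name $LIST --set -j DROP"
    # Hook the chain in ahead of the existing INPUT rules.
    echo "iptables -I INPUT -j $CHAIN"
}

# Apply only when explicitly asked and iptables is present; otherwise dry-run.
apply_rules() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    build_rules | sh -e
}

if [ "${APPLY:-0}" = "1" ]; then apply_rules; else build_rules; fi
```

Run it plain to review the generated rules, then with APPLY=1 as root to load them; a source that tripped the trap shows up in /proc/net/xt_recent/ssh_trap.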

GeorgeMoney 04-08-2007 05:06 AM

Hello, thanks for all the replies!

re: restricting source ip:
the thing is, I connect from lots of places so restricting a source ip would be very inconvenient.

re: denyhosts
Since I didn't know denyhosts existed, I wrote a script that does exactly what it does... guess I could have saved some time if I had just googled it. It's just that it only uses tcpwrappers; I wanted something more systemwide, which is what iptables does.

re: iptables
Ok, I'll put in those commands, and wait till the next script kiddie finds my ip :)
