Old 04-07-2007, 07:15 PM   #1
LQ Newbie
Registered: Mar 2007
Distribution: Kubuntu edgy-eft
Posts: 3

Rep: Reputation: 0
how to make iptables blacklist a user if they connect to a certain port

What is the command, if any, to make iptables auto-blacklist an ip if they connect to a certain port?

For example, let's say that I want to auto-blacklist any script kiddie who connects to port 22 and tries to do a brute force. Because I have sshd on an alternate port, I want to have 22 as a trap.

So then, if they try 22 and find nothing, they might try a portscanner and find the real port sshd is on. But if it auto-blacklists connections to 22, then when their portscanner passes 22, it is unlikely they will find my real port because any connection with them will be refused.
Old 04-07-2007, 07:52 PM   #2
HCL Maintainer
Registered: Jan 2006
Distribution: (H)LFS, Gentoo
Posts: 2,450

Rep: Reputation: 76
I would suggest using the recent module. If you need help with the implementation, just ask.
Old 04-07-2007, 11:56 PM   #3
Registered: Dec 2003
Distribution: Debian, FreeBSD
Posts: 310

Rep: Reputation: 35
For the reason you listed I would not even worry about it. Most of the scans that will ever hit your computer/server are automated, and looking to exploit a specific vulnerability. With ssh it's usually brute force.

Also it may be prone to DoS. What happens if I send spoofed syn packets to tcp 22 on your computer with the src address as google's IPs?

Your firewall could very well block those IPs, and in turn deny access to google. Granted the chance of this is slim, but it's still a possibility. Take a look at nmap's -D option as it does exactly this. You need to be very careful when using firewall rules that are created based on certain "matches". The same goes for using things like Snort inline where it blocks traffic when certain rules are matched.

I would instead secure sshd by only allowing connections from specified IPs, and use ssh keys rather than passwords. Having it running on some random port only fools automated tools.

All anyone has to do is telnet to the port you changed sshd to listen on, and the person will automatically know you are running ssh, and what version. Now if you have iptables set up to deny all first unless specified to allow, they will be hitting a brick wall.
Old 04-08-2007, 12:26 AM   #4
Senior Member
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
I know it is specifically not iptables, but DenyHosts works great for SSH and writes to your /etc/hosts.deny automatically.
Old 04-08-2007, 02:41 AM   #5
Registered: May 2004
Location: Aust.
Distribution: Debian
Posts: 424

Rep: Reputation: 30
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

Works nicely for me; gives them 4 attempts, then they are blocked.
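As an added example (not from any poster in this thread), here is a small Python tool for seeing who those two rules are currently dropping: it parses the table the recent module exposes under /proc/net/xt_recent/DEFAULT (older kernels: /proc/net/ipt_recent/DEFAULT) and applies the same 60-second / 4-hit window. It assumes the xt_recent line format, kernel jiffies as timestamps and the host's CONFIG_HZ (hypothetically 250 here); the addresses in the sample are constructed.

```python
"""Report sources inside the '--update --seconds 60 --hitcount 4' window."""
import re
from dataclasses import dataclass

# Constructed sample of /proc/net/xt_recent/DEFAULT; timestamps are jiffies.
SAMPLE = """\
src=203.0.113.7 ttl: 55 last_seen: 4295006721 oldest_pkt: 4 4294996493, 4295001097, 4295003890, 4295006721
src=198.51.100.20 ttl: 64 last_seen: 4295000100 oldest_pkt: 1 4295000100
src=192.0.2.99 ttl: 48 last_seen: 4295006800 oldest_pkt: 4 4294900000, 4294950000, 4295006700, 4295006800
"""

HZ = 250  # assumption: check `grep CONFIG_HZ= /boot/config-$(uname -r)` on the host
LINE = re.compile(r"src=(\S+) ttl: (\d+) last_seen: (\d+) oldest_pkt: (\d+)(.*)")


@dataclass
class Entry:
    src: str
    last_seen: int
    hits: list  # jiffies of the packets xt_recent remembers (max ip_pkt_list_tot)


def parse_recent(text):
    """Parse xt_recent table lines; also tolerates the old 'last_pkts:' token."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        hits = [int(t) for t in re.findall(r"\d+", m.group(5))]
        entries.append(Entry(m.group(1), int(m.group(3)), hits))
    return entries


def currently_blocked(entries, now, seconds=60, hitcount=4, hz=HZ, allow=()):
    """A source is dropped once it has >= hitcount remembered packets within
    the last `seconds` (now is in jiffies). --update refreshes the entry on
    every further hit, so the block slides while the source keeps knocking.
    `allow` mirrors an ACCEPT rule placed before the recent rules, which is
    the usual guard against spoofed SYNs poisoning the table."""
    window = seconds * hz
    blocked = []
    for e in entries:
        if e.src in allow:
            continue
        if len([t for t in e.hits if now - t <= window]) >= hitcount:
            blocked.append(e.src)
    return blocked


if __name__ == "__main__":
    for src in currently_blocked(parse_recent(SAMPLE), now=4295006900):
        print("dropping new SYNs to port 22 from", src)
```

Run it against the live file with `python3 recent_check.py` after replacing SAMPLE with `open("/proc/net/xt_recent/DEFAULT").read()`; the current jiffies value is not exported directly, so use the largest last_seen in the table as an approximation of now.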
Old 04-08-2007, 05:06 AM   #6
LQ Newbie
Registered: Mar 2007
Distribution: Kubuntu edgy-eft
Posts: 3

Original Poster
Rep: Reputation: 0
Hello, thanks for all the replies!

re: restricting source ip:
the thing is, I connect from lots of places so restricting a source ip would be very inconvenient.

re: denyhosts
Since I didn't know denyhosts existed, I wrote a script that does exactly what it does... guess I could have saved some time if I had just googled it. Just, it is only using tcpwrappers; I wanted something more... systemwide - what iptables does.

re: iptables
OK, I'll put in those commands, and wait till the next script kiddie finds my IP.

