LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-04-2007, 04:19 PM   #1
dellthinker
Member
 
Registered: Jan 2007
Distribution: Debian
Posts: 223

Rep: Reputation: 30
Blocking IP


Code:
Apr  4 05:00:40 computer pure-ftpd: (?@219.136.254.102) [WARNING] Authentication failed for user [Administrator]
How would i use hosts.deny to block this IP from trying to access my machine anymore? And can someone give me a site where i can read about some software that detects failed logins and bans them? Thanx in advance!
 
Old 04-04-2007, 04:28 PM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361Reputation: 361Reputation: 361Reputation: 361
You could use hosts.deny, but most people at this point would rather it be handled by an adaptive firewall. Ideally you would only want to block an IP for a set amount of time (rather than permanently) as you can block IPs that might otherwise have had legitimate users. For example, if somebody at a college port scanned your server and you blocked the IPs for that school, other people at that school would not be able to legitimately access you server forever.

If you only block IPs as soon as the attack starts and then unblock them in a day or so, by the time the IP has been unblocked the attacker will likely be using a new IP (or more likely just moved on to the next target).

At any rate, that is what you want to be looking into to automatically block IPs based on failed authorization attempts, adaptive firewalls. It is a rather large subject though, so be prepared to do a bit of research before you find one that suits your needs.
 
Old 04-04-2007, 05:07 PM   #3
dellthinker
Member
 
Registered: Jan 2007
Distribution: Debian
Posts: 223

Original Poster
Rep: Reputation: 30
The firewall i use blocks the use of my ftpd. Im going to be looking into failed auth logins later on. But for now i'd just like to know how to block the IP. If anyone could just tell me how to do it with hosts.deny i'd appreciate it. Thanx in advance.
 
Old 04-05-2007, 12:13 PM   #4
mintojoseph
LQ Newbie
 
Registered: Nov 2006
Location: Kerala
Distribution: Fedora, Debian, RHEL
Posts: 29
Blog Entries: 1

Rep: Reputation: 15
Add following to hosts.deny

ALL:219.136.254.102
---------------------------------
OR


You can type following in command line for blocking via iptables..

iptables -I INPUT -s 219.136.254.102 -j DROP
---------------------------------------------------------------------------

You can use apf with bfd for doing it simply..

BFD will find Brute Force attempts and block them.

Using apf you can block an IP very simply by
#apf -d 219.136.254.102
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Blocking all ports ehab_8 Linux - Security 5 11-26-2006 04:30 PM
IP Blocking Help mortsahl Linux - Security 2 04-26-2004 08:29 AM
blocking ports rocketgo Linux - Software 3 11-11-2003 06:50 PM
Blocking porn shea1roh Linux - Software 0 08-14-2003 08:11 PM
IP blocking merlin371 Linux - Networking 2 08-04-2003 10:42 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:59 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration