LinuxQuestions.org - Linux - Security
Iptable config files? (https://www.linuxquestions.org/questions/linux-security-4/iptable-config-files-453144/)

imagineers7 06-09-2006 07:08 AM

Iptable config files?
 
Hi everyone,

I wanted to know where the configuration files needed by iptables are located.
I also wanted to know how I can dynamically add and remove IP addresses in the drop tables.
Currently I am doing it manually, after searching for malicious IP addresses in the logs with a simple script.

For more control I needed to know about the config files.


Thanks in advance.

imagineers7 06-09-2006 07:22 AM

#!/bin/bash
# Count failed SSH logins per source IP (frequency, then IP).
# /var/log/messages on Red Hat Enterprise Linux ES release 3 (Taroon Update 7);
# other distributions use /var/log/secure, or the path may vary.
LOG=/var/log/messages

# Print the word after "from" on every matching line (the source IP), then
# count how often each IP appears. Keying on "from" instead of a fixed field
# position gives the same result for all three message formats below.
count_ips() {
    grep "$1" "$LOG" | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' | sort | uniq -c
}

clear
echo
echo "Frequency IP"
count_ips "Failed password for root"
echo "Proceed to random username log..."
read -r _                                   # pause until Enter is pressed
count_ips "Failed password for illegal"
echo "Proceed to SSH scan log..."
read -r _
count_ips "Did not receive identification string from"

###########

This is how I find SSH threats, and then I add and remove the IP addresses as follows:
iptables -A INPUT -s XX.xx.XX.Xx -j DROP

and after some time or days:
iptables -D INPUT -s XX.xx.XX.Xx -j DROP

Is this correct?
I wanted to make this finer and better. Any suggestions?

Ideas? Brainstorming?

Thanks in advance

Capt_Caveman 06-09-2006 07:48 AM

You might want to take a look at the thread titled "Failed SSH Login Attempts" near the top of the forum. There are a number of tools listed for blacklisting on hosts.

WRT your iptables rules, it will depend on what your current iptables rules look like. If you are using a default Redhat/Fedora script, your rules may not work.

imagineers7 06-09-2006 08:11 AM

Thanks Captain,

But I have looked at it, and I already use DenyHosts on some servers. But I want to have a shot at my own script and am trying to figure out how I would do it.


Anyway, thank you very much.

(Hey, I am going to reinvent the wheel :-O )

Capt_Caveman 06-09-2006 08:35 PM

That's cool, it should be a good learning exercise then.

To expand on my iptables comment some more: with the default RH/FC firewall, incoming packets are dumped into a user-defined chain (RH-Firewall-1-INPUT) where there are usually rules allowing traffic on each of the required ports that is set up during the config. If a packet matches any of these then it will not be processed by any more rules. At the end of the user-defined chain is a generic rule that rejects anything that isn't matched by any of the other rules. No traffic should ever make it past this point (although technically it *would* flow back into the INPUT chain if it wasn't all being dropped).

So if you add a rule to the end of the INPUT chain (-A) to drop evil IP addresses, it will never block anything. You'll need to put those drop rules before they reach the "ACCEPT port 22" rules in the RH-Firewall-1-INPUT chain, otherwise they will be accepted. One way to do this would be to use the -I option instead of -A. This will insert your rule at the very beginning of the firewall instead of appending (-A) it to the very bottom. Hope that helps (and wasn't too basic).

imagineers7 06-10-2006 12:02 AM

Hi Captain,

Thanks,

I was wondering how I can check those rules that I append or insert?

I tried:

iptables -L

which showed me the chain rules and tables, but not the rule that I added.

Also I observed that I had to remove the rule twice, as I had added it twice (just as an experiment).


So, for now I wanted to list all those rules that are currently in effect; how can I?


Thanks Captain,



PS: Is there any way that I can add blacklisted IP addresses to a certain file and also remove them?
Also I have started to read tutorials on iptables and reference material on it. Still, I would ask you some quick (maybe silly) questions.

Capt_Caveman 06-11-2006 11:49 AM

I was wondering how can I check those rules that I append or insert?
Are you asking how to view the rules or how to check them (validate that they are correct)?

So, For now I wanted to list all those rules that are currently in effect; how can I?
To list all the rules in a table use:
iptables -vnL

for that command, the default table (filter) will be displayed. If you want to see the nat or mangle tables you need to specify them like:
iptables -t nat -vnL

Is there any such way that I can add black listed ip addresses in a certain file and also remove them?
You could create a text file and store the blacklisted IPs in it, with some type of timestamp entry if you wanted the blacklisting to expire. Then just pull the IPs from the text file. You could have the script run regularly by cron and have some function check the file and remove any expired IPs before it loads the new iptables rules.
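
Added example (not code from the thread or from either poster): one small script that does what Capt_Caveman describes in his two posts above, inserting DROP rules at the head of INPUT with -I rather than appending with -A, and keeping the blacklist in a text file with a timestamp per IP so a cron job can expire old entries. The file path and format, the TTL and threshold, the dry-run behaviour when not running as root, and the sample sshd log lines used to try it are all this example's own assumptions, not anything from the thread.

```shell
#!/bin/bash
# Added example, not from the thread: an expiring SSH blacklist kept in a text
# file and mirrored into iptables. Assumed (not from the thread): file
# path/format, TTL, threshold, and "print instead of run" when not root.
set -u

BLACKLIST=${BLACKLIST:-/var/lib/sshblock/blacklist.txt}   # one "IP EPOCH_ADDED" per line
IPT=${IPT:-iptables}

# Without root the iptables commands are only printed, so the logic can be tried safely.
[ "$(id -u)" -eq 0 ] || IPT="echo $IPT"

# listed IP: true if IP is already recorded in the blacklist file.
listed() {
    [ -f "$BLACKLIST" ] && awk -v ip="$1" '$1 == ip { f = 1 } END { exit !f }' "$BLACKLIST"
}

# block_ip IP: -I puts the DROP rule at the top of INPUT, ahead of the jump to
# RH-Firewall-1-INPUT whose "ACCEPT port 22" would otherwise win. Duplicates are
# refused because every extra -I adds another copy that then needs its own -D.
block_ip() {
    local ip=$1
    mkdir -p "$(dirname "$BLACKLIST")" && touch "$BLACKLIST"
    if listed "$ip"; then
        echo "$ip already blacklisted" >&2
        return 1
    fi
    $IPT -I INPUT -s "$ip" -j DROP || return 1
    echo "$ip $(date +%s)" >> "$BLACKLIST"
}

# unblock_ip IP: delete the rule and drop the entry from the file.
unblock_ip() {
    local ip=$1
    listed "$ip" || return 1
    $IPT -D INPUT -s "$ip" -j DROP || return 1
    awk -v ip="$ip" '$1 != ip' "$BLACKLIST" > "$BLACKLIST.tmp" && mv "$BLACKLIST.tmp" "$BLACKLIST"
}

# expire_blacklist TTL_SECONDS: unblock entries older than TTL; meant for cron, e.g.
#   0 * * * * /usr/local/sbin/sshblock expire 86400
expire_blacklist() {
    local ttl=$1 now snapshot ip ts
    [ -f "$BLACKLIST" ] || return 0
    now=$(date +%s)
    snapshot=$(cat "$BLACKLIST")        # unblock_ip rewrites the file, so loop over a copy
    echo "$snapshot" | while read -r ip ts; do
        [ -n "$ts" ] || continue
        if [ $((now - ts)) -gt "$ttl" ]; then unblock_ip "$ip"; fi
    done
}

# blacklist_from_log LOGFILE [THRESHOLD]: block each source IP seen more than
# THRESHOLD times in the same sshd messages the script earlier in this thread greps for.
blacklist_from_log() {
    local log=$1 threshold=${2:-5}
    grep -E 'Failed password for (root|illegal)|Did not receive identification string from' "$log" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1) }' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 > t { print $2 }' \
        | while read -r ip; do block_ip "$ip" || true; done
}

# show_rules: -n skips DNS lookups, --line-numbers gives positions usable with "-D INPUT N".
show_rules() { $IPT -vnL INPUT --line-numbers; }

# Command-line dispatch: sshblock block IP | unblock IP | expire SECS | scan LOG [N] | list
case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
    expire)  expire_blacklist "$2" ;;
    scan)    blacklist_from_log "$2" "${3:-5}" ;;
    list)    show_rules ;;
esac
```

Run as an ordinary user it only prints the iptables commands it would issue, which is a cheap way to check the -I/-D pairs before putting it in cron as root. Duplicate checks are done against the file rather than by querying iptables, so the file and the running rules must be kept in step: if rules are added or removed by hand, edit the file to match.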

imagineers7 06-11-2006 11:18 PM

Hello Captain,

You are going to collect a lot of "thanks" in this thread.

As you suggested, it will be better to have a text file with timestamps and then extract the blacklisted IPs. This was the thing I wanted to do.


Hey, please keep the email subscription to this thread open, as I am surely going to ask you some more things (whenever needed). I don't know what to say, but I think I am taking a lot of your time.


Thanks

Capt_Caveman 06-12-2006 06:23 PM

Ask questions as necessary. That's what this site is for...

If you start getting into more programming oriented questions, you may want to start a new thread in the Programming forum in order to get exposure to people with more experience in that area (though many in this forum are exceptionally capable as well).

