Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
06-09-2006, 07:08 AM  #1
Member
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310
Iptable config files?
Hi everyone,
I wanted to know where the configuration files needed by iptables are located.
And also I wanted to know how I can dynamically add and remove IP addresses in the drop tables.
Currently I am doing it manually after searching for malicious IP addresses in logs through a simple script.
For more control I needed to know about config files.
Thanks in advance..
06-09-2006, 07:22 AM  #2
Member
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310
Original Poster
#!/bin/bash
clear
echo
echo "Frequency IP"
# /var/log/messages for Red Hat Enterprise Linux ES release 3 (Taroon Update 7)
# others use /var/log/secure, or the path may vary
# Root logins: split on ":" to isolate the message text, then take its 6th word (the source IP)
grep "Failed password for root" /var/log/messages | gawk -F: '{print $4}' | gawk -F" " '{print $6}' | sort | uniq -c
echo "Proceed To random username log..."
read FromUser   # pause until Enter is pressed
# Unknown usernames: the source IP is the 8th word of the message text
grep "Failed password for illegal" /var/log/messages | gawk -F: '{print $4}' | gawk -F" " '{print $8}' | sort | uniq -c
echo "Proceed To SSH scan log ..."
read FromUser   # pause until Enter is pressed
# Scanners that connected without sending an SSH banner: the IP is the 12th word of the whole line
grep "Did not receive identification string from" /var/log/messages | gawk '{print $12}' | sort | uniq -c
###########
This is how I find SSH threats, and then I add and remove the IP addresses as follows:-
iptables -A INPUT -s XX.xx.XX.Xx -j DROP
and after some time or days:-
iptables -D INPUT -s XX.xx.XX.Xx -j DROP
Is this correct?
I wanted to make this finer and better. Any suggestions?
Ideas? Brainstorming?
Thanks in advance
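As an added example (not the poster's script), the same three log patterns above can be collected in one awk pass that finds the address by the word "from" instead of by column position, so the result does not depend on how many words precede it. The log lines below are constructed sample data; the real input would be /var/log/messages or /var/log/secure as noted in the thread.

```shell
#!/bin/bash
# Added example, not the thread's code: count sshd failure events per source
# address and report those at or above a threshold. SAMPLE_LOG is constructed
# syslog-style input standing in for /var/log/messages.
SAMPLE_LOG='Jun  9 07:01:11 host sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jun  9 07:01:14 host sshd[2203]: Failed password for illegal user admin from 203.0.113.5 port 40130 ssh2
Jun  9 07:01:20 host sshd[2205]: Failed password for root from 203.0.113.5 port 40141 ssh2
Jun  9 07:02:02 host sshd[2210]: Did not receive identification string from 198.51.100.7
Jun  9 07:02:30 host sshd[2215]: Failed password for root from 192.0.2.9 port 51022 ssh2
Jun  9 07:03:00 host sshd[2220]: Accepted password for alice from 192.0.2.9 port 51030 ssh2'

# offending_ips LOGTEXT THRESHOLD
# Prints "count ip" for every source that produced at least THRESHOLD of the
# three message kinds the thread's script greps for, most frequent first.
offending_ips() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /Failed password for/ || /Did not receive identification string from/ {
            # the address is always the word right after "from"
            for (i = 1; i < NF; i++) if ($i == "from") { hits[$(i+1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }' | sort -rn
}

offending_ips "$SAMPLE_LOG" 2
```

Replace `"$SAMPLE_LOG"` with `"$(cat /var/log/messages)"` to run it against a real log; the successful "Accepted password" line is deliberately ignored.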
06-09-2006, 07:48 AM  #3
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
You might want to take a look at the thread titled "Failed SSH Login Attempts" near the top of the forum. There are a number of tools listed for blacklisting on hosts.
WRT your iptables rules, it will depend on what your current iptables rules look like. If you are using a default Redhat/Fedora script, your rules may not work.
06-09-2006, 08:11 AM  #4
Member
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310
Original Poster
Thanks captain,
But I have looked at it and I already use denyhosts on some servers. But I want to have a shot with my own script and am trying to figure out how I would do it.
Anyway, thank you very much
(Hey I am going to reinvent the wheel :-O )
06-09-2006, 08:35 PM  #5
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
That's cool, should be a good learning exercise then.
To expand on my iptables comment some more: with the default RH/FC firewall, incoming packets are dumped into a user-defined chain (RH-Firewall-1-INPUT) where there are usually rules allowing traffic on each of the required ports that are set up during the config. If a packet matches any of these then it will not be processed by any more rules. At the end of the user-defined chain is a generic rule that rejects anything that isn't matched by any of the other rules. No traffic should ever make it past this point (although technically it *would* flow back into the INPUT chain if it wasn't all being dropped).
So if you add a rule to the end of the INPUT chain (-A) to drop evil IP addresses, it'll never block anything. You'll need to put those drop rules before they reach the "ACCEPT port 22" rules in the RH-Firewall-1-INPUT chain, otherwise they will be accepted. One way to do this would be to use the -I option instead of -A. This will insert your rule at the very beginning of the firewall instead of appending (-A) it to the very bottom. Hope that helps (and wasn't too basic).
06-10-2006, 12:02 AM  #6
Member
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310
Original Poster
Hi Captain,
Thanks,
I was wondering how I can check those rules that I append or insert?
I tried:-
iptables -L
Which showed me the chain rules and tables but not the rule that I added.
Also I observed that I had to remove the rule twice, because I had added it twice (just as an experiment).
So, for now I wanted to list all those rules that are currently in effect; how can I?
Thanks Captain,
PS:- Is there any such way that I can add blacklisted IP addresses to a certain file and also remove them?
Also I have started to read tutorials on iptables and reference material on it. Still, I would ask you some quick (maybe silly) questions.
Last edited by imagineers7; 06-10-2006 at 12:04 AM.
06-11-2006, 11:49 AM  #7
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote: I was wondering how I can check those rules that I append or insert?
Are you asking how to view the rules or how to check them (validate they are correct)?
Quote: So, for now I wanted to list all those rules that are currently in effect; how can I?
To list all the rules in a table use:
iptables -vnL
For that command, the default table (filter) will be displayed. If you want to see the nat or mangle tables you need to specify them like:
iptables -t nat -vnL
Quote: Is there any such way that I can add blacklisted IP addresses to a certain file and also remove them?
You could create a text file and store the blacklisted IPs in it with some type of timestamp entry if you wanted the blacklisting to expire. Then just pull the IPs from the text file. You could have the script regularly run by cron and have some function to check the file and remove any expired IPs before it loads the new iptables rules.
06-11-2006, 11:18 PM  #8
Member
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310
Original Poster
Hello Captain,
You are going to collect a lot of "thanks" in this thread.
As you suggested, it will be better to have a text file with timestamps and then extract the blacklisted IPs. This was the thing I wanted to do.
Hey, please keep the email subscription to this thread open as I am surely going to ask you some more things (whenever needed). I don't know what to say, but I think I am taking a lot of your time.
Thanks
06-12-2006, 06:23 PM  #9
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Ask questions as necessary. That's what this site is for...
If you start getting into more programming oriented questions, you may want to start a new thread in the Programming forum in order to get exposure to people with more experience in that area (though many in this forum are exceptionally capable as well).