LinuxQuestions.org
Linux - Security
04-24-2002, 06:42 PM   #1
rgedye
LQ Newbie
Registered: Apr 2002
Posts: 4
iptables & 2.4.8-26mdk Kernel


I've had a Mandrake box up since about Jan. I run a small web server. I got tired of seeing all the scriptkiddies searching for Windows CMD.EXE and ROOT.EXE etc., so I have been using iptables to DROP their IPs into never-never land. I've also done the same for the scanb---tards that insist on filling my dmesg with nmap scan audit entries.

Problem is this: I've now got about 1800!! entries in iptables on the INPUT chain, and it appears that it is no longer dropping some of these IPs (filling my logs again). It seems to be for the last few hosts I added.

Question is: is there some parameter that I may have to change to allow for this many entries, and then re-compile? I'm assuming that I've 'filled' the space reserved for this in my kernel and it is ignoring some entries.

Maybe I should create some new chains (tables) and move my entries around; haven't tried that yet.

I'm Stumped

Any Help?

UPDATE - Sure enough, if I put a rule at the end of the table it has no effect, but near the top of the table it works fine...


Last edited by rgedye; 04-24-2002 at 07:39 PM.
 
04-25-2002, 03:00 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,370
Blog Entries: 55
I'd say just drop the 1800 tags; if this is 4 months' worth of scans it's worthless anyway, since most skiddies will move on when a target ain't "interesting" anymore. Else may I suggest you try Snort IDS for intrusion detection, like worms, scans, exploits etc. etc.? Then you could use Guardian, which can drop IPs into ipchains/iptables but also incorporates some kind of timer, so after x minutes/hours the IP addy will be unblocked again and the rule deleted, so as not to accumulate too much useless crud.

The only stuff tweakable I read about is ipconn_track. Somewhere under /proc there's a few ipconn_track entries; the limit is 2048 (cat /proc/*/ipconn_track something-something | wc -l). It can be enhanced by catting a memory value into another ipconn_track entry. Bit vague, but that's all I remember :-]
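Two ideas from this thread lend themselves to a worked example: rgedye's observation that rules appended to the end of a long INPUT chain stop taking effect (and his thought of moving the blocks into their own chain), and unSpawn's description of a Guardian-style timer that removes a block again after a while. The script below is an added example written for this page; it is not code from the original posts, from Guardian or from Snort. It assumes a dedicated chain called BLOCKLIST, standard iptables syntax (`-N`, `-I INPUT 1`, `-A`/`-D ... -s IP -j DROP`), and uses constructed Apache-style log lines; the iptables commands are only recorded (dry run), so it runs without root.

```python
import re
from typing import Callable, Dict, List, Optional

# Apache-style access log: client IP is the first field, the request line is in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)"'
)

# Requests a Linux web server never serves: the thread's CMD.EXE / ROOT.EXE probes.
PROBE_MARKERS = ("cmd.exe", "root.exe")

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG = [
    '10.0.0.7 - - [24/Apr/2002:18:10:01 -0500] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 291',
    '10.0.0.9 - - [24/Apr/2002:18:10:02 -0500] "GET /index.html HTTP/1.0" 200 1823',
    '10.0.0.7 - - [24/Apr/2002:18:10:03 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 291',
    '10.0.0.12 - - [24/Apr/2002:18:10:04 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 291',
]


def probing_ip(line: str) -> Optional[str]:
    """Return the client IP if the line is a CMD.EXE/ROOT.EXE probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request = m.group("request").lower()
    return m.group("ip") if any(mk in request for mk in PROBE_MARKERS) else None


class ExpiringBlocklist:
    """DROP rules kept in their own chain and deleted again after `ttl` seconds.

    `run` receives each iptables argv; pass a recorder for a dry run, or a wrapper
    around subprocess.run for the real thing (needs root). The chain name is an
    assumption made for this example.
    """

    def __init__(self, run: Callable[[List[str]], None], chain: str = "BLOCKLIST",
                 ttl: int = 6 * 3600) -> None:
        self.run, self.chain, self.ttl = run, chain, ttl
        self.expiry: Dict[str, float] = {}   # ip -> unix time at which the rule is removed

    def setup(self) -> None:
        # A dedicated chain, jumped to from position 1 of INPUT: iptables stops at the
        # first matching rule, so a block appended after an earlier ACCEPT never fires.
        self.run(["iptables", "-N", self.chain])
        self.run(["iptables", "-I", "INPUT", "1", "-j", self.chain])

    def block(self, ip: str, now: float) -> bool:
        """Add a DROP for ip; returns False if it was already blocked (only extends it)."""
        fresh = ip not in self.expiry
        if fresh:
            self.run(["iptables", "-A", self.chain, "-s", ip, "-j", "DROP"])
        self.expiry[ip] = now + self.ttl
        return fresh

    def prune(self, now: float) -> List[str]:
        """Delete rules whose time is up; returns the IPs that were unblocked."""
        expired = [ip for ip, t in self.expiry.items() if t <= now]
        for ip in expired:
            self.run(["iptables", "-D", self.chain, "-s", ip, "-j", "DROP"])
            del self.expiry[ip]
        return expired


def demo(lines: List[str] = SAMPLE_LOG, ttl: int = 6 * 3600) -> dict:
    """Dry run: feed log lines in at t=0, then prune just before and at the ttl."""
    issued: List[str] = []
    bl = ExpiringBlocklist(run=lambda argv: issued.append(" ".join(argv)), ttl=ttl)
    bl.setup()
    for line in lines:
        ip = probing_ip(line)
        if ip:
            bl.block(ip, now=0)
    result = {"blocked": sorted(bl.expiry)}
    result["unblocked_early"] = bl.prune(now=ttl - 1)   # nothing has expired yet
    result["unblocked_at_ttl"] = bl.prune(now=ttl)      # both rules are removed
    result["commands"] = issued
    return result


if __name__ == "__main__":
    for cmd in demo()["commands"]:
        print(cmd)
```

Running it prints the six iptables commands the dry run would have executed: create the chain, jump to it from the top of INPUT, two DROP rules, and the two deletions once the ttl is up. Repeated probes from the same address extend the existing rule instead of adding a duplicate, which is what keeps the chain from growing without bound. On a current kernel a set (ipset, or an nftables set) is the usual place to hold thousands of addresses, but the ordering point is the same: the block has to be consulted before any rule that would accept the traffic.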