02-16-2011, 03:06 PM
#1
Member
Registered: Mar 2009
Location: Belgium
Distribution: Ubuntu server 12.04 LTS / Raspbian Wheezy
Posts: 64
Using some application to block IP addresses
OK, now that I have managed to get my rsyslogd to log the firewall into a separate file, I would like to use a script which looks into this file for intruders which, for example, try to ping, telnet, ssh, rdp etc. into my dsl connection.
And then use a kind of app or firewall on my ubuntu server to block them.
Yes, my firewall logs them but does not block them if the policy is enabled, so they have access through the firewall and connect to my server, but I only want some known IP addresses to have access through it, and this I cannot program in the firewall, so I have to use some extras.
Or am I thinking way too far, and is there a better solution with IPtables or an app?
Is it possible to watch tcp connections between the firewall from outside IP addresses and the ubuntu server?
Last edited by rytec; 02-16-2011 at 03:46 PM.
02-16-2011, 04:23 PM
#2
Member
Registered: Aug 2009
Location: Chicago
Distribution: CentOS
Posts: 114
CSF (config-server firewall) is an excellent front-end for IPtables. You can configure it to block, say, anyone who has failed to log in via SSH 5 times within a short time span.
http://www.configserver.com/cp/csf.html
02-16-2011, 04:31 PM
#3
Member
Registered: Mar 2008
Posts: 155
iptables has a limit test that will match so many packets per sec/min/hour/day that match the rule. I've also used this script in a cronjob that scans the syslog for ssh "Invalid user" or "not allowed" messages and drops the offending source IP address in hosts.deny:
Code:
#!/bin/bash
# Scan /var/log/messages for failed ssh logins, count the failures per
# source IP, and rewrite /etc/hosts.deny with every IP at or above MAXCOUNT.
LAST_IP=0.0.0.0
COUNT=1
# Set MAXCOUNT to the maximum failures allowed before blacklisting
MAXCOUNT=5
#
# The three lines below put the leading lines in /etc/hosts.deny
# Note: This script overwrites the entire /etc/hosts.deny file.
#
echo '
# file created by /root/blackhole.sh
# insert any entries to hosts.deny here
# ALL EXCEPT sshd: ALL ' > /etc/hosts.deny
#
# Scan the /var/log/messages file for failed login attempts via ssh.
# Parse out the IP address, and count the failure occurrences from that IP.
# If the IP fails MAXCOUNT times or more - deny further access.
# The list is sorted so equal IPs are adjacent; the trailing 0.0.0.0 is a
# sentinel that forces the last real IP to be checked as well.
#
for IP in $(/bin/grep sshd /var/log/messages | /bin/grep "Invalid user\|not allowed" | /bin/sed 's/^.*from //' | /bin/sed 's/not allowed.*//' | /bin/sort) 0.0.0.0; do
    if [ "${LAST_IP}" = "${IP}" ]; then
        COUNT=$((COUNT + 1))
    else
        if [ "${COUNT}" -ge "${MAXCOUNT}" ]; then
            echo "ALL: ${LAST_IP}" >> /etc/hosts.deny
        fi
        LAST_IP=${IP}
        COUNT=1
    fi
done
echo "# end of hosts.deny" >> /etc/hosts.deny
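As an added example (mine, not tsg's script or any tool named in the thread), the same count-per-source idea taken a step further: it counts with awk instead of relying on sorted adjacency, also recognises vsftpd failures, and only emits hosts.deny lines that are not already present, so a cron job can append rather than rewrite the file. Assumed line formats: sshd "Invalid user NAME from IP" or "User NAME from IP not allowed ...", vsftpd 'FAIL LOGIN: Client "IP"'; the function names and sample log lines are constructed.

```shell
#!/bin/bash
# Added example, not tsg's script: count failed logins per source IP from
# sshd and vsftpd log lines on stdin and print the repeat offenders.
# Assumed line formats (sample lines below are constructed):
#   sshd:   "Invalid user NAME from IP" or "User NAME from IP not allowed ..."
#   vsftpd: 'FAIL LOGIN: Client "IP"'

# Usage: repeat_offenders MAXCOUNT < logfile
# Prints "IP COUNT" for every IP with COUNT >= MAXCOUNT, highest count first.
repeat_offenders() {
    local max="$1"
    awk -v max="$max" '
        # sshd lines: the IP is the word right after "from"
        /sshd/ && (/Invalid user/ || /not allowed/) {
            for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        # vsftpd lines: the IP sits between the quotes after Client
        /FAIL LOGIN: Client/ {
            if (match($0, /Client "[^"]+"/)) n[substr($0, RSTART + 8, RLENGTH - 9)]++
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# Usage: new_deny_lines MAXCOUNT DENYFILE < logfile
# Prints the "ALL: IP" lines that are not yet in DENYFILE, so a cron job can
# append them (>> DENYFILE) without rewriting the file or duplicating entries.
new_deny_lines() {
    local max="$1" deny="$2" ip rest
    repeat_offenders "$max" | while read -r ip rest; do
        grep -qxF "ALL: $ip" "$deny" 2>/dev/null || echo "ALL: $ip"
    done
}

# Constructed sample log lines (RFC 5737 test addresses, not real hosts).
SAMPLE_LOG='Feb 16 15:01:02 srv sshd[1234]: Invalid user admin from 203.0.113.9
Feb 16 15:01:05 srv sshd[1235]: Invalid user admin from 203.0.113.9
Feb 16 15:01:09 srv sshd[1236]: User root from 203.0.113.9 not allowed because not listed in AllowUsers
Feb 16 15:02:00 srv sshd[1240]: Invalid user test from 198.51.100.7
Feb 16 15:03:00 srv sshd[1241]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2
Wed Feb 16 15:04:01 2011 [pid 1300] [anonymous] FAIL LOGIN: Client "203.0.113.9"
Wed Feb 16 15:04:02 2011 [pid 1301] [ftpuser] FAIL LOGIN: Client "198.51.100.7"'

# Stand-alone demo: with MAXCOUNT=3 only 203.0.113.9 (4 failures) is listed.
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 3
```

The successful "Accepted publickey" line is deliberately in the sample to show it is not counted.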
02-17-2011, 03:21 PM
#4
Member
Registered: Mar 2009
Location: Belgium
Distribution: Ubuntu server 12.04 LTS / Raspbian Wheezy
Posts: 64
Original Poster
Is it better to use UFW instead of IPtables in commandline mode? And what happens with the IPtables rules if you use UFW rules too?
02-17-2011, 04:26 PM
#5
Senior Member
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070
Quote:
Originally Posted by rytec
Is it better to use UFW instead of IPtables in commandline mode? And what happens with the IPtables rules if you use UFW rules too?
Not really; all of these tools under Linux (and I could probably find a dozen or two) are designed as easy ways to generate iptables rules. So, in theory, you could mix and match rules, but in practice, if one approach sets up a chain that the other tool doesn't know anything about, it is probably a recipe for problems. With something like UFW, they might have a little 'special sauce' (expert knowledge, rather than any proprietary technology) to make, eg, DoS attacks less likely to succeed. But, you can always inspect the ruleset a tool generates and see whether you understand all of it...
Logically, of course, a set of rules is a set of rules. So, if you write exactly the same set of rules by hand, or it comes out of a generator script, it is still the same set of rules and still does exactly the same thing. (something like UFW is likely to do stuff in addition to setting up firewall rules, though; but you could copy those things too.)
Quote:
And then use a kind of app or firewall on my ubuntu server to block them. Yes my firewall logs them but does not block them
Again, there are probably about a dozen slightly different ways of skinning this particular cat, all slightly different, all doing vaguely the same sort of thing, all having slightly different advantages and disadvantages.
From where you are (ie, with a log file containing a list of 'bad' ips), you could consider running a simple filter that strips those IPs out and uses that list as a blacklist. I'm not sure that I'd advise that for a couple of reasons:
- unless you do something else as well, that blacklist could grow very large, and if you do a very large number of compares, you could slow things down to an extent that makes a DoS more likely to succeed (and I hate that idea)
- and there is miscellaneous scripting -re-inventing the wheel- that you could get wrong (and I hate that idea too)
Look at denyhosts, blockhosts and fail2ban, and this for example.
Another approach is here (simply looking at open connections from standard linux commands and using that for the block list).
At this point, you could reasonably suggest that I have given you too many choices (and the one suggested by tsg is valid, too); If you can define exactly what you are defending against, you can quite simply get to a point at which you can tell whether any particular approach does the business; the problem is that if you define the problem incorrectly, you'll have to be lucky for the solution to work.
Quote:
ping, telnet, ssh, rdp etc
telnet??? telnet is insecure as a very insecure thing and you shouldn't be running it. ping is perhaps something that you might not desire in a security-paranoid kind of context, but shouldn't be too damaging; can't you just drop packets from the outside world on the appropriate port?
ssh can be potentially quite problematic; are you going to ssh in from the outside world? If not, just block ssh from the outside world. If you are to ssh in from the outside, read this. rdp? Again, can you block it from the outside world?
02-17-2011, 05:17 PM
#6
Moderator
Registered: May 2001
Posts: 29,415
Quote:
Originally Posted by salasi
telnet??? telnet is insecure as a very insecure thing and you shouldn't be running it.
...which brings us to the fact that the OP might be doing the right things the wrong way, as he says in his OP:
Quote:
Originally Posted by rytec
I only want some known IP addresses have access through it
so in essence he should 0) disable unnecessary (network-facing) services before doing anything else, 1) configure limits, password aging, force pubkey auth etc, etc on any user accounts that will log in from remote, restrict access to all other accounts and ensure proper auditing is in place, 2) configure and harden services that need to be available and only then 3) allow only those "known IP addresses" access to those services. In short: first harden the machine, then the network.
* tsg's iptables "-m limit" example is a good example of what Netfilter has to offer (it really has a lot more useful modules) and its fire-and-forget approach which contrasts with "deflate" which is a script (userland: slower), its dependencies (netstat, crond, mailx) and "seemingly notable features" like email (which users will either forget to read, forget to respond to or will simply ignore after 3000 emails anyway).
Quote:
Originally Posted by rytec
Is it possible to watch tcp connections between the firewall from outside IP addresses and the ubuntu server?
'watch -n 2 "iptables -n -t filter -L|grep ^[0-9].*tcp";', netstat, iftop, iptstate, ntop, you name it.
02-18-2011, 02:00 AM
#7
Member
Registered: Mar 2009
Location: Belgium
Distribution: Ubuntu server 12.04 LTS / Raspbian Wheezy
Posts: 64
Original Poster
Thank you all for this wide bundle of information.
I have a hardware Watchguard Firebox III behind my dsl connection, so I already do a lot of blocking there. But some services I can't deny which go to my Ubuntu server, and in the Firebox I cannot check on timeouts or wrongly entered passwords for FTP, for example, so that's what I have to do in the server.
I will have to re-read your answers over and over to find out what is best for me.
On the other hand, I don't like to use those webmin features because I'm very curious to learn and understand the commandline rules.
I think I will try out the script from tsg and use it also for FTP connections; what would be a good value for the time it should run? Every 10 minutes?
And do I have to change anything in rsyslog so the failures for FTP or SSH logins will be stored in the messages logfile?
Last edited by rytec; 02-18-2011 at 02:07 AM.
02-18-2011, 02:19 AM
#8
Moderator
Registered: May 2001
Posts: 29,415
Quote:
Originally Posted by rytec
I think I will try out the script from tsg and use it also for FTP connections; what would be a good value for the time it should run? Every 10 minutes?
I retract my previous statement about tsg's work as I mistook it for an iptables script: his is as unnecessary as "deflate": best use fail2ban as suggested by salasi because tcp wrappers do not block things at the network level, which you should prefer over service level blocking, see this.
Quote:
Originally Posted by rytec
I will have to re-read your answers over and over to find out what is best for me.
If you're new to Linux then your definition of "best", with all due respect, may be based on what little you know. If my reply of "harden first..." doesn't sound like the single best approach then I strongly suggest you read up on system hardening or ask additional specific questions.
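Post #6 praises the fire-and-forget Netfilter approach and post #8 prefers blocking at the network level rather than in tcp wrappers; as an added example (mine, not from the thread, fail2ban, CSF or UFW), here is a generator for an iptables-restore ruleset that does exactly that for SSH: the listed known addresses always get through, while every other source is tracked per address by the recent match (unlike the global counter of -m limit) and dropped once it has opened MAX_HITS new connections inside WINDOW seconds. Assumed: sshd listens on port 22, chain and list names are my own, and loading the output with iptables-restore replaces the whole filter table (policies are left ACCEPT so other ports are unaffected).

```shell
#!/bin/bash
# Added example (not from the thread, fail2ban, CSF or UFW): print an
# iptables-restore ruleset that throttles new SSH connections per source
# address inside the kernel, with an allow-list of known addresses that
# are never counted. Chain and list names (SSH_GUARD, sshbrute) are mine.
#
# Usage: ssh_guard_rules MAX_HITS WINDOW_SECONDS KNOWN_IP...
ssh_guard_rules() {
    local hits="$1" window="$2" ip
    shift 2
    echo '*filter'
    # Policies stay ACCEPT so only port 22 is affected by this table.
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':SSH_GUARD - [0:0]'
    # Packets of established sessions never reach the counter; only
    # brand-new SSH connections are sent to SSH_GUARD.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_GUARD'
    # Known addresses bypass the counter entirely.
    for ip in "$@"; do
        echo "-A SSH_GUARD -s $ip -j ACCEPT"
    done
    # A source already recorded MAX_HITS times inside WINDOW is dropped;
    # --update also refreshes its timestamp, so a scanner that keeps
    # retrying stays blocked until it has been quiet for WINDOW seconds.
    echo "-A SSH_GUARD -m recent --name sshbrute --update --seconds $window --hitcount $hits -j DROP"
    # Otherwise record this attempt and let the connection through.
    echo '-A SSH_GUARD -m recent --name sshbrute --set -j ACCEPT'
    echo 'COMMIT'
}

# Helper for reviewing a generated ruleset: number of rules on stdin
# that end in the given target (ACCEPT, DROP, ...).
count_target() {
    grep -c -e "-j $1\$"
}

# Stand-alone demo with two constructed (RFC 5737) known addresses: after
# 5 new connections within 10 minutes, further ones from that source drop.
ssh_guard_rules 5 600 203.0.113.5 198.51.100.7
```

Feed the output to iptables-restore --test first to have the kernel parse it without loading it.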