On Thu, 1 Jan 2009, Napoleon wrote:
I'll admit I'm still pretty green at a lot of this (lots of experience in
computers, little in Linux) and don't understand everything. But I'm trying
to learn, so please go easy on me :-)
I've been having a problem with dictionary hacker attempts on my system
(hundreds or even thousands a day), so I implemented the following rules:
# Kill ssh hackers - watch for more than 3 connection attempts in under
# 15 minutes and reject for 24 hours
iptables -N SSH-EVIL
iptables -A SSH-EVIL -m recent --name badSSH --set -j LOG --log-level DEBUG --log-prefix "evil SSH user: "
iptables -A SSH-EVIL -j REJECT
iptables -N SSH
iptables -A SSH -p tcp ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A SSH -p tcp --syn -m recent --name badSSH --rcheck --seconds 86400 -j REJECT
iptables -A SSH -p tcp --syn -m recent --name sshconn --rcheck --seconds 900 --hitcount 3 -j SSH-EVIL
iptables -A SSH -p tcp --syn -m recent --name sshconn --set
iptables -A SSH -p tcp --syn -j ACCEPT
And something similar for ftp. These work well. But I'm also getting people
trying to break in via the POP interface (I'm using qpopper). So I tried the
following, which does not work:
iptables -N POP-EVIL
iptables -A POP-EVIL -m recent --name badPOP --set -j LOG --log-level DEBUG --log-prefix "evil POP user: "
iptables -A POP-EVIL -j REJECT
iptables -N POP
iptables -A POP -p tcp -i eth0 --dport 110 ! --syn -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name badPOP --rcheck --seconds 86400 -j REJECT
iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --rcheck --seconds 900 --hitcount 5 -j POP-EVIL
iptables -A POP -p tcp -i eth0 --dport 110 -m recent --name popconn --set
iptables -A FTP -p tcp --syn -j ACCEPT
So my question is: what am I doing wrong in the POP interface, and how can I
stop it here also?
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject
of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
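An added example (not part of the thread) that models the xt_recent --set / --rcheck semantics both chains above rely on and walks constructed SYN events through the SSH chain's rule order; the per-address timestamp limit (ip_pkt_list_tot, default 20) and the sample addresses are assumptions.

```python
from collections import defaultdict

# Model of one xt_recent list ('sshconn', 'badSSH', ...). The kernel keeps a
# bounded number of timestamps per address (ip_pkt_list_tot, default 20, an
# assumption here), so a --hitcount above that limit can never match.
class RecentList:
    def __init__(self, max_stamps=20):
        self.stamps = defaultdict(list)   # ip -> list of hit times (seconds)
        self.max_stamps = max_stamps

    def set(self, ip, now):
        """--set: add the address, or a fresh timestamp for an existing one."""
        hits = self.stamps[ip]
        hits.append(now)
        del hits[:-self.max_stamps]       # drop the oldest beyond the limit

    def rcheck(self, ip, now, seconds, hitcount=1):
        """--rcheck --seconds S [--hitcount N]: listed, >= N hits within S."""
        if ip not in self.stamps:
            return False
        in_window = [t for t in self.stamps[ip] if now - t <= seconds]
        return len(in_window) >= hitcount


def new_syn(ip, now, banned, conns, window=900, hits=3, ban=86400):
    """Walk one new SYN through the rule order of the post's SSH chain."""
    if banned.rcheck(ip, now, ban):           # --name badSSH --rcheck --seconds 86400 -j REJECT
        return "REJECT (banned)"
    if conns.rcheck(ip, now, window, hits):   # --name sshconn --rcheck --seconds 900 --hitcount 3
        banned.set(ip, now)                   # SSH-EVIL: --name badSSH --set, then REJECT
        return "REJECT (evil)"
    conns.set(ip, now)                        # --name sshconn --set
    return "ACCEPT"


def simulate(events, **limits):
    """events: list of (time, src_ip) SYN packets; returns one verdict per event."""
    banned, conns = RecentList(), RecentList()
    return [new_syn(ip, t, banned, conns, **limits) for t, ip in events]


# Constructed sample: one noisy client and one normal client (not real traffic).
SAMPLE = [(0, "10.0.0.5"), (10, "10.0.0.5"), (20, "10.0.0.5"), (30, "10.0.0.5"),
          (40, "10.0.0.5"), (50, "192.0.2.10"), (86431, "10.0.0.5")]

if __name__ == "__main__":
    for (t, ip), verdict in zip(SAMPLE, simulate(SAMPLE)):
        print(f"t={t:>6} {ip:<12} {verdict}")
```

Because --rcheck runs before --set, the fourth SYN inside the window is the first one rejected, and the 24-hour ban is measured from the moment the address entered the EVIL chain; passing hits=5 reproduces the POP chain's threshold.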
Solution: apt-get install fail2ban (read up on the docs, it can drop IPs
based on attempts etc)
Justin.