IP Address blocking

Scot L. Harris webid at cfl.rr.com
Thu Jan 6 04:08:42 UTC 2005


On Wed, 2005-01-05 at 21:53, Chris Ruprecht wrote:
> Hello all,
> 
> I have looked through the list archives and read the replies others have
> made about the issue - but nothing seems to fix the problem.
> 
> Every other morning, I read the system logs from the day before and
> there are a number of break in attempts (usually 59) to root and a few
> to a slew of other accounts.
> I would like to know if there is any program in existence that detects
> these attempts and blocks the IP address from sending anything my way
> ever again.

Snort or portsentry is probably what you are looking for.

> I currently have 'minimum' security. I have a router set up with NAT
> translation of a few ports pointing to the server box (FC2). Most of the
> usual suspects (telnet, ftp) are pointing to non-existing machines.

If you are not using the service just block it at the firewall and don't
forward them anywhere.  As is, I think port scans will show them,
indicating there is a real system somewhere at that address.

> On the server, I have the firewall switched off as I do not have a clear
> understanding how to configure it properly and I just hate to find
> myself in a situation where I'm not at home and can't log in ;-).
> 

At least you have a NAT router/firewall in front of it, but it would be
better to have the firewall on the server set up correctly as a second
line of defense.

Simple suggestion is to configure ssh on your server to run on a
non-standard port, move it from port 22 to some higher port like 3030 or
something that is not used.  This alone should eliminate the script
kiddie scans you are seeing in the log files.  Just forward that port
3030 or whatever you select to your server from your firewall.

Understand though this is security by obscurity and will not prevent
someone that is motivated.  But it will hide your system from the vast
majority of script kiddies and automated tools that rattle the locks on
all systems with port 22 exposed.

Don't use telnet either, ssh version 2 is much more secure.

Limit ssh to a specific user account, and block root from logging in. 
This is done in the /etc/ssh/sshd_config file.

Don't forward anything but the port you use for ssh.  You can confirm
that is working as expected by using the port scan function ShieldsUP at
http://www.grc.com.

> If somebody could point me to some documents that describe in simple
> terms, how to configure the firewall properly, I'd appreciate it.
> 

Take a look at the man pages and use the /etc/sysconfig/iptables file as
an example.  It is fairly easy to put new rules in that file manually.

> I have looked at firestarter and yes, it works - it either blocks
> traffic or it lets traffic in - but it looks a little too primitive for
> a production server. 

-- 
Scot L. Harris
webid at cfl.rr.com

You will be held hostage by a radical group. 
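An added example, not part of Scot's reply or the list archive: a small shell audit that reads an sshd_config and reports whether it follows the advice above (non-standard port, SSH protocol 2 only, PermitRootLogin no, AllowUsers set). The sample configs and file names are constructed, and the fallback defaults for missing keywords are assumptions about OpenSSH of that era.

```shell
#!/bin/sh
# Added example, not from the list post. Audits an sshd_config against the
# advice above. sshd applies the FIRST uncommented occurrence of a keyword;
# a missing keyword means the old default (assumed here: Port 22,
# PermitRootLogin yes, Protocol 2,1 on the OpenSSH shipped with FC2).
sshd_opt() {   # usage: sshd_opt FILE keyword DEFAULT  (keyword in lowercase)
    v=$(sed 's/#.*//' "$1" | awk -v k="$2" \
        'tolower($1)==k { $1=""; sub(/^ /, ""); print; exit }')
    printf '%s' "${v:-$3}" | tr 'A-Z' 'a-z'
}
check_sshd_config() {   # prints each finding; returns 0 only if all pass
    f="$1"; rc=0
    case "$(sshd_opt "$f" port 22)" in
        22) echo "FAIL: sshd listens on port 22 (move it to a non-standard port)"; rc=1 ;;
    esac
    case "$(sshd_opt "$f" protocol '2,1')" in
        *1*) echo "FAIL: SSH protocol 1 still allowed (set Protocol 2)"; rc=1 ;;
    esac
    case "$(sshd_opt "$f" permitrootlogin yes)" in
        no) ;;
        *)  echo "FAIL: root can log in over ssh (set PermitRootLogin no)"; rc=1 ;;
    esac
    [ -n "$(sshd_opt "$f" allowusers '')" ] ||
        { echo "FAIL: no AllowUsers line (limit ssh to a named account)"; rc=1; }
    return $rc
}
# Constructed sample configs: a stock-looking weak one and a hardened one.
write_weak_config() {
    cat > "$1" <<'EOF'
#Port 22
Protocol 2,1
#PermitRootLogin yes
X11Forwarding yes
EOF
}
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 3030
Protocol 2
PermitRootLogin no
AllowUsers chris
EOF
}
tmp=$(mktemp -d)
write_weak_config "$tmp/weak";     check_sshd_config "$tmp/weak" || echo "-> weak config rejected"
write_hardened_config "$tmp/hard"; check_sshd_config "$tmp/hard" && echo "-> hardened config OK"
rm -rf "$tmp"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` after the port forward on the NAT router has been changed to match, so you are not locked out.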