iptables with logging vs denyhosts
sberg at mississippi.com
sberg at mississippi.com
Tue Jul 7 10:07:11 UTC 2015
Have you looked at fail2ban? It watches /var/log/secure for break in attempts/failed logins and dynamically adds iptables rules to block the bad guys. It will do (automatically) pretty much what you're doing manually.
----- Original Message -----
From: dwoody5654 [mailto:dwoody5654 at gmail.com]
To: users at lists.fedoraproject.org
Sent: Mon, 06 Jul 2015 22:35:51 -0500
Subject: iptables with logging vs denyhosts
I have been using denyhosts for almost a year. To date I have only
prevented one person logging in and that is ME ( I used the wrong login
name).
Also, I know of no successful break-ins.
My iptables is as follows:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N block
-A INPUT -j block
-A FORWARD -j block
-A block -i wifi_card -p tcp -m tcp --dport 12123 -j ACCEPT
-A block -i Nic_external -p tcp -m tcp --dport 12123 -j ACCEPT
-A block -i Nic_enternal -j ACCEPT
-A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A block -i lo -m conntrack --ctstate NEW -j ACCEPT
-A block -j DROP
First, I think that the above will keep the bad guys out, Is that a true
statement?
Sencondly, I have added a LOG rule just above the DROP rule and I have
been monitoring it for about 1 1/2 weeks. As each entry is logged I have
been adding it to /etc/hosts.deny. Currently there are 4318 ip adresses
in the file and the number of packets that have been logged is 51592.
Denyhosts is for stopping ssh attempts and nothing else as I understand it.
Having over 4300 lines in /etc/hosts.deny causes almost no delay in
logging in remotely.
Am I being to paranoid about keeping the bad guys out or is the iptable
above completely adequate?
I would very much like to here your opinion on this,
David
--
users mailing list
users at lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
More information about the users
mailing list