iptables with logging vs denyhosts

dwoody5654 dwoody5654 at gmail.com
Tue Jul 7 16:09:17 UTC 2015


On 07/07/2015 05:07 AM, sberg at mississippi.com wrote:
> Have you looked at fail2ban?  It watches /var/log/secure for break in attempts/failed logins and dynamically adds iptables rules to block the bad guys.  It will do (automatically) pretty much what you're doing manually.
Thanks for your quick response.
Looked at fail2ban per your recommendation. It does monitor more ports 
than denyhosts. So I looked at how many different ports have been 
attacked on my computer, a total of over 4200.

Are these additional ports of no consequence? Or is it still good to 
lock the requesting IP address out?

You did not say whether my iptables setup was adequate or not so I 
presume that it is.

Thanks,

David

>
> ----- Original Message -----
> From: dwoody5654 [mailto:dwoody5654 at gmail.com]
> To: users at lists.fedoraproject.org
> Sent: Mon, 06 Jul 2015 22:35:51 -0500
> Subject: iptables with logging vs denyhosts
>
> I have been using denyhosts for almost a year. To date I have only
> prevented one person logging in and that is ME ( I used the wrong login
> name).
> Also, I know of no successful break-ins.
>
> My iptables is as follows:
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -N block
> -A INPUT -j block
> -A FORWARD -j block
> -A block -i wifi_card -p tcp -m tcp --dport 12123 -j ACCEPT
> -A block -i Nic_external -p tcp -m tcp --dport 12123 -j ACCEPT
> -A block -i Nic_enternal -j ACCEPT
> -A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A block -i lo -m conntrack --ctstate NEW -j ACCEPT
> -A block -j DROP
>
> First, I think that the above will keep the bad guys out, is that a true
> statement?
>
> Secondly, I have added a LOG rule just above the DROP rule and I have
> been monitoring it for about 1 1/2 weeks. As each entry is logged I have
> been adding it to /etc/hosts.deny. Currently there are 4318 IP addresses
> in the file and the number of packets that have been logged is 51592.
>
> Denyhosts is for stopping ssh attempts and nothing else as I understand it.
>
> Having over 4300 lines in /etc/hosts.deny causes almost no delay in
> logging in remotely.
>
> Am I being too paranoid about keeping the bad guys out or is the iptables
> above completely adequate?
>
> I would very much like to hear your opinion on this,
>
> David
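The thread's approach (a LOG rule just above the final DROP, then hand-copying each logged source into /etc/hosts.deny) is what fail2ban and denyhosts automate. The script below is an added example, not code from the thread or from either tool: it parses kernel lines in the format the iptables LOG target writes, tallies hits per source and per destination port, and turns repeat offenders into iptables rules. The log prefix "IPT-DROP: " is an assumed `--log-prefix` value, the interface name is borrowed from the thread's ruleset, and every log line is a constructed sample. Note that /etc/hosts.deny only affects services linked against tcp_wrappers (sshd among them); packets to the other ports in the thread are already refused by the DROP policy, and hosts.deny entries do nothing for them, so the tally is mostly useful for deciding which sources are worth a firewall rule.

```python
"""
Tally iptables LOG entries before deciding what to block.

Added example, not from the mailing-list thread. The sample lines are
constructed; "IPT-DROP: " is an assumed --log-prefix; Nic_external is
the interface name used in the thread's ruleset.
"""
import re
from collections import Counter

# Constructed samples, shaped like what a rule such as
#   -A block -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
# placed just above "-A block -j DROP" writes to /var/log/messages.
# The final sshd line is there to show non-firewall lines are ignored.
SAMPLE_LOG = """\
Jul  7 03:12:01 host kernel: IPT-DROP: IN=Nic_external OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  7 03:12:02 host kernel: IPT-DROP: IN=Nic_external OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  7 03:12:03 host kernel: IPT-DROP: IN=Nic_external OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  7 03:15:44 host kernel: IPT-DROP: IN=Nic_external OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.33 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  7 03:16:10 host kernel: IPT-DROP: IN=Nic_external OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.33 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=UDP SPT=5060 DPT=5060 LEN=20
Jul  7 03:20:00 host kernel: IPT-DROP: IN=Nic_external OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.77 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jul  7 03:21:00 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 50000 ssh2
"""

LOG_PREFIX = "IPT-DROP: "  # assumed --log-prefix

# SRC= and PROTO= are always present in a LOG line; DPT= only for TCP/UDP/SCTP.
LOG_RE = re.compile(
    re.escape(LOG_PREFIX)
    + r".*?\bSRC=(?P<src>[0-9a-fA-F.:]+)"
    + r".*?\bPROTO=(?P<proto>\w+)"
    + r"(?:.*?\bDPT=(?P<dport>\d+))?"
)


def parse_entry(line):
    """Return {'src', 'proto', 'dport'} for a LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dport = m.group("dport")
    return {
        "src": m.group("src"),
        "proto": m.group("proto"),
        "dport": int(dport) if dport is not None else None,
    }


def summarize(log_text):
    """Count logged packets per source address and per (proto, dport)."""
    per_source = Counter()
    per_port = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        per_source[entry["src"]] += 1
        per_port[(entry["proto"], entry["dport"])] += 1
    return per_source, per_port


def distinct_ports(per_port):
    """How many different destination ports were probed (ICMP has none)."""
    return len({key for key in per_port if key[1] is not None})


def candidates_for_block(per_source, threshold=3):
    """Sources that hit the DROP rule at least `threshold` times, busiest first."""
    hits = [(src, n) for src, n in per_source.items() if n >= threshold]
    hits.sort(key=lambda item: (-item[1], item[0]))
    return [src for src, _ in hits]


def block_rules(sources):
    """Rules inserted at the top of the thread's 'block' chain, one per source."""
    return [f"-I block -s {src} -j DROP" for src in sources]


if __name__ == "__main__":
    sources, ports = summarize(SAMPLE_LOG)
    print(f"{len(sources)} sources, {distinct_ports(ports)} distinct ports, "
          f"{sum(sources.values())} logged packets")
    for rule in block_rules(candidates_for_block(sources)):
        print(rule)
```

Two design points a practitioner would keep: put `-m limit` on the LOG rule so a flood of dropped packets cannot fill the log faster than it can be read, and raise `threshold` (and, in real use, add an expiry) before feeding rules back into iptables, since every one of the 4318 addresses in the thread is already dropped by policy and a rule per address only buys a shorter path to the same outcome.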