Re: iptables & tcp wrappers

From: Matthew Baker (m_at_netgates.co.uk)
Date: 10/05/04

Date: Tue, 05 Oct 2004 18:26:55 +0100
To: focus-linux@securityfocus.com

    Luis M wrote:

    >I know this has been answered in many ways already, but this is yet
    >another approach.
    >
    and another.....

    I have rewritten a perl module into a script which is actually used on
    our mail server (MailScanner www.mailscanner.info) credit to Julian
    Field for that. What it does is monitor the output from auth logs (using
    swatch) and takes the IP addresses of failed/invalid attempts and
    records the number of attempts made from that IP in a database file.
    Then when the counter goes above a configured threshold (which can be
    different for a single host or CIDR network) the IP is inserted as a
    DROP rule into a custom chain using IPtables.
    No need for reloading all the chains. The script is only called when the
    fail pattern is matched in swatch and the IPtables insert is only done
    once when the threshold is reached.
    I have documented it more on a little web page here:
    http://www.gwork.org/authwatch

    Although I still get failed logins I will only get a max of 6 attempts
    as opposed to 1000's. The script can also be tailored to work with other
    log output, combining failures from ftp, smtp auth, etc...

    I've not released any of my scripts before so any feedback would be welcome,

    Hope it helps.

    Matt
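The counting-and-threshold logic Matt describes, as an added Python example that is not the authwatch script or any code from the post: it parses constructed sshd log lines (one per call, as swatch would hand them over), keeps a per-IP failure count in memory in place of the post's database file, picks the threshold from the most specific matching CIDR, and emits the iptables insert exactly once. The chain name AUTHWATCH, the threshold values and the sample log lines are all assumptions; a deployment would run the returned argv with subprocess and have INPUT jump to that chain.

```python
import ipaddress
import re
from collections import Counter
# Constructed sshd log lines in syslog format (not taken from the original post).
SAMPLE_LOG = """\
Oct  5 18:01:02 mail sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 4021 ssh2
Oct  5 18:01:05 mail sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Oct  5 18:01:09 mail sshd[2103]: Failed password for root from 198.51.100.20 port 5001 ssh2
Oct  5 18:01:14 mail sshd[2105]: Failed password for invalid user guest from 203.0.113.7 port 4023 ssh2
Oct  5 18:01:16 mail sshd[2106]: Failed password for invalid user guest from 203.0.113.7 port 4024 ssh2
Oct  5 18:01:20 mail sshd[2107]: Accepted password for matt from 192.0.2.9 port 4100 ssh2
"""
# The "fail pattern" swatch would match; only the source IP is captured.
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3})")
# Per-network thresholds (assumed values): the most specific matching network wins,
# and 0.0.0.0/0 is the default for everything else.
THRESHOLDS = [
    (ipaddress.ip_network("198.51.100.0/24"), 6),
    (ipaddress.ip_network("0.0.0.0/0"), 3),
]

def threshold_for(ip):
    addr = ipaddress.ip_address(ip)
    return max((net.prefixlen, limit) for net, limit in THRESHOLDS if addr in net)[1]

class AuthWatch:
    """Counts failures per source IP and emits one DROP insert when a threshold is hit."""
    def __init__(self, chain="AUTHWATCH"):  # chain name is an assumption
        self.chain = chain
        self.counts = Counter()  # stands in for the post's on-disk database file
        self.blocked = set()

    def feed(self, line):
        """Process one log line; return the iptables argv to run, or None."""
        m = FAIL_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        self.counts[ip] += 1
        if ip in self.blocked or self.counts[ip] < threshold_for(ip):
            return None
        self.blocked.add(ip)  # insert exactly once, never again on later failures
        return ["iptables", "-I", self.chain, "-s", ip, "-j", "DROP"]

def process_log(text, chain="AUTHWATCH"):
    """Return the list of iptables commands that the log lines would trigger."""
    watch = AuthWatch(chain)
    return [cmd for cmd in map(watch.feed, text.splitlines()) if cmd]
```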

