RE: IPTABLES question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



ipset can eliminate the performance penalty of long lists


<><Randall Grimshaw
Room 203 Machinery Hall
Syracuse University
Syracuse, NY   13244
315-443-5779
rgrimsha@xxxxxxx
>>> mikepb@xxxxxxxxxxx 07/28/06 7:08 PM >>>
HA!  I TOP-POSTED!!!!  So SHOOT ME!

>>>> I know that the preferred way of controlling access is to use 
>>>> whitelists, but for my case I'd like to use IP blacklisting.

>>> At some point it affects performance. There are some workarounds.
>>> What problem are you trying to solve? What causes you to block an
IP?

>I second the suggestion about running SSHD on a different port. It's
>removed all my script kiddie attacks.   See /etc/ssh/sshd_config to
enable.

Moving ssh to a different port seems to be the easiest way, but
eventually
the scripts find the new port and start whacking it instead -- iptables
blocking is IMNSHO, a "better way" -- in that they can be logged --
useful
when you call in the feds.  (Of course honeypots are even better....)

This is what I have done to block over 2400 ip blocks with no
performance
hit measurable.  Of course, I whitelist some very common blocks first,
so
they avoid any delays, and most everyone else SHOULD be blocked so a
delay I
care not about.  Snippets only...

-A INPUT -i eth1 -d MY.EXTERNAL.IP -j ext_in

-A ext_in -p tcp -m tcp --dport 22 -j sshblock

-A sshblock -s G.0.0.D/I.P.BLCK.1 -j ACCEPT
-A sshblock -s G.0.0.D/I.P.BLCK.2 -j ACCEPT
-A sshblock -s 0.0.0.0/192.0.0.0 -j sshblock0
-A sshblock -s 64.0.0.0/192.0.0.0 -j sshblock64
-A sshblock -s 128.0.0.0/192.0.0.0 -j sshblock128
-A sshblock -s 192.0.0.0/224.0.0.0 -j sshblock192
-A sshblock -s 224.0.0.0/224.0.0.0 -j sshdrop
-A sshblock -j ACCEPT

sshblock0 gets addresses in 0.0.0.0 through 63.255.255.255
sshblock64 gets addresses in 64.0.0.0 through 127.255.255.255
sshblock128 gets addresses in 128.0.0.0 through 191.255.255.255
sshblock192 gets addresses in 192.0.0.0 through 223.255.255.255
224.0.0.0 through 255.255.255.255 goes to sshdrop (which logs as
"DROPPED_SSH_PACKET " and drops)

To help performance even further, the SYN flag can be added to the check
for
port 22 above, provided a "RELATED,ESTABLISHED" line exists in the same
chain.

I forgot the URL, but there is a site that has a database of IP block
assignments.  I periodically go to that site and download the blocks for
countries I NEVER want to receive email or ssh connections from, like
CN,
KR, MY, VN, FR, TW, BR, etc, and add them to the sshblock and smtpblock
lists.

--
Michael


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux