Re: iptables with logging vs denyhosts

On 07/07/2015 05:07 AM, sberg@xxxxxxxxxxxxxxx wrote:
Have you looked at fail2ban?  It watches /var/log/secure for break in attempts/failed logins and dynamically adds iptables rules to block the bad guys.  It will do (automatically) pretty much what you're doing manually.
Thanks for your quick response.
Looked at fail2ban per your recommendation. It does monitor more ports than denyhosts. So I looked at how many different ports have been attacked on my computer, a total of over 4200.

Are these additional ports of no consequence? Or is it still good to lock the requesting ip address out?

You did not say whether my iptables setup was adequate or not, so I presume that it is.

Thanks,

David


----- Original Message -----
From: dwoody5654 [mailto:dwoody5654@xxxxxxxxx]
To: users@xxxxxxxxxxxxxxxxxxxxxxx
Sent: Mon, 06 Jul 2015 22:35:51 -0500
Subject: iptables with logging vs denyhosts

I have been using denyhosts for almost a year. To date I have only 
prevented one person logging in and that is ME (I used the wrong login 
name).
Also, I know of no successful break-ins.

My iptables is as follows:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N block
-A INPUT -j block
-A FORWARD -j block
-A block -i wifi_card -p tcp -m tcp --dport 12123 -j ACCEPT
-A block -i Nic_external -p tcp -m tcp --dport 12123 -j ACCEPT
-A block -i Nic_enternal -j ACCEPT
-A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A block -i lo -m conntrack --ctstate NEW -j ACCEPT
-A block -j DROP

First, I think that the above will keep the bad guys out. Is that a true 
statement?

Secondly, I have added a LOG rule just above the DROP rule and I have 
been monitoring it for about 1 1/2 weeks. As each entry is logged I have 
been adding it to /etc/hosts.deny. Currently there are 4318 IP addresses 
in the file and the number of packets that have been logged is 51592.

Denyhosts is for stopping ssh attempts and nothing else as I understand it.

Having over 4300 lines in /etc/hosts.deny causes almost no delay in 
logging in remotely.

Am I being too paranoid about keeping the bad guys out, or is the iptables 
setup above completely adequate?

I would very much like to hear your opinion on this,

David
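The tallying the original message does by hand (and the port count mentioned in the reply above), as an added example that is not code from either poster: it parses the KEY=VALUE fields the iptables LOG target writes to the kernel log and counts packets per source address and per destination port. The "DROP:" log prefix, interface names and addresses are constructed sample data.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample lines in the format the iptables LOG target writes to
# the kernel log (the "DROP:" prefix is assumed; addresses are documentation
# ranges). The last line is an sshd line and must be ignored by the parser.
SAMPLE_LOG = """\
Jul  6 22:01:11 host kernel: DROP: IN=Nic_external OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44123 DPT=22 SYN
Jul  6 22:01:12 host kernel: DROP: IN=Nic_external OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44124 DPT=22 SYN
Jul  6 22:01:15 host kernel: DROP: IN=Nic_external OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=5555 DPT=23 SYN
Jul  6 22:01:20 host kernel: DROP: IN=Nic_external OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=5556 DPT=3389 SYN
Jul  6 22:01:25 host kernel: DROP: IN=Nic_external OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=28 PROTO=UDP SPT=53 DPT=1900
Jul  6 22:01:30 host kernel: DROP: IN=Nic_external OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jul  6 22:02:00 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 50000 ssh2
"""

# One KEY=VALUE token; "OUT=" legitimately has an empty value on inbound drops.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Return the KEY=VALUE fields of one iptables LOG line, or {} if it is not one."""
    if " kernel: " not in line or "SRC=" not in line:
        return {}
    return dict(FIELD_RE.findall(line))


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count logged packets in total, per source IP and per (protocol, destination port)."""
    packets = 0
    per_src: Counter = Counter()
    per_port: Counter = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if not fields:
            continue
        packets += 1
        per_src[fields["SRC"]] += 1
        # ICMP (and some other protocols) carry no DPT field; keep them under port None.
        dport = int(fields["DPT"]) if "DPT" in fields else None
        per_port[(fields["PROTO"], dport)] += 1
    return {"packets": packets, "sources": per_src, "ports": per_port}


def hosts_deny_lines(summary: Dict[str, object], min_packets: int = 1) -> List[str]:
    """Render the sources seen at least min_packets times as /etc/hosts.deny entries."""
    sources: Counter = summary["sources"]  # type: ignore[assignment]
    return [f"ALL: {ip}" for ip, n in sorted(sources.items()) if n >= min_packets]
```

Entries in /etc/hosts.deny are consulted only by services linked against tcp_wrappers (libwrap), so a source the firewall's DROP rule already discards gains nothing from also being listed there. A LOG rule placed above the DROP rule logs every dropped packet, so pairing it with a `-m limit` match keeps the kernel log from being flooded during a scan.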



-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org