
Firewall with timed blocking? [solved]


uralmasha

Hi!

 

I looked at /var/log/auth and discovered that there is someone (or several people) trying to log in to my machine via ssh, apparently using dumb password permutations, at 30-35 attempts per minute.

 

I have a firewall in the router already, and shorewall is running as well, but some ports like 22 I need myself, so I cannot just close them.

 

Is there a possibility to block some IPs for a while automatically after, say, N attempts to log in? Wouldn't like to make that example, but on Wi... another operating system, Norton Firewall does just that: it blocks suspiciously active IPs for half an hour (not for attempting to log in, but for port scans, but still).

 

It would be nice and would save tons of packets sent over the internet.

 

I use Mandriva LE, shorewall is running. There is a small database and web server on the machine that is always on-line.

Edited by uralmasha

Try the psad portscan detector at http://www.cipherdyne.org/psad/

 

Perhaps you may want to try some security through obscurity by configuring sshd to listen on another port. Most ssh clients let you specify another port to connect to.

 

I forgot to mention the iptables psd (portscan detection) match. See its description at http://www.netfilter.org/patch-o-matic/pom-base.html

I haven't tried it (status: stable for 2.4.x).

Edited by mrmagoo

mrmagoo,

 

thank you. I looked at the psd match that you recommended. I believe this is not exactly what I wanted, although I may need it later, too. My concern so far is only about brute-force attacks.

 

Nevertheless, your link brought me to another iptables match: "recent" (and the right keywords to dig further).

 

For future reference:

In this thread of the netfilter mailing list there is a script that does just that: it blocks a nuisance IP for a while.

 

Thank you!

 

Update:

If someone is using Shorewall, they might also be interested in the Shorewall action script that does the same thing:

1. Shorewall mailing list or 2. Jürgen Kreileder's blog

 

Both are quite similar and won't work with the 2.0 version shipped with Mandriva LE, but on the shorewall home page there is a pointer to the Mandriva RPMs of version 2.4.

Edited by uralmasha
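The iptables "recent" match approach the thread settles on, as an added example (not the script from the netfilter list, nor the Shorewall action): a source address that opens more than a given number of new connections to the ssh port inside a time window is logged and dropped, and stays dropped while it keeps trying. The chain name SSH_BRUTE, the list name sshbf, the defaults and the optional admin address are assumptions for the example; it needs an iptables with the state and recent matches available.

```shell
#!/bin/sh
# Added example: rate-limit new ssh connections with the iptables "recent"
# match. An address reaching HITS new connections within WINDOW seconds is
# dropped; --update refreshes its timestamp on every further attempt, so the
# block lasts until WINDOW seconds after the last attempt.
# Assumed names: chain SSH_BRUTE, recent list sshbf. Prints the rules by
# default; run with "apply" to load them.

ssh_ratelimit_rules() {
    port="$1"     # TCP port sshd listens on
    hits="$2"     # new connections tolerated ...
    window="$3"   # ... within this many seconds
    admin="$4"    # optional source address that is never rate-limited
    # --hitcount cannot exceed the module's per-address list length
    # (ip_pkt_list_tot, default 20), so refuse larger values up front.
    [ "$hits" -le 20 ] || { echo "hits must be <= 20" >&2; return 1; }
    printf 'iptables -N SSH_BRUTE\n'
    # Only NEW connections are inspected; established sessions are untouched.
    printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j SSH_BRUTE\n' "$port"
    if [ -n "$admin" ]; then
        printf 'iptables -A SSH_BRUTE -s %s -j RETURN\n' "$admin"
    fi
    # Record the source of every new connection in the sshbf list.
    printf 'iptables -A SSH_BRUTE -m recent --name sshbf --set\n'
    # Log (rate-limited) and then drop once HITS entries fall inside WINDOW.
    printf 'iptables -A SSH_BRUTE -m recent --name sshbf --update --seconds %s --hitcount %s -m limit --limit 6/min -j LOG --log-prefix "SSH brute-force: "\n' "$window" "$hits"
    printf 'iptables -A SSH_BRUTE -m recent --name sshbf --update --seconds %s --hitcount %s -j DROP\n' "$window" "$hits"
}

# Tracked addresses can be inspected afterwards in /proc/net/xt_recent/sshbf
# (/proc/net/ipt_recent/sshbf on older kernels).
if [ "$1" = "apply" ]; then
    ssh_ratelimit_rules "${SSH_PORT:-22}" "${HITS:-4}" "${WINDOW:-60}" "$ADMIN_SRC" | sh -e
else
    ssh_ratelimit_rules "${SSH_PORT:-22}" "${HITS:-4}" "${WINDOW:-60}" "$ADMIN_SRC"
fi
```

Set ADMIN_SRC to your own address before applying, or a burst of connections from yourself trips the same rule.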
