A major problem faced by mail server admins is the DoS (Denial of Service) attack. Hackers will try to hammer the most popular ports of a UNIX/Linux machine. We can prevent this by writing an iptables rule on the server. It works like this: if someone keeps opening connections to a specified port, the rule blocks that IP address permanently. Here I am showing how to secure port 25 (SMTP); you can use your own port.
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
This will block every IP address that keeps connecting to port 25, i.e. 4 SMTP connections within 60 seconds. You can change the port and the interval here.
We can also log these IPs and use them later, for example if you would like to add the logged IPs to TCP Wrappers etc.
Do the following.
First of all, set your log daemon to log the iptables messages:
# vi /etc/syslog.conf
Add the following line at the end of the file (without a leading #, which would turn it into a comment):
kern.warning    /var/log/iptables.log
#touch /var/log/iptables.log
Restart the system log service:
# /etc/init.d/syslog restart   (on Red Hat based systems such as CentOS)
iptables -A INPUT -j LOG --log-level 4
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -p tcp --dport 25 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 4 -j LOG --log-prefix '** HACKERS **' --log-level 4
Note that the DROP target does not accept --log-prefix (iptables rejects it with "Unknown arg `--log-prefix'"); logging is done by a separate LOG rule with the same match. Because -I inserts each rule at the top of the chain, the LOG rule is inserted last so that it ends up first; LOG is a non-terminating target, so a logged packet continues to the DROP rule right after it.
PERFECT. THE HACKERS ARE BEING LOGGED NOW!!!
The next stage is to add these logged IPs to TCP Wrappers (/etc/hosts.deny).
# grep -F '** HACKERS **' /var/log/iptables.log | grep -o 'SRC=[0-9.]*' | cut -d= -f2 | sort -u >> /root/badip.txt
The above line picks the SRC= (source) address out of every log line carrying our prefix and appends it to badip.txt. Matching on the SRC= field rather than a fixed awk column keeps it working whatever the exact log layout is, and sort -u drops duplicates within one run.
Next, run this command at a frequent interval with the help of cron:
#vi /etc/crontab
*/1 * * * * root grep -F '** HACKERS **' /var/log/iptables.log | grep -o 'SRC=[0-9.]*' | cut -d= -f2 | sort -u >> /root/badip.txt
Here the job runs every minute. The file will grow rapidly to a heavy size if your server has heavy traffic, so clean it up at frequent intervals; better set up another cron job for that.
Next, add these IPs to the hosts.deny file:
#vi /etc/hosts.deny
SSHD:/root/badip.txt
So things are clear: the cron job keeps the badip.txt list updated, and every address in it is blocked by TCP Wrappers.
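As an added example (not part of the original post), here is the log-to-deny-list step above written as a small POSIX sh script. It keys on the SRC= field instead of an awk column, takes only lines carrying the '** HACKERS **' prefix so the catch-all LOG rule's lines are ignored, skips addresses on a whitelist of known-good relays (the spoofed-SYN problem raised in the comments below), and rewrites the file atomically instead of appending forever. The log lines, the whitelist addresses and the file names are constructed for the demo; the prefix is the one from the rules above.

```shell
#!/bin/sh
# Added example, not from the original post: build the badip list from
# iptables LOG lines. Assumes GNU or BSD grep (for -o) and a POSIX awk.

# Constructed sample of kernel LOG lines (real lines carry more fields).
SAMPLE_LOG='Sep 15 10:00:01 mx kernel: ** HACKERS **IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4444 DPT=25
Sep 15 10:00:02 mx kernel: IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=22
Sep 15 10:00:03 mx kernel: ** HACKERS **IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4445 DPT=25
Sep 15 10:00:04 mx kernel: ** HACKERS **IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.5 PROTO=TCP SPT=5000 DPT=25
Sep 15 10:00:05 mx kernel: ** HACKERS **IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=5001 DPT=25'

# Constructed whitelist: relays that must never be denied, even if spoofed
# SYN packets make them trip the hitcount rule.
WHITELIST='198.51.100.20
10.0.0.25'

# extract_bad_ips: stdin = log text; stdout = unique SRC addresses taken
# from prefixed lines only (the unprefixed catch-all LOG lines are skipped).
extract_bad_ips() {
    grep -F '** HACKERS **' | grep -o 'SRC=[0-9.]*' | cut -d= -f2 | sort -u
}

# filter_whitelist: stdin = addresses, one per line; $1 = newline-separated
# whitelist. Prints only addresses that are not whitelisted.
filter_whitelist() {
    awk -v wl="$1" 'BEGIN { n = split(wl, a, "\n"); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
                    !($0 in keep)'
}

# build_badip_list: stdin = log text; stdout = final deny list in the
# one-address-per-line form that a /etc/hosts.deny file pattern accepts.
build_badip_list() {
    extract_bad_ips | filter_whitelist "$WHITELIST"
}

# write_badip_file: regenerate deny list $2 from log file $1 atomically, so
# tcpd never reads a half-written file and the list cannot grow without bound.
write_badip_file() {
    tmp="$2.tmp.$$"
    build_badip_list < "$1" > "$tmp" && mv "$tmp" "$2"
}

# Stand-alone demo on the constructed sample; prints 203.0.113.10 and 203.0.113.77.
printf '%s\n' "$SAMPLE_LOG" | build_badip_list
```

Run from cron as `write_badip_file /var/log/iptables.log /root/badip.txt` instead of the append line: because the file is regenerated from the log each time, the separate clean-up job is no longer needed, and a legitimate relay that was tricked into the recent list by spoofed packets never reaches hosts.deny as long as it is on the whitelist.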
Sep 15, 2008
9 comments:
This was really good.
But 4 connections in 60 seconds - is it a realistic scenario, or does 3 per 60 seconds make it safer?
I also have another requirement:
I want IP's and MAC addresses of hosts who fail the above criteria to get automatically added in the hosts.deny list.
How could I do this?
Thanks
Hm... So if I'm a bad guy and I send you a few TCP SYN packets with a spoofed source address, can't I pretty much cause your firewall to permanently drop packets from a legitimate mail server?
Yes, you are right. This is a problem :)
Would adding legitimate server IPs to hosts.allow resolve the problem? I guess not, because they would still be in the hosts.deny list.
Hi. Newbie, as you guessed.
I got:
iptables v1.3.6: Unknown arg `--log-prefix'
Try `iptables -h' or 'iptables --help' for more information.
I've just upgraded Debian packages. Some little help?
Ugur
No problem with that error. I think it has already started logging the packets.
check /var/log/messages
I don't think so :(. I can't see the entry in iptables --list.
Nothing for:
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 120 --hitcount 90 -j DROP --log-prefix '** HACKERS **' --log-level 4
Adding the legitimate server IPs to /etc/hosts.allow should resolve the problem mentioned by Richard, because /etc/hosts.allow is processed first, and if no match is found there, then /etc/hosts.deny is processed and the first match denies access. If no match is found in /etc/hosts.deny either, access is allowed by default.
Please correct me if I am wrong.
Thanks. That helped me. Btw, how to block Download Accelerator Plus (DAP) with iptables or other tools on Linux? I use GNU/Linux Debian Lenny.
Thx b4