Blocking IP address ranges

Tim Alberts talberts at msiscales.com
Tue Jan 25 18:41:15 UTC 2005


I thought portsentry, hostsentry, logsentry (aka trisentry) were bought
up and licensing issues ensued.  I've seen them being maintained at
sourceforge, but only logcheck and portsentry have downloads and updates
haven't been posted in almost 2 years?  Are these programs still
useable?

I've also heard that snort.org is an outstanding program with great
capabilities.  I haven't personally learned how to use it yet.  You
can actually find books on Amazon etc. on how to use this pig...and from
what I've read, it is a pig to configure and work with...



On Wed, 2005-01-26 at 07:29 +1300, Banjo Mailing List wrote:
> Or use portsentry. if you need any help how to do it tell me
> 
> 
> On Tue, 25 Jan 2005 12:56:15 -0500, Deron Meranda
> <deron.meranda at gmail.com> wrote:
> > > I'm thinking of setting up a rule in Iptables to point to a
> > > file which I can easily add the IP addresses that I need
> > > to block. Is this possible and what would be the syntax?
> > 
> > If you really want to set up something so you can block a large number
> > of IP addresses and you have the patience to keep up, yes you could
> > set up some simple scripts to help you automate the iptables config.
> > 
> > Note though that you'll probably want to structure iptables with several
> > chains to help reduce the inefficiency caused by a large number of
> > rules.  For example, you might want a separate chain for each of the
> > possible 256 first-octets.  This should get you started and give you some
> > ideas (it can be improved upon too).
> > 
> > iptables -N web_block_1
> > iptables -N web_block_2
> > ...
> > iptables -N web_block_255
> > 
> > Then create a chain just to dispatch these (so non-web traffic
> > doesn't have to go through all these rule checks),
> > 
> > iptables -N web_block
> > 
> > Then link it into your input chain too,
> > 
> > iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j web_block
> > iptables -I INPUT -i eth0 -m tcp -p tcp --dport 443 -j web_block
> > 
> > Finally in your web_block chain dispatch for each octet,
> > 
> > iptables -A web_block -s 1.0.0.0/8 -j web_block_1
> > iptables -A web_block -s 2.0.0.0/8 -j web_block_2
> > ...
> > iptables -A web_block -s 255.0.0.0/8 -j web_block_255
> > 
> > Then you'd add specific IP addresses (or netblocks), as
> > 
> >   iptables -A web_block_192 -s 192.168.1.1 -j REJECT
> > 
> > Also if your script updates, be sure to also run iptables-save
> > so your entries survive reboot.
> > 
> > Keep in mind though that iptables blocking is the *harsh*
> > way to do this.  Less drastic would be to 1. ignore the logs,
> > 2. reduce the logging level, 3. look at Apache's Deny
> > directive.
> > --
> > Deron Meranda
> > 
> > --
> > fedora-list mailing list
> > fedora-list at redhat.com
> > To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> >
> 
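A script that automates the per-first-octet chain layout Deron describes above, added here as an example and not from the thread. It assumes the inbound interface is eth0, and it prints the iptables commands rather than running them so the output can be reviewed before it is applied.

```shell
#!/bin/sh
# Generates the per-first-octet iptables layout from the thread above.
# Prints the commands instead of running them: review the output, then
# pipe it to sh as root and run iptables-save so the rules survive reboot.

# Print the first octet of an address or CIDR block (192.168.1.1, 10.0.0.0/8).
first_octet() {
    printf '%s\n' "$1" | cut -d/ -f1 | cut -d. -f1
}

# Print the commands that create web_block and the 255 per-octet chains,
# hook web_block into INPUT for ports 80/443 on eth0 (assumed interface),
# and dispatch each /8 to its own chain.
gen_chain_setup() {
    echo "iptables -N web_block"
    echo "iptables -I INPUT -i eth0 -p tcp -m tcp --dport 80 -j web_block"
    echo "iptables -I INPUT -i eth0 -p tcp -m tcp --dport 443 -j web_block"
    i=1
    while [ "$i" -le 255 ]; do
        echo "iptables -N web_block_$i"
        echo "iptables -A web_block -s $i.0.0.0/8 -j web_block_$i"
        i=$((i + 1))
    done
}

# Read addresses or netblocks from stdin (one per line, '#' comments allowed)
# and print a REJECT rule in the matching per-octet chain for each one.
# A block wider than /8 spans several per-octet chains, so it is reported on
# stderr and skipped rather than silently filed under one first octet.
gen_block_rules() {
    while read -r entry _; do
        case "$entry" in ''|'#'*) continue ;; esac
        prefix=${entry##*/}
        if [ "$prefix" != "$entry" ] && [ "$prefix" -lt 8 ]; then
            echo "skipping $entry: wider than /8, spans several chains" >&2
            continue
        fi
        octet=$(first_octet "$entry")
        echo "iptables -A web_block_$octet -s $entry -j REJECT"
    done
}

# Constructed sample blocklist (not from the thread) used for the demo below.
sample_list() {
    printf '%s\n' '192.168.1.1' '# a comment line' '203.0.113.0/24' '10.0.0.0/7'
}

gen_chain_setup
sample_list | gen_block_rules
```

In real use, replace `sample_list` with `cat /etc/web_blocklist` (or whatever file the entries live in) and re-run the script whenever the file changes.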