Blocking Ip address ranges

Gene Heskett gene.heskett at verizon.net
Wed Jan 26 04:30:31 UTC 2005


On Tuesday 25 January 2005 13:41, Tim Alberts wrote:
> I thought portsentry, hostsentry, logsentry (aka trisentry) were
> bought up and licensing issues ensued.  I've seen them being
> maintained at sourceforge, but only logcheck and portsentry have
> downloads and updates haven't been posted in almost 2 years?  Are
> these programs still useable?

I haven't tried them on a modern system (read FC3) but portsentry-1.1, 
tcpwrappers, and iptables have all been standing guard on my old 
RH7.3 firewall box for several years now.  Since I put in a Linksys 
router (got a DSL connection nowadays), only one hit has been logged 
in 2 years.  And that one got in because it came from one of Verizon's 
own DNS servers, so it was a known address to the router.  Portsentry 
killed the attempt on the first syn-not-ack packet.  End of story.  2 
years...  I'd say that's pretty good. :)


> I've also heard that snort.org is an outstanding program with great
> capabilities.  I haven't personally learned how to use it yet. 
> You can actually find books on Amazon etc. on how to use this pig...and
> from what I've read, it is a pig to configure and work with...
>
>On Wed, 2005-01-26 at 07:29 +1300, Banjo Mailing List wrote:
>> Or use portsentry. If you need any help on how to do it, tell me.
>>
>>
>> On Tue, 25 Jan 2005 12:56:15 -0500, Deron Meranda
>>
>> <deron.meranda at gmail.com> wrote:
>> > > I'm thinking of setting up a rule in Iptables to point to a
>> > > file which I can easily add the IP addresses that I need
>> > > to block. Is this possible and what would be the syntax?
>> >
>> > If you really want to set up something so you can block a large
>> > number of IP addresses and you have the patience to keep up, yes
>> > you could set up some simple scripts to help you automate the
>> > iptables config.
>> >
>> > Note though that you'll probably want to structure iptables with
>> > several chains to help reduce the inefficiency caused by a large
>> > number of rules.  For example, you might want a separate chain
>> > for each of the possible 256 first-octets.  This should get you
>> > started and give you some ideas (it can be improved upon too).
>> >
>> > iptables -N web_block_1
>> > iptables -N web_block_2
>> > ...
>> > iptables -N web_block_255
>> >
>> > Then create a chain just to dispatch these (so non-web traffic
>> > doesn't have to go through all these rule checks),
>> >
>> > iptables -N web_block
>> >
>> > Then link it into your input chain too,
>> >
>> > iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j web_block
>> > iptables -I INPUT -i eth0 -m tcp -p tcp --dport 443 -j web_block
>> >
>> > Finally in your web_block chain dispatch for each octet,
>> >
>> > iptables -A web_block -s 1.0.0.0/8 -j web_block_1
>> > iptables -A web_block -s 2.0.0.0/8 -j web_block_2
>> > ...
>> > iptables -A web_block -s 255.0.0.0/8 -j web_block_255
>> >
>> > Then you'd add specific IP addresses (or netblocks), as
>> >
>> >   iptables -A web_block_192 -s 192.168.1.1 -j REJECT
>> >
>> > Also if your script updates, be sure to also run iptables-save
>> > so your entries survive reboot.
>> >
>> > Keep in mind though that iptables blocking is the *harsh*
>> > way to do this.  Less drastic would be to 1. ignore the logs,
>> > 2. reduce the logging level, 3. look at Apache's Deny
>> > directive.
>> > --
>> > Deron Meranda
>> >
>> > --
>> > fedora-list mailing list
>> > fedora-list at redhat.com
>> > To unsubscribe:
>> > http://www.redhat.com/mailman/listinfo/fedora-list

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.32% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com attorneys please note, additions to this message
by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
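
Deron's sketch above, turned into a script that reads the blocklist file the original poster asked about and creates the per-octet chains only for octets that actually appear in it. This is an added example and not code from the thread; the file format (one IP or CIDR per line, `#` comments) and the IPT variable are my assumptions.

```shell
# Added example, not code from the thread: the per-first-octet chain layout
# Deron sketches, created only for octets that appear in a blocklist file.
# Assumed by me: the file format (one IP or CIDR per line, '#' comments) and
# IPT, which defaults to printing the commands instead of running them.
IPT="${IPT:-echo iptables}"     # run as root with IPT=iptables to apply

# Print the first octet of an IPv4 address or CIDR; fail on anything else.
first_octet() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) printf '%s\n' "${1%%.*}" ;;
        *) return 1 ;;
    esac
}

# Dispatch chain, hooked only into web traffic (ports 80 and 443 on eth0).
setup_chains() {
    $IPT -N web_block
    for port in 80 443; do
        $IPT -I INPUT -i eth0 -p tcp --dport "$port" -j web_block
    done
}

# Read the blocklist; create web_block_<octet> on first use, then REJECT
# each entry inside the matching sub-chain. Malformed lines are skipped.
load_blocklist() {
    created=" "
    while IFS= read -r line || [ -n "$line" ]; do
        line="$(printf '%s' "${line%%#*}" | tr -d '[:space:]')"   # strip comment, whitespace
        [ -n "$line" ] || continue
        oct="$(first_octet "$line")" || { echo "skipping bad entry: $line" >&2; continue; }
        case "$created" in
            *" $oct "*) ;;                      # sub-chain already exists
            *) $IPT -N "web_block_$oct"
               $IPT -A web_block -s "$oct.0.0.0/8" -j "web_block_$oct"
               created="$created$oct " ;;
        esac
        $IPT -A "web_block_$oct" -s "$line" -j REJECT
    done < "$1"
}

# Constructed sample blocklist (private and documentation ranges) in a temp file.
sample_blocklist() {
    f="$(mktemp)"
    printf '%s\n' '# blocklist' '192.168.1.1' 'not-an-address' \
                  '192.0.2.0/24  # whole netblock' '203.0.113.7' > "$f"
    echo "$f"
}
setup_chains
load_blocklist "$(sample_blocklist)"
```

Run it as root with IPT=iptables to apply the rules, then persist them with iptables-save as Deron notes.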



