On Tuesday 25 January 2005 13:41, Tim Alberts wrote:
> I thought portsentry, hostsentry, logsentry (aka trisentry) were
> bought up and licensing issues ensued. I've seen them being
> maintained at SourceForge, but only logcheck and portsentry have
> downloads, and updates haven't been posted in almost 2 years? Are
> these programs still usable?

I haven't tried them on a modern system (read FC3), but portsentry-1.1,
tcpwrappers, and iptables have all been standing guard on my old RH7.3
firewall box for several years now. Since I put in a Linksys router (got a
DSL connection nowadays), only one hit has been logged in 2 years. And that
one got in because it came from one of Verizon's own DNS servers, so it was
a known address to the router. Portsentry killed the attempt on the first
syn-not-ack packet. End of story. 2 years... I'd say that's pretty good. :)

> I've also heard that snort.org is an outstanding program with great
> capabilities. I haven't personally learned how to use it yet.
> You can actually find books on Amazon etc. on how to use this pig... and
> from what I've read, it is a pig to configure and work with...
>
> On Wed, 2005-01-26 at 07:29 +1300, Banjo Mailing List wrote:
>> Or use portsentry. If you need any help with how to do it, tell me.
>>
>>
>> On Tue, 25 Jan 2005 12:56:15 -0500, Deron Meranda
>> <deron.meranda@xxxxxxxxx> wrote:
>> > > I'm thinking of setting up a rule in Iptables to point to a
>> > > file which I can easily add the IP addresses that I need
>> > > to block. Is this possible and what would be the syntax?
>> >
>> > If you really want to set up something so you can block a large
>> > number of IP addresses and you have the patience to keep up, yes,
>> > you could set up some simple scripts to help you automate the
>> > iptables config.
>> >
>> > Note though that you'll probably want to structure iptables with
>> > several chains to help reduce the inefficiency caused by a large
>> > number of rules. For example, you might want a separate chain
>> > for each of the possible 256 first octets. This should get you
>> > started and give you some ideas (it can be improved upon too).
>> >
>> > iptables -N web_block_1
>> > iptables -N web_block_2
>> > ...
>> > iptables -N web_block_255
>> >
>> > Then create a chain just to dispatch these (so non-web traffic
>> > doesn't have to go through all these rule checks),
>> >
>> > iptables -N web_block
>> >
>> > Then link it into your input chain too,
>> >
>> > iptables -I INPUT -i eth0 -m tcp -p tcp --dport 80 -j web_block
>> > iptables -I INPUT -i eth0 -m tcp -p tcp --dport 443 -j web_block
>> >
>> > Finally, in your web_block chain, dispatch for each octet,
>> >
>> > iptables -A web_block -s 1.0.0.0/8 -j web_block_1
>> > iptables -A web_block -s 2.0.0.0/8 -j web_block_2
>> > ...
>> > iptables -A web_block -s 255.0.0.0/8 -j web_block_255
>> >
>> > Then you'd add specific IP addresses (or netblocks), as
>> >
>> > iptables -A web_block_192 -s 192.168.1.1 -j REJECT
>> >
>> > Also, if your script updates, be sure to also run iptables-save
>> > so your entries survive reboot.
>> >
>> > Keep in mind though that iptables blocking is the *harsh*
>> > way to do this. Less drastic would be to 1. ignore the logs,
>> > 2. reduce the logging level, 3. look at Apache's Deny
>> > directive.
>> > --
>> > Deron Meranda
>> >
>> > --
>> > fedora-list mailing list
>> > fedora-list@xxxxxxxxxx
>> > To unsubscribe:
>> > http://www.redhat.com/mailman/listinfo/fedora-list

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.32% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com attorneys please note, additions to this message
by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
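One way to script the per-first-octet chain layout Deron describes, as an added example that is not part of the thread and not anyone's code from it. It goes a step beyond the thread in two ways that are my choices: it emits the whole rule set as an iptables-restore file so a large blocklist loads in one atomic step instead of one iptables call per entry, and it validates each entry so a typo in the blocklist cannot produce a malformed rule. It assumes a blocklist file with one IPv4 address or CIDR netblock per line (blank lines and # comments ignored), web ports 80 and 443 on eth0, and the chain names used in the thread (web_block, web_block_N); the sample blocklist at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the fedora-list thread): generate the
# per-first-octet REJECT chains as an iptables-restore file.
# Assumed layout: web_block dispatches on /8, web_block_N holds the
# entries for first octet N. Load with: iptables-restore < rules.v4

# Map an IPv4 address or netblock to the chain for its first octet.
# chain_for 192.168.1.1 -> web_block_192 ; returns 1 for non-IPv4 input.
chain_for() {
    octet=${1%%.*}
    case "$octet" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric first field
    esac
    [ "$octet" -le 255 ] || return 1
    printf 'web_block_%s\n' "$octet"
}

# Emit a complete *filter table fragment for the blocklist file in $1.
# Bad entries are reported on stderr and skipped rather than emitted.
build_rules() {
    blocklist=$1
    printf '%s\n' '*filter' ':web_block - [0:0]'
    i=0
    while [ "$i" -le 255 ]; do
        printf '%s\n' ":web_block_$i - [0:0]"
        i=$((i + 1))
    done
    # Only web traffic enters the dispatcher, as in the thread.
    printf '%s\n' '-I INPUT -i eth0 -p tcp --dport 80 -j web_block'
    printf '%s\n' '-I INPUT -i eth0 -p tcp --dport 443 -j web_block'
    # Dispatch by first octet, so a packet checks ~1/256 of the list.
    i=0
    while [ "$i" -le 255 ]; do
        printf '%s\n' "-A web_block -s $i.0.0.0/8 -j web_block_$i"
        i=$((i + 1))
    done
    # One REJECT per blocked address, in the chain for its first octet.
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        chain=$(chain_for "$entry") || {
            echo "skipping bad entry: $entry" >&2
            continue
        }
        printf '%s\n' "-A $chain -s $entry -j REJECT"
    done < "$blocklist"
    printf '%s\n' 'COMMIT'
}

# Stand-alone run: use the blocklist given as $1, or a constructed sample.
if [ "$#" -gt 0 ]; then
    build_rules "$1"
else
    sample=$(mktemp)
    printf '%s\n' '# constructed sample blocklist' '192.168.1.1' \
        '10.0.0.0/8' 'not-an-ip' > "$sample"
    build_rules "$sample" | grep -- '-j REJECT'
    rm -f "$sample"
fi
```

Run as `sh blockgen.sh blocklist.txt > rules.v4` and load the result with `iptables-restore`; regenerating and reloading the file on every update is also what makes the rule set survive a reboot when the file is loaded at boot, which is the step Deron's note about saving is pointing at.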