ipset can eliminate the performance penalty of long lists <><Randall Grimshaw Room 203 Machinery Hall Syracuse University Syracuse, NY 13244 315-443-5779 rgrimsha@xxxxxxx >>> mikepb@xxxxxxxxxxx 07/28/06 7:08 PM >>> HA! I TOP-POSTED!!!! So SHOOT ME! >>>> I know that the preferred way of controlling access is to use >>>> whitelists, but for my case I'd like to use IP blacklisting. >>> At some point it affects performance. There are some workarounds. >>> What problem are you trying to solve? What causes you to block an IP? >I second the suggestion about running SSHD on a different port. It's >removed all my script kiddie attacks. See /etc/ssh/sshd_config to enable. Moving ssh to a different port seems to be the easiest way, but eventually the scripts find the new port and start whacking it instead -- iptables blocking is IMNSHO, a "better way" -- in that they can be logged -- useful when you call in the feds. (Of course honeypots are even better....) This is what I have done to block over 2400 ip blocks with no performance hit measurable. Of course, I whitelist some very common blocks first, so they avoid any delays, and most everyone else SHOULD be blocked so a delay I care not about. Snippets only... -A INPUT -i eth1 -d MY.EXTERNAL.IP -j ext_in -A ext_in -p tcp -m tcp --dport 22 -j sshblock -A sshblock -s G.0.0.D/I.P.BLCK.1 -j ACCEPT -A sshblock -s G.0.0.D/I.P.BLCK.2 -j ACCEPT -A sshblock -s 0.0.0.0/192.0.0.0 -j sshblock0 -A sshblock -s 64.0.0.0/192.0.0.0 -j sshblock64 -A sshblock -s 128.0.0.0/192.0.0.0 -j sshblock128 -A sshblock -s 192.0.0.0/224.0.0.0 -j sshblock192 -A sshblock -s 224.0.0.0/224.0.0.0 -j sshdrop -A sshblock -j ACCEPT sshblock0 gets addresses in 0.0.0.0 through 63.255.255.255 sshblock64 gets addresses in 64.0.0.0 through 127.255.255.255 sshblock128 gets addresses in 128.0.0.0 through 191.255.255.255 sshblock192 gets addresses in 192.0.0.0 through 223.255.255.255 224.0.0.0 through 255.255.255.255 goes to sshdrop (which logs as "DROPPED_SSH_PACKET " and drops) To help performance even further, the SYN flag can be added to the check for port 22 above, provided a "RELATED,ESTABLISHED" line exists in the same chain. I forgot the URL, but there is a site that has a database of IP block assignments. I periodically go to that site and download the blocks for countries I NEVER want to receive email or ssh connections from, like CN, KR, MY, VN, FR, TW, BR, etc, and add them to the sshblock and smtpblock lists. -- Michael -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
