blocking attacks with shorewall+denyhosts (was Re: iptables out of memory?)

Alan Johnson alan at datdec.com
Thu Jan 29 17:57:24 EST 2009


On Thu, Jan 29, 2009 at 5:05 PM, Tom Buskey <tom at buskey.name> wrote:

> denyhosts is a python script that goes through your /var/log/secure file
> looking for sshd logging info.
>
> It adds the "bad hosts" to hosts.deny to prevent ssh login attempts.
> Entries can be permanent or temporary.
>
> Umm, yum info denyhosts on my Fedora 10 box.
>
> It might be possible to use/modify it for SMTP use?
> There's a plugin for shorewall.
>

Very sweet!  I'll have to look into that. I've had good experience with
shorewall in the past, and there is a nice webmin module for it, but I've
been holding off in this case since iptables is easy enough to use for my
simple IPA blocks, and I expect better performance with iptables since it is
built into the kernel, but I don't really know.

I love the idea of a failed-login monitor that hooks into shorewall.  I'm
dreaming of a single box on the edge with a syslog server pulling logs from
all exposed machines and log monitors blocking offending IPAs for excessive
login failures, spamhaus listing, and any other security violation one can
find, right in shorewall, then clearing them out after some appropriate
timeout.

I had a guy working for me who did something similar with pam modules once,
but it was a major time sink for someone uninitiated to pam, as he was and
I am, so I have not bothered to try and replicate it.  I think it is better
to block in a firewall anyway, because dropping packets slows the attacker
down more than denying a login.  Well, maybe not if you have a long failed
login timeout, but that could get annoying quickly for legit users.  Also,
it puts less load on the server, if you can keep the number of rules
reasonable, as I have learned in this thread.  If you have one box at the
edge handling the firewall, it keeps the blocking load completely off the
servers, many rules or not.  You'd have to watch for packet latency though.
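The failed-login monitor with expiring blocks described in this thread, reduced to its core as an added example (not denyhosts' code and not part of the original message): it counts sshd failures per source address in log lines, blocks addresses over a threshold, lifts blocks after a timeout, and emits the iptables DROP rules rather than applying them. The log lines, threshold and timeout are constructed for the example.

```python
"""Failed-login monitor in the spirit of denyhosts: count sshd failures per
source address, block over a threshold, expire blocks after a timeout."""
import re
from datetime import datetime, timedelta

# Common OpenSSH failure messages; capture the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample of /var/log/secure lines (not real traffic).
SAMPLE_LOG = """\
Jan 29 17:01:02 edge sshd[4120]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 29 17:01:05 edge sshd[4120]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 29 17:01:09 edge sshd[4122]: Invalid user admin from 203.0.113.7
Jan 29 17:02:00 edge sshd[4130]: Accepted publickey for alan from 192.0.2.10 port 40000 ssh2
Jan 29 17:02:31 edge sshd[4131]: Failed password for alan from 192.0.2.10 port 40001 ssh2
""".splitlines()

def count_failures(lines):
    """Return {ip: number of failed sshd logins} over an iterable of log lines."""
    counts = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts

class BlockList:
    """Temporary blocks, like denyhosts' expiring hosts.deny entries."""
    def __init__(self, threshold, ttl):
        self.threshold = threshold   # failures before an address is blocked
        self.ttl = ttl               # timedelta after which a block is lifted
        self.blocked = {}            # ip -> expiry time

    def update(self, counts, now):
        """Block addresses at/over threshold (counts should cover a recent log
        window), drop expired blocks, and return the currently blocked set."""
        for ip, n in counts.items():
            if n >= self.threshold and ip not in self.blocked:
                self.blocked[ip] = now + self.ttl
        for ip in [ip for ip, exp in self.blocked.items() if exp <= now]:
            del self.blocked[ip]
        return set(self.blocked)

    def iptables_rules(self):
        """DROP rules for the currently blocked addresses (edge-box style)."""
        return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(self.blocked)]
```

Run update() periodically over the most recent window of log lines; because the rule count stays bounded by the expiring block list, the iptables performance concern raised earlier in the thread is kept in check.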