blocking attacks with shorewall+denyhosts (was Re: iptables out of memory?)

Tom Buskey tom at buskey.name
Fri Jan 30 08:45:02 EST 2009


On Thu, Jan 29, 2009 at 5:57 PM, Alan Johnson <alan at datdec.com> wrote:

> On Thu, Jan 29, 2009 at 5:05 PM, Tom Buskey <tom at buskey.name> wrote:
>
>> denyhosts is a python script that goes through your /var/log/secure file
>> looking for sshd logging info.
>>
>> It adds the "bad hosts" to hosts.deny to prevent ssh login attempts.
>> Entries can be permanent or temporary.
>>
>> Umm, yum info denyhosts on my Fedora 10 box.
>>
>> It might be possible to use/modify it for SMTP use?
>> There's a plugin for shorewall.
>>
>
> Very sweet!  I'll have to look into that. I've had good experience with
> shorewall in the past, and there is a nice webmin module for it, but I've
> been holding off in this case since iptables is easy enough to use for my
> simple IPA blocks, and I expect better performance with iptables since it is
> built into the kernel, but I don't really know.


Well, denyhosts just monitors for ssh attempts.  When I ran on the standard
port, I racked up 250 denied IP addresses.  I never purged.

> I love the idea of a failed-login monitor that hooks into shorewall.  I'm
> dreaming of a single box on the edge with a syslog server pulling logs from
> all exposed machines and log monitors blocking offending IPAs for excessive
> login failures, spamhaus listing, and any other security violation one can
> find, right in shorewall, then clearing them out after some appropriate time
> out.
>

You might want to look at something like Snort also.

> I had a guy working for me who did something similar with pam modules once,
> but it was a major time sink for someone uninitiated to pam, as he was and
> I am, so I have not bothered to try and replicate it.  I think it is better
> to block in a firewall anyway, because dropping packets slows the attacker
> down more than denying a login.  Well, maybe not if you have a long failed
> log-in time out, but that could get annoying quick for legit users.  Also,
> it puts less load on the server, if you can keep the number of rules
> reasonable, as I have learned in this thread.  If you have one box at the
> edge handling the firewall, it keeps the blocking load completely off the
> servers, many rules or not.  You'd have to watch for packet latency though.



You can have some rules up front that ID the problems & kinda branch.  Deal
with the quick things 1st & do the more resource intensive packets later in
the rules.  At least, I've seen it done with ipfilter and ipf on OpenBSD.  I
think ipfilter has been ported to Linux.  It's on everything else.
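To make the denyhosts mechanism discussed above concrete, here is an added example (not part of this thread and not the denyhosts project's own code) that scans sshd "Failed password" lines in the /var/log/secure format, writes hosts.deny entries for sources over a threshold, and ages temporary entries out. The log lines and addresses are constructed samples; the threshold, TTL and expiry-comment format are assumptions for the demo.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the format sshd writes to /var/log/secure.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 30 08:01:12 edge sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Jan 30 08:01:15 edge sshd[2103]: Failed password for invalid user oracle from 192.0.2.10 port 40130 ssh2
Jan 30 08:01:19 edge sshd[2105]: Failed password for root from 192.0.2.10 port 40141 ssh2
Jan 30 08:02:40 edge sshd[2110]: Accepted publickey for tom from 198.51.100.7 port 51022 ssh2
Jan 30 08:03:02 edge sshd[2112]: Failed password for tom from 198.51.100.7 port 51030 ssh2
Jan 30 08:05:55 edge sshd[2120]: Failed password for invalid user test from 203.0.113.5 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
# Expiry comment format is an assumption for this demo, not denyhosts' own.
ENTRY_RE = re.compile(r"^sshd: (\S+)\s+# .*expires (\d{4}-\d{2}-\d{2} \d{2}:\d{2})$")
FMT = "%Y-%m-%d %H:%M"

def count_failures(log_text):
    """Map source IP -> number of sshd 'Failed password' lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def build_deny_entries(counts, now, threshold=3, ttl_hours=24):
    """hosts.deny lines for IPs at or over threshold, each tagged with an
    expiry time so a later purge can age the block out (temporary entry)."""
    expires = (now + timedelta(hours=ttl_hours)).strftime(FMT)
    return [f"sshd: {ip}  # {n} failures, expires {expires}"
            for ip, n in sorted(counts.items()) if n >= threshold]

def purge_expired(entries, now):
    """Drop entries whose expiry comment is in the past; entries without
    an expiry tag are treated as permanent and always kept."""
    kept = []
    for e in entries:
        m = ENTRY_RE.match(e)
        if m and datetime.strptime(m.group(2), FMT) <= now:
            continue
        kept.append(e)
    return kept
```

Running it over SAMPLE_LOG at 2009-01-30 08:45 denies only 192.0.2.10 (three failures); the single failure from the host that also logged in successfully stays below the threshold.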