Re: Limit the number of erroneous logins of root from the same IP



On Mon, 21 Nov 2011, in the Usenet newsgroup alt.os.linux.redhat, in article
<jaebkg$mam$2@xxxxxxxxxxxxxxxxxx>, dold@xxxxxxxxxxxxxxxx wrote:

Moe Trin <ibuprofin@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

In the firewall - set the default inbound to DROP or REJECT, and
then add the needed rules to connect those IPs or IP ranges you
want to give access to. In my case, that boils down to just five
total lines.

For me as well. I have one outside IP address that I can log into
from anywhere. That ISP uses a limit of some sort, with a telnet
knock to reopen for a locked address. From that login, I can go to
my home machine, and adjust the allowed list to include my new location.

One technique that was used was basic port-knocking. You set up the
firewall to block everything inbound, and monitor some rarely used
port - heck, how about 53/tcp as a poor example. To connect, you first
try a quicky 'telnet your.host 53' - you won't connect, but the
firewall can be configured to open your 22/tcp for packets from that
IP for one minute only. Now, you've got one minute to "log in" (once
you established a TCP connection, the "ESTABLISHED" rule in the firewall
maintains _that_ connection). If you don't log in, the firewall closes
the 22/tcp hole, and we're back to normal. As the firewall is ONLY
permitting "that" host (or any other that first tries to hit 53/tcp in
this example), the rest of the world doesn't exist. This is NOT
"security by obscurity" because once you knock, you STILL have to
authenticate by what-ever means you've got the server set to, AND you've
got one minute to do so.

A problem with this is that a lot of places have put outbound blocks
on ``non-standard'' ports. The classic port-knocking scheme was to
knock a series of ports in a specific order, in a specific time, and
that _substituted_ for authentication (bad idea). My company used
this scheme in the 1980s, but eventually ran into remote facilities
with outbound blocks - blocking ports we needed to knock. We got
around that for a while, using ports less likely to be blocked before
replacing the scheme with something else.

for ways to get the firewall simple and solid.

I got the impression from this thread that hosts.allow was more
current. If not, then I'm happy with the iptables.

[euclid ~]$ tar -zvtf /net/james-webb/sources/tcp_wrappers_7.6.tar.gz |
cut -c32-42 | sort | uniq -c | column
1 1993-09-11 1 1995-01-03 2 1996-03-19
2 1994-03-23 1 1995-01-08 4 1997-02-11
22 1994-12-28 2 1995-01-30 8 1997-03-21
1 1994-12-31 9 1996-02-11 2 1997-04-07
1 1995-01-02 1 1996-02-21
[euclid ~]$ zgrep -l iptables /net/james-webb/kernel/ChangeLog-3*
/net/james-webb/kernel/ChangeLog-3.0.gz
[euclid ~]$ zgrep -l netfilter /net/james-webb/kernel/ChangeLog-3*
/net/james-webb/kernel/ChangeLog-3.0.5.gz
/net/james-webb/kernel/ChangeLog-3.0.gz
/net/james-webb/kernel/ChangeLog-3.1-rc1.gz
/net/james-webb/kernel/ChangeLog-3.1-rc2.gz
/net/james-webb/kernel/ChangeLog-3.1.gz
[euclid ~]$

tcp_wrappers has some nice features, but it's been unmaintained for
close to 14 years. The firewall code is part of the kernel, and is
under on-going development.

Old guy
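The one-port knock described in the post above (a connection attempt to 53/tcp opens 22/tcp for that source IP for one minute, with the ESTABLISHED rule carrying the session afterwards) can be built from iptables' "recent" match. The script below is an added example, not code from the original post; it prints the rules rather than applying them so they can be read first. The list name "knockers", the use of nc instead of the post's telnet for the client-side knock, and the conntrack module for the ESTABLISHED rule are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: single-port "knock" using the
# iptables "recent" match. A TCP SYN to the knock port records the source
# address; a SYN to the service port from that address within the window is
# accepted; ESTABLISHED traffic keeps flowing once the session is up.
# emit_rules prints the commands instead of executing them.

emit_rules() {
    knock_port=${1:-53}     # port the client "knocks" on (never actually opened)
    ssh_port=${2:-22}       # service the knock unlocks
    window=${3:-60}         # seconds the hole stays open for that source IP
    list=knockers           # assumed name for the recent-module list

cat <<EOF
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# Existing connections keep working once established; this is what lets a
# session outlive the ${window}-second window.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The knock: a SYN to port ${knock_port} puts the source in the list and is
# then dropped, so the client sees a timeout and a scanner sees "filtered".
iptables -A INPUT -p tcp --dport ${knock_port} --syn -m recent --name ${list} --set -j DROP
# The unlock: a SYN to port ${ssh_port} is accepted only from a source seen in
# the list during the last ${window} seconds. --rcheck does not refresh the
# timer, so the window is measured from the knock, not from each SSH attempt.
iptables -A INPUT -p tcp --dport ${ssh_port} --syn -m recent --name ${list} --rcheck --seconds ${window} -j ACCEPT
# Anything else, including SYNs to ${ssh_port} without a fresh knock, falls to
# the DROP policy.
EOF
}

# Client side: one connection attempt to the knock port (it will time out;
# the SYN is all the firewall needs), then the real login within the window.
knock_and_connect() {
    host=$1
    knock_port=${2:-53}
    ssh_port=${3:-22}
    nc -w 1 -z "$host" "$knock_port" 2>/dev/null
    ssh -p "$ssh_port" "$host"
}
```

Review the output with `emit_rules 53 22 60`, then apply it as root with `emit_rules 53 22 60 | sh`. Because the knock rule itself ends in DROP, the knock port never appears open, and because the service port is only reachable after a knock, the unauthenticated login attempts the thread is about never reach sshd at all; the knock still does nothing for authentication, which happens exactly as before once the connection is accepted.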


