Re: Blocking attacks from spoofed IP addresses



On Thu, 01 Oct 2009 14:48:54 -0500, ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) wrote:

> On Thu, 01 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in
> article <aog8c5t75j6fnr4ksb5v81ick5cqi0j4ul@xxxxxxx>, Grant wrote:
>
....
>> Sometimes I do a 'whois' on what looks like related IPs and ban entire
>> CIDR blocks at the firewall (a linux box with bridged modem). Just
>> checked, only 38 banned blocks collected over the last couple years,
>> so it's not a big ask for iptables to do that.
>
> Two thoughts - what are you "offering" to the world, and what are you
> trying to defend against.

Anonymous ftp + http. Defending against too much traffic :) So
there's firewall rules that disable any IP after too many hits (over
time) on offered services, single hits on ssh (just on principle, I
rarely offer ssh, and then it's to known IP or IP block).

> ... You speak of 38
> banned blocks, which would be the "mostly open" situation, while I
> accept connections from 3 blocks (blocking all else by default) which
> would be the "mostly closed" situation.

Banned blocks mostly from annoying web crawlers that don't honour
the web 'robots.txt' file -- like the recently new Chinese crawler.

Or web site rippers. Once it was some script kiddies from NL playing
with a web form -- after I used their crap traffic to refine a quota
system I blocked the IP, then the IP block when the traffic changed IPs.

....
> Oh, and the port-knocking may run
> into those same 'blocked by the corporate firewall' rules that made
> it impractical to move your server to an obscure port.

Maybe one could knock the http (or 8000 port area) port? A custom
.cgi could do anything one wanted, no?

Haven't done port knocking yet as I've not yet needed to offer
'random' access for ssh :)

Grant.
--
http://bugsplatter.id.au
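Added example, not part of the thread: a user-space model of the ban policy Grant describes (whois-derived CIDR blocks dropped outright, an immediate ban on any hit to ssh, and a ban after too many hits within a time window on the offered ftp/http ports). The thresholds, CIDR blocks and connection records are constructed for illustration; on a real box the same logic lives in iptables (the `recent` match or an ipset), not in Python.

```python
"""Model of the per-IP ban policy from the thread, run over constructed events."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed policy values (assumptions, not the poster's real settings).
WINDOW = 60          # seconds of history considered per source IP
HIT_LIMIT = 5        # hits within WINDOW on offered services -> ban
OFFERED = {21, 80}   # anonymous ftp + http, rate-limited
IMMEDIATE_BAN = {22} # ssh: a single hit bans the source


class BanTracker:
    def __init__(self, banned_blocks):
        # CIDR blocks collected via whois and banned outright (constructed).
        self.blocks = [ip_network(b) for b in banned_blocks]
        self.hits = defaultdict(deque)  # ip -> timestamps inside WINDOW
        self.banned = set()             # individual IPs banned dynamically

    def in_banned_block(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.blocks)

    def observe(self, ts, ip, port):
        """Classify one connection attempt as 'accept' or 'drop'."""
        if ip in self.banned or self.in_banned_block(ip):
            return "drop"
        if port in IMMEDIATE_BAN:
            self.banned.add(ip)   # "single hits on ssh" -> ban on principle
            return "drop"
        if port in OFFERED:
            q = self.hits[ip]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # expire hits outside the window
                q.popleft()
            if len(q) >= HIT_LIMIT:           # too many hits over time -> ban
                self.banned.add(ip)
                return "drop"
        return "accept"


def run(events, banned_blocks=("203.0.113.0/24",)):
    """Feed (timestamp, source_ip, dst_port) records in time order."""
    tracker = BanTracker(banned_blocks)
    return [tracker.observe(ts, ip, port) for ts, ip, port in events]
```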