Setting up a Firewall in RedHat Linux using IPTables
Part 3 - Keeping the Riff Raff Out
Written by Tony Bhimani
October 4, 2004
Requirements
RedHat Linux 9
iptables 1.2.7a
There will be times when people will try to gain unauthorized access
to your server. It happens on a daily basis with one of my servers. Every
morning when I wake I check my mail and get my LogWatch results. Several
attempts are made on SSH and of course they all fail. I get their
IP and block it (or their entire network).
Here are some real attempts reported by LogWatch on September 28, 2004.
--------------------- SSHD Begin ------------------------
Failed logins from these:
admin/password from 216.67.239.62: 2 Time(s)
guest/password from 216.67.239.62: 1 Time(s)
root/password from 216.67.239.62: 952 Time(s)
test/password from 216.67.239.62: 5 Time(s)
user/password from 216.67.239.62: 1 Time(s)
**Unmatched Entries**
Illegal user test from 216.67.239.62
Illegal user guest from 216.67.239.62
Illegal user admin from 216.67.239.62
Illegal user admin from 216.67.239.62
Illegal user user from 216.67.239.62
Illegal user test from 216.67.239.62
Illegal user test from 216.67.239.62
Illegal user test from 216.67.239.62
Illegal user test from 216.67.239.62
---------------------- SSHD End -------------------------
These are the pitfalls of running a server. There is always some lamer
trying to get into your box to do who knows what. So what can you do?
Well, you can always try reporting their activity to their ISP, but that
usually gets you nowhere. You send an email to their abuse department
and you never hear back from them. Your other option is to be proactive
and take matters into your own hands (i.e. block them).
In part 2 of the tutorial I used my RedHat 7.3 box to attempt connections
to some services such as MySQL on port 3306 and HTTP on port 80. The connection
to port 3306 failed because we didn't open it, whereas the connection
to port 80 succeeded. We will now assume that the RedHat 7.3 box is a
host we don't want any connections from whatsoever. We'll be blocking
its IP and then later block a range of IPs.
Go back to /etc/sysconfig and open the iptables rules file in vi.
cd /etc/sysconfig
vi iptables
Scroll to the line below *filter, insert a blank line, and type
this in.
# block the riff raff
-A INPUT -i eth0 -s 192.168.1.104 -j DROP
192.168.1.104 is the IP address of my RedHat 7.3 box. You would replace
it with the IP of the attacker.
Your screen should look similar to this.

Save your changes and exit vi. Then reload your rules.
/sbin/iptables-restore < ./iptables
Any connections from the blocked IP should now get dropped. Because DROP
discards the packets silently rather than rejecting them, the blocked host
sees connection timeouts instead of "connection refused".

That's it for blocking a single IP. Now we will block a range of IPs,
and to do that we use subnets. Let's say we want to block the whole last
octet (i.e. 192.168.1.x, with x from 0 through 255). Keep in mind that a
rule like this drops every host in that range, not just the one that was
attacking you. We would change our blocking rule to this.
# block the riff raff
-A INPUT -i eth0 -s 192.168.1.0/24 -j DROP
Change your iptables rules file, save it, and reload the rules.
Now I am going to attempt a connection from 192.168.1.202 using my laptop.

And it failed as we expected.
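As an added example (not part of the original tutorial), the POSIX sh script below turns LogWatch "Failed logins" lines like the ones reported above into the DROP rule form used in this part, and checks whether an address falls inside a range such as the 192.168.1.0/24 rule. The sample lines, the extra 192.168.1.104 entry and the 10-failure threshold are my own constructed assumptions.

```shell
#!/bin/sh
# Constructed sample: the "Failed logins" lines from the LogWatch report above,
# plus one line from the 7.3 box (192.168.1.104) added to show the threshold.
LOGWATCH_SAMPLE='admin/password from 216.67.239.62: 2 Time(s)
guest/password from 216.67.239.62: 1 Time(s)
root/password from 216.67.239.62: 952 Time(s)
test/password from 216.67.239.62: 5 Time(s)
user/password from 216.67.239.62: 1 Time(s)
root/password from 192.168.1.104: 3 Time(s)'

# Read LogWatch "user/password from IP: N Time(s)" lines on stdin, sum the
# failures per source IP, and print each IP whose total reaches the threshold.
failed_login_ips() {
    awk -v min="${1:-10}" '
        /from [0-9.]+: [0-9]+ Time/ { ip = $3; sub(/:$/, "", ip); total[ip] += $4 }
        END { for (ip in total) if (total[ip] >= min) print ip }'
}

# The rule line used in this tutorial, for a single host or a CIDR range.
block_rule() {
    printf '%s\n' "-A INPUT -i eth0 -s $1 -j DROP"
}

# Dotted quad to a 32-bit integer, using only POSIX sh arithmetic.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Succeed if IP lies inside CIDR: dividing both addresses by 2^(32-prefix)
# discards the host bits, so equal quotients mean equal network prefixes.
in_cidr() {
    net=${2%/*}; bits=${2#*/}; host=1; i=$((32 - bits))
    while [ "$i" -gt 0 ]; do host=$((host * 2)); i=$((i - 1)); done
    [ $(( $(ip_to_int "$1") / host )) -eq $(( $(ip_to_int "$net") / host )) ]
}

# Demo: report -> DROP rules at a 10-failure threshold, then a range check
# matching the /24 rule that also caught the laptop at 192.168.1.202.
printf '%s\n' "$LOGWATCH_SAMPLE" | failed_login_ips 10 | while read -r ip; do
    block_rule "$ip"
done
in_cidr 192.168.1.202 192.168.1.0/24 && echo "192.168.1.202 is inside 192.168.1.0/24"
```

The generated lines go under *filter in /etc/sysconfig/iptables exactly like the hand-typed rule, and the threshold keeps a single mistyped password from getting a host blocked.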
As I mentioned at the start of this tutorial, iptables is capable of
much more than I have presented here. If you are interested in learning
more about iptables and subnetting, these sites should get you started.
Iptables Tutorial
IP Subnetting Tutorial
This wraps up the tutorial and I hope you found it useful in some manner.