
Using /etc/hosts.deny to block one IP simply



capnqwest
30th January 2005, 09:25 AM
Jan 29 00:45:02 localhost sshd[25443]: Failed password for root from ::ffff:207.96.146.43 port 45599 ssh2
Jan 29 00:45:12 localhost sshd[25447]: Address 207.96.146.43 maps to smtp2.visic.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!

I've got this one machine that hammers my FC3 box sometimes up to 30,000 times per day and of course I'd like to block him. According to my security logs, he's the only threat at this point so I figured that just putting his host in my /etc/hosts.deny file would be the simplest solution. On this box, I'm running SSHD, HTTPD and a Samba server so I obviously need those ports open.

My question is whether or not my syntax is correct in my deny file. I've Googled the hell out of this but haven't seen a clear example. Here is my file:

# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
207.96.146.43.deny

Is that correct if I just want to keep Mr. 207.96.146.43 out?

tk
30th January 2005, 09:31 AM
not 100% sure if sshd even respects /etc/hosts.deny... also didn't use it for years... the way to handle this kind of stuff is to:
- install apf firewall
- apf -d IP will ban this IP permanently

capnqwest
30th January 2005, 09:40 AM
Thanks Boobay, apf was incredibly simple and already it seems to have foiled 207.96.146.43!!

[root@localhost /]# apf -d 207.96.146.43
Inserted into firewall: Deny all to/from 207.96.146.43

tk
30th January 2005, 09:45 AM
glad it worked... just for the record for other users:
apf firewall can be downloaded here: http://www.rfxnetworks.com/apf.php

capnqwest
31st January 2005, 06:54 AM
Uh oh. I had to reboot my machine today and it just hangs at Starting apf:. I've tried over and over but my box just won't boot. APF is the only thing I had installed or changed since I last rebooted. I'm going to do some searching on the R-fx forum but has anyone else had this problem? Can I boot without loading APF so I can try and figure out what's going on?

Whip-lash
31st January 2005, 07:13 AM
For problems like this I keep track of the offending IP or network block owner and when it happened, then place the IP or CIDR range in a specific ruleset in /etc/sysconfig/iptables:

-A ATTACKERS -s 1.2.3.4 -j REJECT

... then reset the iptables service. After a period of time, I then clean out old blocks (especially those on dynamic IP ranges). Perhaps not the best way, but it's simple enough. :)
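As an added example that is not from any poster in this thread, the Python script below counts sshd "Failed password" lines like those quoted in the first post, strips the ::ffff: IPv4-mapped prefix that sshd logs on dual-stack hosts, and emits entries in the syntax that hosts.deny ("daemon_list : client_list") and Whip-lash's ATTACKERS chain actually expect. The log lines, the threshold of 3 and the 192.0.2.7 address are constructed; the hosts.deny line only has an effect if sshd is linked against libwrap, which tk's reply leaves open.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the sshd lines quoted in the first post.
SAMPLE_LOG = """\
Jan 29 00:45:02 localhost sshd[25443]: Failed password for root from ::ffff:207.96.146.43 port 45599 ssh2
Jan 29 00:45:05 localhost sshd[25445]: Failed password for invalid user admin from ::ffff:207.96.146.43 port 45601 ssh2
Jan 29 00:45:09 localhost sshd[25446]: Failed password for root from ::ffff:207.96.146.43 port 45603 ssh2
Jan 29 00:45:12 localhost sshd[25447]: Address 207.96.146.43 maps to smtp2.visic.com, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Jan 29 00:46:30 localhost sshd[25450]: Failed password for bob from 192.0.2.7 port 51000 ssh2
Jan 29 00:47:00 localhost sshd[25452]: Accepted password for bob from 192.0.2.7 port 51002 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user X from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def normalize_ip(addr):
    """Strip the IPv4-mapped IPv6 prefix (::ffff:a.b.c.d) so the address matches
    the plain dotted-quad form that hosts.deny and iptables rules use."""
    if addr.lower().startswith("::ffff:"):
        return addr[len("::ffff:"):]
    return addr

def count_failures(log_text):
    """Return a Counter of failed-login attempts keyed by normalized source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[normalize_ip(m.group(1))] += 1
    return counts

def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures (threshold is a constructed value)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)

def hosts_deny_lines(ips):
    # tcp_wrappers syntax is "daemon_list : client_list"; a bare address like the
    # "207.96.146.43.deny" line in the original post is not a valid entry.
    return ["sshd: %s" % ip for ip in ips]

def iptables_lines(ips, chain="ATTACKERS"):
    # Same shape as the /etc/sysconfig/iptables rule shown later in the thread.
    return ["-A %s -s %s -j REJECT" % (chain, ip) for ip in ips]

if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    print("\n".join(hosts_deny_lines(bad) + iptables_lines(bad)))
```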