Re: iptables & tcp wrappers

On Fri, 2004-09-24 at 15:57, Meatplow wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hello.
>
> I'm running RH Enterprise edition.
>
> I'm relatively new to iptables.  I am getting the common intrusion
> attempts with some  of the common uses of test/guest/root/ and a
> couple others   I've been able to add the IPs to the to iptables.,
> but

Im getting also frequent attempts to log into ssh on some servers using
those exact usernames from different ip's. Its it a worm or just some
new h4x0r tool ? anyone ?

> I'd really like a log that tells me the info that I want to know.

What info do you want to know ?

> My basic input command is this :
> #iptables -A INPUT -p tcp -s PUT_IP_HERE -d 0/0  --syn -j DROP
>
> iptables seem a little convoluted.  Example.  To delete  a line -
> supposedly give it a line and it will be deleted/modified.  My
> problem is even with #iptable -L -v there is no line number ?

I dont know about line nnumbers but you could try just deleting the
existing rule like this:

#iptables -D INPUT -p tcp -s PUT_IP_HERE -d 0/0  --syn -j DROP

with a "-D" instead of a "-A"

> My goal is to block all incoming ssh attempts except IP#.
> This is where I got into hosts.allow/deny as mentioned below.

If this server running RH Enterprise is some kind of firewall with two
or more network interfaces, you could configure the SSH daemon so it
justs listens and accepts connections from your internal (and trusted)
network, just by editing:

/etc/ssh/sshd_config

And of course, after that, restating the service.

Good luck!