Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Linux
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: iptables & tcp wrappers

from [Matthew Baker] Network Security [Permanent Link]
Subject: Re: iptables & tcp wrappers
Date: Tue, 05 Oct 2004 18:26:55 +0100 
Luis M wrote:

I know this has been answered in many ways already, but this is yet
another approach.

and another.....

I have rewritten a perl module into a script which is actually used on our mail server (MailScanner www.mailscanner.info) credit to Julian Field for that. What it does is monitor the output from auth logs (using swatch) and takes the IP addresses of failed/invalid attempts and records the number of attempts made from that IP in a database file. Then when the counter goes above a configured threshold (which can be different for a single host or CIDR network) the IP is inserted as a DROP rule into custom chain using IPtables.
No need for reloading all the chains. The script is only called when the fail pattern is matched in swatch and the IPtables insert is only done once when the threshold is reached.
I have documented it more on a little web page here: http://www.gwork.org/authwatch

Although I still get failed logins I will only get a max of 6 attempts as opposed to 1000's. The script can also be taylored to work with other log output combining failures from ftp, smtp auth, etc...

I've not released any of my scripts before so any feedback would be welcome,

Hope it helps.

Matt

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: iptables & tcp wrappers, Luis M
Next by Date:  Re: iptables & tcp wrappers, Thomas Chiverton
Previous by Thread:  Re: iptables & tcp wrappers, Luis M
Next by Thread:  Re: iptables & tcp wrappers, George Theall
Indexes:  [Date] [Thread] [Top] [All Lists]