
Firewall with iptables

This post shows how to set iptables rules as a Linux firewall to slow down brute force attacks. A few days ago, on my old Fedora Core 4 server, while I was checking /var/log/messages to verify that my cronjob was still running, I found something like this:
May 23 15:04:18 fedev sshd(pam_unix)[6037]: check pass; user unknown
May 23 15:04:18 fedev sshd(pam_unix)[6037]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-248-31-102.dsl.snantx.swbell.net
May 23 15:04:23 fedev sshd(pam_unix)[6040]: check pass; user unknown
May 23 15:04:23 fedev sshd(pam_unix)[6040]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-248-31-102.dsl.snantx.swbell.net
May 23 15:04:29 fedev sshd(pam_unix)[6043]: check pass; user unknown
May 23 15:04:29 fedev sshd(pam_unix)[6043]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-70-248-31-102.dsl.snantx.swbell.net

and in /var/log/secure
May 23 15:04:15 fedev sshd[6035]: Failed password for invalid user develop from ::ffff:70.248.31.102 port 47109 ssh2
May 23 15:04:18 fedev sshd[6037]: Invalid user webdeveloper from ::ffff:70.248.31.102
May 23 15:04:20 fedev sshd[6037]: Failed password for invalid user webdeveloper from ::ffff:70.248.31.102 port 47529 ssh2
May 23 15:04:23 fedev sshd[6040]: Invalid user services from ::ffff:70.248.31.102
May 23 15:04:26 fedev sshd[6040]: Failed password for invalid user services from ::ffff:70.248.31.102 port 47941 ssh2
May 23 15:04:29 fedev sshd[6043]: Invalid user ircd from ::ffff:70.248.31.102

Uh oh... looks like I'm under attack.

Anyone who runs a server on a public IP address faces this problem. These two iptables commands will drop any new SSH connection from an address that has made more than 3 new connections in the last 5 minutes (both use -I, so the DROP check lands ahead of the rule that records the address, as the saved rule set further down shows):
[root@fedev ~]# iptables -I INPUT -p tcp -i eth+ --dport 22 -m state --state NEW -m recent --set
[root@fedev ~]# iptables -I INPUT -p tcp -i eth+ --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 -j DROP
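To see which of the logged connections the two rules above would actually drop, here is an added Python simulation (not part of the original post) that replays the recent match's --set/--update bookkeeping over the post's /var/log/secure lines plus one constructed well-behaved source, 10.0.0.5, assumed to space its logins more than five minutes apart. The --hitcount test counts only stamps already recorded for the address, so the fourth new connection inside the window is the first one dropped.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the connections from the post's /var/log/secure excerpt
# (one sshd pid per TCP connection) plus a well-behaved source, 10.0.0.5,
# whose two attempts are six minutes apart (assumed for this example).
SAMPLE_SECURE_LOG = """\
May 23 15:04:15 fedev sshd[6035]: Failed password for invalid user develop from ::ffff:70.248.31.102 port 47109 ssh2
May 23 15:04:18 fedev sshd[6037]: Invalid user webdeveloper from ::ffff:70.248.31.102
May 23 15:04:20 fedev sshd[6037]: Failed password for invalid user webdeveloper from ::ffff:70.248.31.102 port 47529 ssh2
May 23 15:04:23 fedev sshd[6040]: Invalid user services from ::ffff:70.248.31.102
May 23 15:04:29 fedev sshd[6043]: Invalid user ircd from ::ffff:70.248.31.102
May 23 15:10:00 fedev sshd[6100]: Failed password for root from ::ffff:10.0.0.5 port 50001 ssh2
May 23 15:16:00 fedev sshd[6120]: Failed password for root from ::ffff:10.0.0.5 port 50002 ssh2
"""

# syslog timestamp, sshd pid, and the peer address (IPv4-mapped prefix stripped)
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d+:\d+:\d+) \S+ sshd\[(\d+)\]: .* from (?:::ffff:)?(\d+\.\d+\.\d+\.\d+)"
)


def connections(log_text, year=2007):
    """Yield (timestamp, source) once per sshd pid, i.e. once per new connection."""
    seen = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) in seen:
            continue
        seen.add(m.group(2))
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(3)


def simulate_recent(events, seconds=300, hitcount=3):
    """Replay '--update --seconds S --hitcount N -j DROP' followed by '--set'."""
    stamps = defaultdict(list)  # the kernel caps this list (default 20); not modelled here
    verdicts = []
    for ts, src in events:
        # --update matches when at least `hitcount` earlier stamps fall inside the window
        recent = [t for t in stamps[src] if (ts - t).total_seconds() <= seconds]
        dropped = len(recent) >= hitcount
        # a matched --update and the fallthrough --set both record this packet's time,
        # so a source that keeps hammering keeps extending its own block
        stamps[src].append(ts)
        verdicts.append((ts.strftime("%H:%M:%S"), src, "DROP" if dropped else "ACCEPT"))
    return verdicts


if __name__ == "__main__":
    for when, src, verdict in simulate_recent(connections(SAMPLE_SECURE_LOG)):
        print(when, src, verdict)
```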

However, the rules I just applied will be lost after a restart. To make them permanent, put the commands above into /etc/rc.local, or run "service iptables save", which writes the current rules to /etc/sysconfig/iptables:
[root@fedev ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@fedev ~]#

Note:
The iptables-save and iptables-restore commands write the current rules to STDOUT and read them back from STDIN, so they can be redirected to and from a file. Here are some examples.
[root@fedev ~]# mkdir /backup
[root@fedev ~]# iptables-save > /backup/iptables.nobrute
[root@fedev ~]# cat /backup/iptables.nobrute
# Generated by iptables-save v1.2.11 on Fri May 25 18:24:00 2007
*filter
:INPUT ACCEPT [1923:874178]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1380:533607]
-A INPUT -i eth+ -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 3 --name DEFAULT --rsource -j DROP
-A INPUT -i eth+ -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
COMMIT
# Completed on Fri May 25 18:24:00 2007
[root@fedev ~]# iptables-restore < /backup/iptables.backup


Note: On Ubuntu I don't see an iptables service in /etc/init.d, so we need to manually create a script file to run those two commands.
