Post subject: Rules on the input of MT
Posted: 17.04.2007 - 08:30 #49370
Basic
Joined: Apr 19, 2004
Posts: 159
I have a public IP. Every day I log attacks from outside via SSH and login failures. How can I use the INPUT chain, IN interface WAN, and drop traffic from outside 213.0.0.0? Thanks. Or rather, please describe the setup.

Post subject: RE: Rules on the input of MT
Posted: 17.04.2007 - 21:44 #49382
Guru
Joined: Oct 23, 2005
Posts: 1031
Location: /etc/bin/ladin
Well, for example:
iptables -I INPUT ! -s 213.0.0.0/8 -p tcp --dport 22 -j DROP
there are countless combinations

Post subject: Rules on the input of MT
Posted: 18.04.2007 - 10:08 #49401
Apprentice
Joined: Apr 12, 2006
Posts: 930
Location: Vranov nad Topľou
orin wrote: ›I have a public IP. Every day I log attacks from outside via SSH and login failures. How can I use the INPUT chain, IN interface WAN, and drop traffic from outside 213.0.0.0? Thanks. Or rather, please describe the setup.
Well, can't you just put only your own IP for access to it? I mean for SSH.

Post subject: RE: Rules on the input of MT
Posted: 18.04.2007 - 13:31 #49425
Master
Joined: Jan 12, 2003
Posts: 4250
Location: /dev/null
icerowicz, orin: you will really appreciate settings like these when something happens to f... up and you need to log in from the middle of nowhere and it won't work... and the customers will be bitching that something isn't working, when all you'd need is to log in and fix something remotely...

Post subject: RE: Rules on the input of MT
Posted: 18.04.2007 - 14:15 #49431
Guru
Joined: Mar 13, 2005
Posts: 1867
Location: Nitra
si wrote: ›icerowicz, orin: you will really appreciate settings like these when something happens to f... up and you need to log in from the middle of nowhere and it won't work... and the customers will be bitching that something isn't working, when all you'd need is to log in and fix something remotely...
But no, you can still log in there, e.g. via Winbox, and immediately allow access from any IP there.

Post subject: RE: Rules on the input of MT
Posted: 18.04.2007 - 14:19 #49433
Basic
Joined: Oct 12, 2003
Posts: 354
Those are the mysteries of MKT that I'll never understand in my life... but never mind... and doesn't anybody hammer on Winbox???
I'll just move SSH to some port way up high in the middle of nowhere and done...

Post subject: RE: Rules on the input of MT
Posted: 18.04.2007 - 14:36 #49435
Master
Joined: Jan 12, 2003
Posts: 4250
Location: /dev/null
airbilly: well, I'm curious how you'll install some Winbox on a mobile somewhere in the middle of nowhere in the mountains when something of yours crashes
and whoever really wants to get in there will just as easily get hold of Winbox too...

Post subject: RE: Rules on the input of MT
Posted: 18.04.2007 - 15:10 #49440
Basic
Joined: May 31, 2006
Posts: 292
si wrote: ›airbilly: well, I'm curious how you'll install some Winbox on a mobile somewhere in the middle of nowhere in the mountains when something of yours crashes
and whoever really wants to get in there will just as easily get hold of Winbox too...
I'd like to see such a successful attack by logging in via SSH... that is, unless there's some nutty admin on that machine...

Post subject: RE: Rules on the input of MT
Posted: 18.04.2007 - 17:00 #49450
Master
Joined: Jan 12, 2003
Posts: 4250
Location: /dev/null
qido: me too, but still, just so that I'm not bothered by too many login attempts from scripts that try various default passwords from some distros, I've limited the number of SSH attempts from external IPs to some reasonably low number per minute; a normal person won't fill it up and it quickly sends an attacker into DROP

Post subject: Oh my, SI
Posted: 19.04.2007 - 14:02 #49504
Basic
Joined: Apr 19, 2004
Posts: 159
si wrote: ›qido: me too, but still, just so that I'm not bothered by too many login attempts from scripts that try various default passwords from some distros, I've limited the number of SSH attempts from external IPs to some reasonably low number per minute; a normal person won't fill it up and it quickly sends an attacker into DROP
Now SI, you f... hit the nail right on the head. That's exactly what this is about. They're testing logins under x names. Can you send the script?
I can't restrict SSH to an IP; I need to log in from Orange, e-Tel, GTS, from abroad. So on this I agree with the contributors from the mountains.
So limiting the number of SSH logins per minute is the right solution. Thanks for the tip, and send the script

Post subject: RE: Rules on the input of MT
Posted: 19.04.2007 - 15:42 #49509
Basic
Joined: Oct 12, 2003
Posts: 354
A script???
iptables -N LIMIT                           # new user chain for the rate limit
iptables -F LIMIT                           # flush it in case the script is run again
iptables -I INPUT 1 -i [waniface] -j LIMIT  # send all WAN input through the chain first
# record every new SSH connection under its source address...
iptables -A LIMIT -i [waniface] -p tcp --dport 22 -m state --state NEW -m recent --set
# ...and drop it once the same source has made 3 or more new connections within 60 seconds
iptables -A LIMIT -p tcp --dport 22 -i [waniface] -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
iptables -A LIMIT -j RETURN                 # everything else goes back to INPUT
and you've got the whole thing
edit:
sorry, replace waniface with the name of the NIC you have on the public side... + you can also add IPs there with -s...

Post subject: RE: Rules on the input of MT
Posted: 19.04.2007 - 16:08 #49511
Master
Joined: Jan 12, 2003
Posts: 4250
Location: /dev/null
example:
Code: ›
/usr/sbin/iptables -N ssh
# trusted addresses are accepted before any counting takes place
/usr/sbin/iptables -I ssh -s 1.2.3.4 -j ACCEPT
/usr/sbin/iptables -I ssh -s 5.6.7.8 -j ACCEPT
# the --update/DROP rule must come before the --set/ACCEPT rule, otherwise every NEW packet is
# accepted before it is ever counted; a source with 10 or more new connections within 300 s
# (and the same TTL as when it was first seen, --rttl) is dropped, with no -m limit on the DROP
# rule because packets above a limit would fall through and be accepted
/usr/sbin/iptables -A ssh -m state --state NEW -m recent --update --seconds 300 --hitcount 10 --rttl --name ssh --rsource -j DROP
# everything else is recorded in the "ssh" list and accepted
/usr/sbin/iptables -A ssh -m state --state NEW -m recent --set --name ssh --rsource -j ACCEPT
# hand new SSH traffic arriving on the public interface to the chain
/usr/sbin/iptables -I INPUT -i eth0 -p tcp --dport 22 -j ssh
where, in addition to what magnut posted, the IPs 1.2.3.4 and 5.6.7.8 are not tested and are automatically considered correct (when you know that you and nobody else regularly log in from those IPs, so that some random script attacking your IP doesn't needlessly cut you off)
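As an added illustration (not code from the thread), the following Python model replays new SSH connection attempts through magnut's LIMIT chain and si's ssh chain and reproduces how the -m recent --set and --update --seconds/--hitcount matches interact, including why the --update/DROP rule has to sit before the --set -j ACCEPT rule. It ignores --rttl and the interface/port matches, assumes every attempt is a NEW SSH packet on the WAN side, and uses a constructed source address.

```python
from collections import defaultdict

# Modelled rule kinds (a subset of iptables, assumed for this illustration):
#   ("accept_src", ip) -> -s ip -j ACCEPT
#   ("update", seconds, hitcount, target) -> -m recent --update --seconds S --hitcount H -j target
#   ("set", target) -> -m recent --set [-j target]
def _record(stamps, src, t, list_tot):
    stamps[src].append(t)
    del stamps[src][:-list_tot]  # the module keeps only the newest ip_pkt_list_tot stamps

def run_chain(rules, attempts, list_tot=20):
    """Replay NEW SSH connection attempts [(t_seconds, src_ip), ...] through a chain.
    --set always matches and records a hit; --update matches only when src is already in
    the list with >= hitcount hits inside the last `seconds`, and then records a hit too.
    Returns [(t, src, verdict)], with verdict 'RETURN' when no rule terminated the packet."""
    stamps = defaultdict(list)
    out = []
    for t, src in attempts:
        verdict = "RETURN"
        for rule in rules:
            if rule[0] == "accept_src":
                if src == rule[1]:
                    verdict = "ACCEPT"
                    break
            elif rule[0] == "update":
                _, seconds, hitcount, target = rule
                if src not in stamps or sum(t - s <= seconds for s in stamps[src]) < hitcount:
                    continue
                _record(stamps, src, t, list_tot)
                verdict = target
                break
            elif rule[0] == "set":
                _record(stamps, src, t, list_tot)
                if rule[1]:
                    verdict = rule[1]
                    break
        out.append((t, src, verdict))
    return out

# magnut's LIMIT chain: --set (no target), then --update --seconds 60 --hitcount 3 -j DROP
LIMIT = [("set", None), ("update", 60, 3, "DROP")]
# si's ssh chain: trusted sources first, then --update/DROP, then --set -j ACCEPT
SSH = [("accept_src", "1.2.3.4"), ("accept_src", "5.6.7.8"),
       ("update", 300, 10, "DROP"), ("set", "ACCEPT")]
# the two recent rules in the other order: --set -j ACCEPT terminates every NEW packet first
SSH_WRONG_ORDER = [("set", "ACCEPT"), ("update", 300, 10, "DROP")]

def verdicts(rules, n=12, gap=5, src="203.0.113.7"):
    """Verdicts for n attempts from one constructed source address, `gap` seconds apart."""
    return [v for _, _, v in run_chain(rules, [(i * gap, src) for i in range(n)])]
```

With the default 12 attempts five seconds apart, LIMIT lets two through and drops from the third, si's chain accepts ten and drops from the eleventh, and the reversed order never drops anything.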