Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm not totally clear what advantage you hope to gain: you are already dropping the packets that you want to drop, so no advantage there. It could be more efficient (or not), but to know that we'll have to look at the details.
Quote:
Originally Posted by Bulletproof
I'd like to be able to block IPs that get dropped by the iptable rule above automatically without having to check the logs and do them manually.
There are several utilities like fail2ban, denyhosts, etc, that can be used to do blocking based on various failure conditions. If I recall correctly, fail2ban is probably the most versatile, so is probably the best place to start.
The general principle is that fail2ban is a filter, written in python, that looks through log files, and based on the entries in the log files and the conditions that you set, can make new 'block' entries. Now, I'm guessing a bit here, but my guess is that you'd have to have a pretty odd set of conditions for the fail2ban route to use fewer cpu cycles than your existing iptables rule.
So....what do you hope to gain?
(PS: the reply from Lithos came in while I was scribbling.)
I'm not totally clear what advantage you hope to gain: you are already dropping the packets that you want to drop, so no advantage there. It could be more efficient (or not), but to know that we'll have to look at the details.
I own a dedicated server used as a gameserver which gets DDoS'd on a daily basis - I have many iptable rules that filter out the obvious IPs used to DDoS (connections are UDP) - now by automatically banning the IP, it will prevent it from being used again to DDoS the server. Dropping the connection doesn't prevent it from being used again to DDoS 5 minutes later.
I will be looking into fail2ban, thanks a bunch to all of you for pointing me in the right direction.
Last edited by Bulletproof; 08-09-2012 at 04:51 PM.
What games exactly? Please be specific about versions.
Quote:
Originally Posted by Bulletproof
which gets DDoS'd on a daily basis (..) Dropping the connection doesn't prevent it from being used again to DDoS 5 minutes later.
Did you ever look for updates for the game binaries you host?
What gaming experiences, logging, anomalies, evidence or whatever else made you think it's DoS attacks?
Did you ever look for specific game anti-DoS measures?
Did you even try traffic analysis based on packet captures (tcpdump / tshark, Wireshark, Snort)?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Blocking an IP
