hosts.deny vs arno ip tables blocked hosts

D0zer · 12-04-2014, 01:13 AM

Hi All

A client of mine has a mail server running Gentoo, it has Arno Ip tables installed for the firewall. The person who setup up the server had not loaded anything to block IP addresses with failed login attempts.

I am using denyhosts to block offending IP address. Its amazing how many attempts from people there are to log into the server.

Dnyhosts adds the offending IP addresses to hosts.deny. I have taken to also adding ip's to the blocked hosts in arno ip tables when I have seen attempts in the log files.

Which is the better place to do it? I manually restart Arno Ip tables each time I add an ip address there.

Is it possible to block IP addresses using wildcards. I want to essentially block all attempts from, 103.41.x.x. I have noticed a pattern where the last part of the IP address changes so ideally I want to block all ip address in that range.

Thanks in Advance

unSpawn · 12-04-2014, 12:36 PM

Quote:

Originally Posted by D0zer

Which is the better place to do it?

Obviously Netfilter. Also see Denyhosts vs Fail2ban aka tcp_wrappers vs iptables.

Quote:

Originally Posted by D0zer

I manually restart Arno Ip tables each time I add an ip address there.

Not necessary.

Quote:

Originally Posted by D0zer

Is it possible to block IP addresses using wildcards. I want to essentially block all attempts from, 103.41.x.x. I have noticed a pattern where the last part of the IP address changes so ideally I want to block all ip address in that range.

See man ipset ('ipset create myset hash:net').

D0zer · 12-07-2014, 02:07 AM

Thanks for suggestions unSpawn.