I have a Redhat 7.3 firewall between a Microsoft Ethernet and the Internet. We have been experiencing a series of unauthorized login attempts. I've determined the IP address ranges involved in these login attempts and I've entered the following DROP commands in iptables to block further login attempts:
iptables -A INPUT -s 200.0.0.0/24 -j DROP
iptables -A INPUT -s 218.0.0.0/24 -j DROP
iptables -A INPUT -s 219.0.0.0/24 -j DROP
iptables -A INPUT -s 168.226.0.0/24 -j DROP
All but one of these commands displays like the following example when displaying a listing of iptables:
DROP all -- YahooBB219000000000.bbtee.net/24 anywhere.
Unauthorized login attempts received from the 219 IP address range have continued, while the other three IP address ranges have had no further attempts recorded since I entered these commands in iptables.
I've also entered this command in iptables, attempting to block this hole.
iptables -A INPUT -s 219.153.0.0/24 -j DROP
After all these entries, I'm still receiving unauthorized login attempts from IP addresses:
Can you explain why I'm receiving the strange Yahoo listing in iptables when I enter the iptables -A INPUT -s 219.0.0.0/24 -j DROP command while the other commands I've entered do not exhibit these strange results?
Is there anything you can offer to assist me in blocking packets received from IP addresses 219.0.0.0 through 219.255.255.255?
Quote:
Originally posted by mm_jth
I've also entered this command in iptables, attempting to block this hole.
iptables -A INPUT -s 219.153.0.0/24 -j DROP
For starters, this is only going to block 219.153.0.0 through 219.153.0.255. If you want to block the whole range that is assigned to APNIC, then use 219.0.0.0/8. This is a really large range to block. You may want to check the APNIC website to see where these IP addresses have been assigned and block only those subnets.
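To make the prefix-length point above concrete, here is a small POSIX sh helper, added as an example and not code from anyone in this thread, that computes the first and last address covered by a CIDR prefix, the equivalent dotted netmask (the form iptables prints, e.g. /255.0.0.0), and whether a given address falls inside a prefix. It uses only shell arithmetic, so it runs anywhere without root and without touching the firewall; the addresses fed to it are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: CIDR prefix arithmetic in plain POSIX sh (no iptables calls).

# ip2int: dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip: 32-bit integer -> dotted quad
int2ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# prefix_mask BITS: integer netmask for a /BITS prefix (masked to 32 bits)
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_mask A.B.C.D/BITS -> dotted netmask, e.g. 219.0.0.0/8 -> 255.0.0.0
cidr_mask() {
    int2ip "$(prefix_mask "${1#*/}")"
}

# cidr_range A.B.C.D/BITS -> "first last" addresses covered by the prefix
cidr_range() {
    mask=$(prefix_mask "${1#*/}")
    base=$(( $(ip2int "${1%/*}") & mask ))
    last=$(( base | (~mask & 4294967295) ))
    echo "$(int2ip "$base") $(int2ip "$last")"
}

# ip_in_cidr ADDR A.B.C.D/BITS -> exit 0 when ADDR is inside the prefix
ip_in_cidr() {
    mask=$(prefix_mask "${2#*/}")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Demo with the prefixes discussed in the thread
for p in 219.153.0.0/24 219.0.0.0/8 168.226.0.0/24 168.226.0.0/16; do
    printf '%-18s mask %-15s covers %s\n' "$p" "$(cidr_mask "$p")" "$(cidr_range "$p")"
done
# Constructed test address: inside the /8 but outside the /24
if ip_in_cidr 219.1.2.3 219.153.0.0/24; then echo "219.1.2.3 matched /24"; else echo "219.1.2.3 NOT matched by 219.153.0.0/24"; fi
if ip_in_cidr 219.1.2.3 219.0.0.0/8; then echo "219.1.2.3 matched by 219.0.0.0/8"; fi
```

Running it shows why the /24 rule could not stop the attempts: 219.153.0.0/24 covers only 256 addresses, whereas 219.0.0.0/8 covers the whole 219.x.x.x block. Use `ip_in_cidr` with an address from your logs before adding a rule to confirm the prefix you are about to block actually contains it.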
markus1982, I've inserted the DROP rules at the top of the table. It didn't like the 0 after INPUT but worked fine when I let it default to the top of the table. All the rules display properly now. Do you have any idea why I was receiving the strange "DROP all -- YahooBB219000000000.bbtee.net/24 anywhere" listing when I had appended this rule to the end of the table, but receive -A INPUT -s 219.0.0.0/255.0.0.0 -j DROP when inserting it at the top of the table? The advice I've received from you and stickman all makes sense to me with the exception of this issue.
I've checked with APNIC and would like to block this entire range. We've been receiving unauthorized login attempts both through APNIC and LANNIC. As we do not do business in either of these regions, I would like to throw as large a net as possible.
I've modified the rules as you've suggested and inserted them at the top of the table. Thanks for the pointer to the CIDR information. That cleared up my confusion with the rule notation. This is what the top of the table looks like now:
[0:0] -A INPUT -s 168.226.0.0/255.255.0.0 -j DROP
[0:0] -A INPUT -s 200.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 218.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 219.0.0.0/255.0.0.0 -j DROP
Thanks for all your help. Just one more quick question you may be able to help me with. I notice the notation at the start of each rule line [0:0] doesn't denote rule numbers. Does the numbering of rules in iptables start with 0 or 1?
Quote:
I've inserted the DROP rules at the top of the table. It didn't like the 0 after INPUT but worked fine when I let it default to the top of the table. All the rules display properly now.
Well, it would probably have been 1 then ... it's ages since I've used something like that.
Quote:
Do you have any idea why I was receiving the strange "DROP all -- YahooBB219000000000.bbtee.net/24 anywhere" listing when I had appended this rule to the end of the table, but receive -A INPUT -s 219.0.0.0/255.0.0.0 -j DROP when inserting it at the top of hte table?
This is just what it resolves to.
Quote:
I notice the notation at the start of each rule line [0:0] doesn't denote rule numbers. Does the numbering of rules in iptables start with 0 or 1?
This is simple:
[packets:bytes]
could also be kbytes or mbytes depending on the traffic...
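Since the [packets:bytes] counters are the quickest way to tell whether a DROP rule is actually catching anything, here is a small POSIX sh filter, added as an example and not posted by anyone in this thread, that reads iptables-save style lines with counters and reports which rules have matched traffic. The input below is a constructed sample in the same format as the listing above (the non-zero counter is made up for the demonstration); on a live box the same format comes from `iptables-save -c`.

```shell
#!/bin/sh
# Added example: find DROP rules whose packet counters show they have fired.

# Constructed sample of counted rules (same layout as the listing in the thread;
# the 42-packet line is invented to show a rule that has matched)
SAMPLE='[0:0] -A INPUT -s 168.226.0.0/255.255.0.0 -j DROP
[42:2520] -A INPUT -s 219.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 200.0.0.0/255.0.0.0 -j DROP
[0:0] -A INPUT -s 218.0.0.0/255.0.0.0 -j DROP
:INPUT ACCEPT [0:0]'

# rule_counters: for every "[packets:bytes] -A ..." line on stdin print
# "packets bytes rule"; chain headers and other lines are skipped
rule_counters() {
    while IFS= read -r line; do
        case $line in
            "["*":"*"] -A "*) ;;
            *) continue ;;
        esac
        counters=${line%%]*}        # "[42:2520"
        counters=${counters#"["}    # "42:2520"
        packets=${counters%%:*}
        bytes=${counters#*:}
        rule=${line#*"] "}          # "-A INPUT -s ... -j DROP"
        printf '%s %s %s\n' "$packets" "$bytes" "$rule"
    done
}

# hit_rules: only the rules whose packet counter is non-zero
hit_rules() {
    rule_counters | while read -r packets bytes rule; do
        if [ "$packets" -gt 0 ]; then
            printf '%s\n' "$rule"
        fi
    done
}

echo "All counted rules:"
printf '%s\n' "$SAMPLE" | rule_counters
echo "Rules that have matched packets:"
printf '%s\n' "$SAMPLE" | hit_rules
```

A rule that stays at [0:0] while the attempts continue is the signal that the prefix is wrong or the rule sits below an ACCEPT that already matched; a rising counter on the intended DROP line confirms the block is doing its job.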