
[cobalt-users] Re: hosts.deny - try ipchains



Theo,

I ran into the same trouble when trying to deny access to several spammers.
Instead of recompiling the kernel, try using ipchains. It is a rewrite of
IPFWADM and you can get an .rpm file from the RedHat site. I guess the
kernel on our Raq3's is already compiled to allow support for ipchains. Just
go to:

  http://www.redhat.com

Go to the "Download" link and do a search for "ipchains." I believe the
first hit in the results is the application you want. I have found the link
on the RedHat results is sometimes broken, but searching around the mirror
sites with FTP should get you what you need.

I have installed it on 2 RaQ3's and it works very well. There is also fairly
good documentation included with it.

Good luck,

-Nick Voth

> Date: Sun, 08 Oct 2000 21:10:34 -0700
> From: Theodore Jones <theoj@xxxxxxxxxxxxx>
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-users] [RaQ3i] hosts.deny
> Reply-To: cobalt-users@xxxxxxxxxxxxxxx
>
> Brandon,
>
> Thanks for the info.
>
> Yah, security didn't seem to be at the top of their list when stirring
> the "special sauce"...
>
> I've already got PortSentry running for my regular inet services, just
> didn't know it didn't cover httpd as well... Unfortunately I'm probably
> not bold enough to recompile IPFWADM
> into my kernel at this time either.
>
> Has anyone else out there attempted this kernel recompile, and would
> they like to report the results?
>
>
> ~ Theo
>
> Brandon Wheaton wrote:
>
>> On Sun, 8 Oct 2000, a remote ECHELON node intercepted, flagged and
>> forwarded the following transmission from Theodore Jones:
>> > when I add an IP to the "hosts.deny" file under /etc,
>> >     ALL:  209.74.20.34
>> > then do a:
>> >     /etc/rc.d/init.d/inet reload
>> > then watch my /home/log/httpd/error file (tail -f), I
>> > don't seem to see that this IP/person is blocked from
>> > making random guesses at my CGI files....
>>
>> Hi Theo.
>>
>> Hosts.deny is a component of TCP Wrappers. TCP Wrappers
>> only protects services running under inet (for a list of
>> inet services, look in /etc/inetd.conf) hence any entries
>> you add to your hosts.deny and hosts.allow file will only
>> block traffic for those services. (i.e. pop and telnet)
>>
>> If you want to block traffic to your entire box (short
>> of utilizing an external firewall) you will need to
>> utilize a kernel-level filter called IPFWADM. Use of
>> IPFWADM requires Kernel recompilation, which will no
>> doubt void your warranty. I can't imagine why Cobalt
>> would leave this critical component out of its OS. But
>> if you are a brave soul, here is the rundown. IPFWADM
>> is the basic Linux firewall tool. (Kernel 2.102+ uses
>> IPCHAINS) To utilize it to block an IP, all you have
>> to do is /sbin/ipfwadm -I -i deny -S 209.74.20.34 -o
>> With the -o option, all access attempts will be entered
>> into /var/log/messages for your viewing pleasure. The
>> "deny" makes it look to your attacker as if you have
>> fallen off the Internet. You can also use the "reject"
>> option, which gives attackers a "connection refused"
>> message if that's what you prefer. Either way - the result
>> is that you won't need to worry about them any longer.
>> Until they get smart and attack you from another IP,
>> that is ;^) That is where Portsentry comes into play
>> - but that's another e-mail entirely.
>>
>> Have fun.
>>
>> Brandon Wheaton
>> UNIX Systems Engineer
>> ValiCert, Inc.
>> 1215 Terra Bella Ave.
>> Mountain View, CA 94043
>> 650.567.5430
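Brandon's point above, that hosts.deny only reaches services inetd starts through tcpd and so never touches a standalone httpd, as an added example that is not part of this thread: a small Python model of the TCP Wrappers decision (hosts.allow first, then hosts.deny, default allow), run against constructed hosts.allow, hosts.deny and inetd.conf samples; the daemon names in.telnetd and ipop3d are assumed for the example.

```python
"""Added example, not from the cobalt-users thread: a model of TCP Wrappers
matching (hosts_access(5)) showing why 'ALL: 209.74.20.34' in hosts.deny stops
telnet and pop but never touches httpd. hosts.allow is checked first, then
hosts.deny, default allow; only servers inetd starts via tcpd are wrapped."""
HOSTS_ALLOW = "# nothing explicitly allowed\n"  # constructed sample files
HOSTS_DENY = "ALL:  209.74.20.34\n"
INETD_CONF = """
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
"""

def wrapped_daemons(inetd_conf):
    """Server names launched via tcpd; httpd is a standalone daemon, so absent."""
    names = set()
    for line in inetd_conf.splitlines():
        f = line.split()
        if len(f) >= 7 and not f[0].startswith("#") and f[5].endswith("tcpd"):
            names.add(f[6].rsplit("/", 1)[-1])
    return names

def parse_access_file(text):
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(":")
        if len(parts) >= 2:  # skip blank, comment-only and malformed lines
            rules.append((parts[0].replace(",", " ").split(),
                          parts[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, client_ip):
    """ALL, an exact address, or a trailing-dot network prefix like '209.74.'."""
    return (pattern == "ALL" or pattern == client_ip
            or (pattern.endswith(".") and client_ip.startswith(pattern)))

def rule_hits(rules, daemon, client_ip):
    return any(("ALL" in ds or daemon in ds)
               and any(client_matches(c, client_ip) for c in cs)
               for ds, cs in rules)

def access_decision(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY, inetd_conf=INETD_CONF):
    """'granted', 'denied', or 'unwrapped' (the access files never apply)."""
    if daemon not in wrapped_daemons(inetd_conf):
        return "unwrapped"
    if rule_hits(parse_access_file(allow), daemon, client_ip):
        return "granted"
    if rule_hits(parse_access_file(deny), daemon, client_ip):
        return "denied"
    return "granted"
```

The "unwrapped" result for httpd is the behaviour Theo observed in his error log: the kernel-level filter (ipfwadm or ipchains) is the layer that can block the address for every service.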