[ubuntu-hardened] [Secure] Automate IP address banning using ipset and iptables.

Jim Tarvid tarvid at ls.net
Sun Nov 22 12:20:13 UTC 2015


I should have pointed out that the trick77 implementation blocks the vast
majority of ssh and ftp attempts.


fail2ban-messages

Banned services with Fail2Ban:                     Bans:Unbans
  dovecot:                                                [ 12:12 ]
  ssh:                                                    [  2:2  ]
  vsftpd:                                                 [ 33:33 ]

Before implementation I used to have hundreds of failed login attempts.

On Sun, Nov 22, 2015 at 7:12 AM, Jim Tarvid <tarvid at ls.net> wrote:

> I can point to a partial answer to your question.
>
> https://github.com/trick77/ipset-blacklist
>
> My cron job is not working.
>
> root at helen:/etc/ipset-blacklist# crontab -l
> ...
> @daily /usr/local/bin/update-blacklist
>
> I don't know how to restart iptables short of a reboot.
>
> On Sun, Nov 22, 2015 at 3:41 AM, daniel curtis <sidetripping at gmail.com>
> wrote:
>
>>
>> Hello,
>>
>> First things first; I hope that I'm asking my question in
>> the right place (I mean this mailing list). Since it is about
>> system security etc., I think it is a fine place. If it is not, then
>> I'm sorry.
>>
>> So, I would like to ask about the best method to automate
>> IP address banning (port scanning or remote hosts that
>> try to connect to - for example - port 25) using "ipset" and
>> "iptables".
>>
>> I know that there are multiple ways to make it right, especially
>> with "ipset". So, which of these "ipset" commands are okay
>> to create so-called "sets"? Which one should I use?
>>
>> 1/ ipset create banned hash:ip hashsize 4096
>> 2/ ipset create banned hash:net family inet
>> 3/ ipset create banned hash:net
>> 4/ ipset -N banned iphash
>>
>> Generally, I would like to ban IP addresses (also port scanning
>> etc.) using "ipset" and "iptables". According to this, which
>> type of set[1] is okay in this case: "hash:net", "hash:ip,port"
>> or maybe another one?
>>
>> Also, I will have to create an "iptables" rule which matches against the
>> set, right? The key here is to use the "-m set --match-set <name>" option. Am I
>> right? For now I will not provide the "iptables"
>> rule, because the most important thing is the "ipset" command.
>>
>> Best regards.
>> _____________
>> [1] http://ipset.netfilter.org/features.html
>>
>>
>> --
>> ubuntu-hardened mailing list
>> ubuntu-hardened at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
>>
>>
>
>
> --
>
> Kindness Works!
> Jim Tarvid
> 12897A Grays Pointe Road, Fairfax, Va 22033-2143
> 38.87782, -77.39270
> 703-657-0099 Condo
> 703-825-8463 Cabin
> 703-624-5289 Cell
> 703-594-7297 Google voice
> 202-753-0025 Tablet
> http://ls.net
>



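The two points raised in the thread (which ipset set type to create and how to match it from iptables, and how to refresh the list without restarting iptables) as an added example; this is not code from the thread nor from trick77/ipset-blacklist. It assumes ipset and iptables are installed and the script runs as root; the set name "banned", the hashsize/maxelem values and the DRY_RUN switch are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes ipset + iptables, run as root.
# DRY_RUN=1 prints the commands instead of executing them (no root needed).
set -eu
SET_NAME=${SET_NAME:-banned}
TMP_SET="${SET_NAME}-tmp"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

rule_exists() {
    # iptables -C checks for an identical rule so setup can be re-run safely.
    [ "${DRY_RUN:-0}" = "1" ] && return 1
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null
}

# One-time setup. hash:net accepts both single hosts (implicitly /32) and CIDR
# blocks, so it covers the hash:ip-or-hash:net question; family inet = IPv4.
setup_blacklist() {
    run ipset -exist create "$SET_NAME" hash:net family inet hashsize 4096 maxelem 65536
    rule_exists || run iptables -I INPUT 1 -m set --match-set "$SET_NAME" src -j DROP
}

# Ban one host or network immediately; the rule above matches it at once.
ban() {
    run ipset -exist add "$SET_NAME" "$1"
}

# Rebuild the set from a file (one IPv4 address or CIDR per line, '#' comments
# allowed). Entries go into a temporary set that is swapped in with a single
# ipset swap, so the live iptables rule is never removed or reloaded: there is
# no "restart iptables" step, which is also why a cron job can do this safely.
refresh_blacklist() {
    run ipset -exist create "$TMP_SET" hash:net family inet hashsize 4096 maxelem 65536
    run ipset flush "$TMP_SET"
    grep -Eo '^[0-9]+(\.[0-9]+){3}(/[0-9]+)?' "$1" | while read -r net; do
        run ipset -exist add "$TMP_SET" "$net"
    done
    run ipset swap "$TMP_SET" "$SET_NAME"
    run ipset destroy "$TMP_SET"
}

case "${1:-}" in
    setup)   setup_blacklist ;;
    ban)     ban "$2" ;;
    refresh) refresh_blacklist "$2" ;;
esac
```

To survive a reboot, dump the set with `ipset save` and the rule with `iptables-save` and restore both at boot, the set before the rule.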