[ubuntu-hardened] [Secure] Automate IP address banning using ipset and iptables.

Seth Arnold seth.arnold at canonical.com
Tue Nov 24 20:23:33 UTC 2015


On Tue, Nov 24, 2015 at 07:38:20PM +0100, daniel curtis wrote:
> I think that I would block individual addresses (according to the
> system logs files, such as /var/log/kern.log etc.). So, I will have
> to use the "hash:ip" set. In addition, if it is about port scanning,
> I will want to use a timeout option, for example 3600, so port
> scanning probes will be banned for an hour.

You might want to block for longer than that; slow scans that take days
are apparently now commonplace.

> There is also one more thing: should I use "DROP" or "REJECT"? As
> we know, the "DROP" target will drop a packet without any
> response while "REJECT" refuses the packet sending an ICMP-type
> response back to the source host etc.

I prefer REJECT because DROP sends the clear signal that a firewall is
active and filtering content. REJECT just looks like there's nothing of
interest going on.

Thanks
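The workflow the thread describes (pick source addresses out of kern.log, put them into a "hash:ip" set with a timeout, and match the set from iptables) as an added example that is not part of the original message or of the ipset project. The set name, the log prefix handling and the sample log lines are assumptions; the script prints the commands instead of running them so it can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): turn iptables LOG hits in kern.log
# into ipset ban commands for a "hash:ip" set with a per-entry timeout.
# Set name and sample log lines are assumptions / constructed samples.

SET_NAME="banned_hosts"
BAN_TIMEOUT="${BAN_TIMEOUT:-3600}"   # seconds; the thread's example is an hour,
                                     # the reply suggests longer for slow scans

# Commands that create the set (with a default timeout so entries expire
# on their own) and hook it into INPUT using REJECT, as the reply prefers.
setup_commands() {
    printf '%s\n' \
      "ipset create $SET_NAME hash:ip timeout $BAN_TIMEOUT -exist" \
      "iptables -I INPUT -m set --match-set $SET_NAME src -j REJECT"
}

# Read kern.log-style lines on stdin, extract the SRC= address from lines
# that carry one, and emit a single 'ipset add' per unique address.
# '-exist' makes re-adding a known address refresh its timeout instead
# of failing, so the script can be re-run from a log tail or a cron job.
ban_commands() {
    grep 'SRC=' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u |
    while read -r ip; do
        printf 'ipset add %s %s timeout %s -exist\n' \
            "$SET_NAME" "$ip" "$BAN_TIMEOUT"
    done
}

# Constructed sample lines in the format the iptables LOG target writes to
# kern.log; the last line is unrelated kernel noise that must be ignored.
SAMPLE_LOG='Nov 24 19:38:20 host kernel: [12.34] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=22 SYN
Nov 24 19:38:21 host kernel: [12.35] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=23 SYN
Nov 24 19:38:25 host kernel: [12.40] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=445 SYN
Nov 24 19:40:00 host kernel: [13.00] usb 1-1: new high-speed USB device'

if [ "${1:-}" = "--demo" ]; then
    setup_commands
    printf '%s\n' "$SAMPLE_LOG" | ban_commands
fi
```

Run with `--demo` to see the generated commands; on a real host, feed `tail -F /var/log/kern.log` into `ban_commands` and pipe the output to `sh` once the rules look right.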