[wellylug] Blocking bad IPs from server

scott at slackisland.org scott at slackisland.org
Fri Jan 26 15:33:01 NZDT 2007


Hi everyone,

I have a quick question about this:

> Quoting John Durham <johndurh at spunge.org>:
> for i in `cat /path/to/badips.txt`; do iptables -A INPUT -s $i -j DROP;
> done

is this going to be OK if you have, say, 2539 bad IPs? I've been running
SSH on a nonstandard port and use knockd to open that ssh port up, so
every attempted connection to the standard ssh port I've considered
malicious. Doing this:

tac /var/log/ulogd/ulogd.syslogemu | grep 'DPT=22' | awk {'print $9'} |
sort | uniq | cut -c 5-19 > /var/log/sshattemptssorted.txt

gives me a full list of IP addresses that have hit my SSH port, so I was
thinking of using blacklists in shorewall firewall to permanently drop
these IPs. However that requires a kernel recompile and I haven't had time
to get around to that yet, so I'm wondering if it's feasible to add so
many IPs to iptables. Wouldn't this have a performance impact?

Cheers,
Scott still in Tokyo
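An added example, not part of Scott's message or the original thread, showing a more robust version of the log-to-blocklist step from the post. The fixed-width `cut -c 5-19` on the `SRC=` field only yields a clean address when it happens to be exactly 15 characters long; matching the field by pattern works for any address length. The ulogd line format below is assumed and the sample lines are constructed; `ssh_attempt_ips` and `count_ssh_attempt_ips` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original thread): extract the unique source
# addresses that hit destination port 22 from ulogd syslog-emulation lines.
# Matching the SRC= field directly replaces the fixed-column cut, which
# breaks on addresses shorter than 15 characters.

# Constructed sample log lines in an assumed ulogd "syslogemu" style.
SAMPLE_LOG='Jan 26 15:01:02 host ulogd: IN=eth0 OUT= MAC=... SRC=10.0.0.5 DST=192.168.1.2 LEN=60 PROTO=TCP SPT=4321 DPT=22 SYN
Jan 26 15:01:03 host ulogd: IN=eth0 OUT= MAC=... SRC=203.0.113.200 DST=192.168.1.2 LEN=60 PROTO=TCP SPT=50001 DPT=22 SYN
Jan 26 15:01:04 host ulogd: IN=eth0 OUT= MAC=... SRC=10.0.0.5 DST=192.168.1.2 LEN=60 PROTO=TCP SPT=4322 DPT=22 SYN
Jan 26 15:01:05 host ulogd: IN=eth0 OUT= MAC=... SRC=198.51.100.7 DST=192.168.1.2 LEN=60 PROTO=TCP SPT=4000 DPT=80 SYN'

# ssh_attempt_ips: read log lines on stdin, print each distinct SRC address
# that targeted DPT=22 (whole-word match, so DPT=2222 is not counted),
# one per line, sorted and de-duplicated.
ssh_attempt_ips() {
    grep -w 'DPT=22' \
    | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
    | sort -u
}

# count_ssh_attempt_ips: number of distinct offending addresses on stdin.
count_ssh_attempt_ips() {
    ssh_attempt_ips | wc -l | tr -d ' '
}

# Stand-alone run: print the address list, then how many there are.
printf '%s\n' "$SAMPLE_LOG" | ssh_attempt_ips
printf '%s\n' "$SAMPLE_LOG" | count_ssh_attempt_ips
```

The resulting list can be fed to the `for i in ...; do iptables -A INPUT -s $i -j DROP; done` loop quoted in the post. On the performance point Scott raises: a plain iptables chain is evaluated rule by rule, so a chain of a few thousand `-s ... -j DROP` rules costs up to that many comparisons for each new packet that reaches the chain.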