[wellylug] Blocking bad IPs from server
andrej at paradise.net.nz
Fri Jan 26 16:11:08 NZDT 2007
Quoting scott at slackisland.org:
> is this going to be OK if you have, say, 2539 bad IPs? I've been running
> SSH on a nonstandard port and use knockd to open that ssh port up, so
> every attempted connection to the standard ssh port I've considered
> malicious. Doing this:
Depends on the machine, I'd guess. The kernel will have to traverse
all rules, so the more you have the longer the delays will be.
> tac /var/log/ulogd/ulogd.syslogemu | grep 'DPT=22' | awk {'print $9'} |
> sort | uniq | cut -c 5-19 > /var/log/sshattemptssorted.txt
>
> gives me a full list of IP addresses that have hit my SSH port, so I was
> thinking of using blacklists in shorewall firewall to permanently drop
> these IPs. However that requires a kernel recompile and I haven't had
> time to get around to that yet,
I'm curious: which kernel version are you using, and how will
blacklisting require a recompile? I don't use/know shorewall,
so have no idea how it accomplishes its idea of blacklisting.
> so I'm wondering if it's feasible to add so many IPs to iptables.
> Wouldn't this have a performance impact?
With 2000-3000 rules I probably wouldn't be too worried, but I
haven't done any performance tests on iptables with large numbers
of rules ...
> Cheers,
> Scott still in Tokyo
Cheers,
Andrej
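A defender-side rewrite of the log extraction and rule generation discussed above, added here as an example and not code from either poster. It assumes ulogd's syslogemu output carries the kernel's SRC=/PROTO=/DPT= key=value fields; the sample log lines and the chain name SSH_BLOCK are constructed. It matches the port exactly (plain `grep 'DPT=22'` also matches DPT=2222) and puts the list in its own chain so only new SSH connections traverse it, which is what limits the per-packet cost of a long rule list.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed sample lines in the kernel-log style that ulogd's syslogemu
# plugin writes; they are illustrative, not taken from the thread.
SAMPLE_LOG = """\
Jan 26 15:01:02 fw IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=45012 DPT=22 SYN URGP=0
Jan 26 15:01:09 fw IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=45013 DPT=22 SYN URGP=0
Jan 26 15:02:31 fw IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN URGP=0
Jan 26 15:03:00 fw IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=3301 DPT=2222 SYN URGP=0
Jan 26 15:03:15 fw IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=52 PROTO=UDP SPT=5353 DPT=22 LEN=32
"""


def extract_ssh_sources(log_text, port=22):
    # Anchor the port with \b so DPT=2222 is not matched by DPT=22, require
    # PROTO=TCP, and find SRC= by name instead of by awk column number.
    pat = re.compile(
        r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b.*\bPROTO=TCP\b.*\bDPT=%d\b" % port
    )
    hits = OrderedDict()  # source IP -> number of matching packets
    for line in log_text.splitlines():
        m = pat.search(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group(1)))  # rejects e.g. 300.1.1.1
        except ValueError:
            continue
        hits[ip] = hits.get(ip, 0) + 1
    return hits


def build_blocklist_rules(ips, chain="SSH_BLOCK", port=22):
    # Keep the long list in its own chain and give INPUT one jump that only
    # NEW TCP connections to the SSH port take, so other traffic never walks it.
    rules = ["iptables -N %s" % chain]
    rules += ["iptables -A %s -s %s -j DROP" % (chain, ip) for ip in ips]
    rules.append("iptables -A %s -j RETURN" % chain)
    rules.append("iptables -A INPUT -p tcp --dport %d -m state --state NEW -j %s"
                 % (port, chain))
    return rules


if __name__ == "__main__":
    print("\n".join(build_blocklist_rules(extract_ssh_sources(SAMPLE_LOG))))
```

Running the script prints the commands rather than applying them, so the generated list can be reviewed before it is loaded into the firewall.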