[wellylug] Blocking bad IPs from server

John Durham johndurh at spunge.org
Fri Jan 26 18:59:40 NZDT 2007


scott at slackisland.org wrote:
> Hi everyone,
>
> I have a quick question about this:
>
>   
>> Quoting John Durham <johndurh at spunge.org>:
>> for i in `cat /path/to/badips.txt`; do iptables -A INPUT -s $i -j DROP;
>> done
>>     
>
> is this going to be OK if you have, say, 2539 bad IPs? I've been running
> SSH on a nonstandard port and use knockd to open that ssh port up, so
> every attempted connection to the standard ssh port I've considered
> malicious. Doing this:
>
> tac /var/log/ulogd/ulogd.syslogemu | grep 'DPT=22' | awk {'print $9'} |
> sort | uniq | cut -c 5-19 > /var/log/sshattemptssorted.txt
>
> gives me a full list of IP addresses that have hit my SSH port, so I was
> thinking of using blacklists in shorewall firewall to permanently drop
> these IPs. However that requires a kernel recompile and I haven't had time
> to get around to that yet, so I'm wondering if it's feasible to add so
> many IPs to iptables. Wouldn't this have a performance impact?
>
> Cheers,
> Scott still in Tokyo
>   
That's an interesting concern. I can only tell you the command Andre 
gave me seemed to work. The server has been quiet since, but I have not 
noticed any performance effects. If you want to test it out from your 
end, try bringing up my website. Let me know what problems, if any, you have.

-- 
Regards, John Durham <http://modecideas.com/contact.html?sig>
Fax/Phone 64 4 5286786
Award winning web site at http://modecideas.com?sig
Server hosted on Ubuntu 4.10
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Good advice is like good paint- it only works if applied. 
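
Added example, not part of either message above: one way to turn logged hits on port 22 into a single batch for `iptables-restore`, so a list of a few thousand addresses is loaded in one operation into its own chain instead of one `iptables -A` call per address. The chain name `SSH_BLOCK`, the function names and the sample log lines are assumptions constructed for illustration. Unlike a plain `grep 'DPT=22'`, it matches the port field exactly and rejects malformed addresses.

```shell
#!/bin/sh
# Added example. Chain name SSH_BLOCK and the log lines are constructed assumptions.

# Constructed sample in the KEY=value style of netfilter log lines.
sample_log() {
cat <<'EOF'
Jan 26 18:01:02 gw IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40111 DPT=22 SEQ=1
Jan 26 18:01:05 gw IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.1 PROTO=TCP SPT=40112 DPT=22 SEQ=2
Jan 26 18:01:09 gw IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40113 DPT=22 SEQ=3
Jan 26 18:02:00 gw IN=eth0 OUT= SRC=198.51.100.99 DST=192.0.2.1 PROTO=TCP SPT=40114 DPT=2222 SEQ=4
Jan 26 18:02:10 gw IN=eth0 OUT= SRC=999.1.1.1 DST=192.0.2.1 PROTO=TCP SPT=40115 DPT=22 SEQ=5
EOF
}

# Read log lines on stdin; print unique, valid IPv4 sources of DPT=22 packets.
extract_ssh_sources() {
    awk '{
        src = ""; hit = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "DPT=22") hit = 1            # exact field, so DPT=2222 is skipped
            else if ($i ~ /^SRC=/) src = substr($i, 5)
        }
        if (!hit || src == "") next
        if (split(src, o, ".") != 4) next
        for (k = 1; k <= 4; k++)                    # each octet: 1-3 digits, at most 255
            if (o[k] !~ /^[0-9][0-9]?[0-9]?$/ || o[k] > 255) next
        if (!(src in seen)) { seen[src] = 1; print src }
    }' | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# Read addresses on stdin; print iptables-restore input for one dedicated chain.
# Intended use (as root): ... | iptables-restore --noflush
# plus a single jump added once:  iptables -I INPUT -j SSH_BLOCK
build_restore_rules() {
    chain=${1:-SSH_BLOCK}
    printf '*filter\n:%s - [0:0]\n' "$chain"
    while IFS= read -r ip; do
        if [ -n "$ip" ]; then
            printf -- '-A %s -s %s/32 -j DROP\n' "$chain" "$ip"
        fi
    done
    printf 'COMMIT\n'
}

# Demo on the constructed sample: prints the batch, changes nothing on the host.
sample_log | extract_ssh_sources | build_restore_rules
```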



