[BlueOnyx:12314] Re: Server hacked?

Dr. Blunt cleardata at earthlink.net
Wed Feb 27 11:30:39 -05 2013


Sometime back Gerald sent me this setup for my iptables -- It has helped 
block plenty of junk at the BO.



# Per service: record every NEW connection from a source in a named "recent"
# list, then log and drop that source once it reaches 8 new connections
# within 60 seconds (--rttl also requires the same TTL as the first hit).

# SSH on the alternate port 20200
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW \
  -m recent --set --name SSH2
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH2 -j LOG \
  --log-level 4 --log-prefix 'Block SSH 20200 Attack'
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 20200 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH2 -j DROP

# SSH on port 22
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW \
  -m recent --set --name SSH
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j LOG \
  --log-level 4 --log-prefix 'Block SSH 22 Attack'
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

# POP3 (Dovecot) on port 110
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW \
  -m recent --set --name Dovecot
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 8 --rttl --name Dovecot -j LOG \
  --log-level 4 --log-prefix 'Block Dovecot Attack'
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 8 --rttl --name Dovecot -j DROP

# SMTP on port 25
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW \
  -m recent --set --name SMTP
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j LOG \
  --log-level 4 --log-prefix 'Block SMTP Attack'
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP -j DROP


At 08:13 AM 2/27/2013, you wrote:
> > and added them to deny.hosts.rules in apf but when I restart sendmail, 
> > there they are.
>------- End of Original Message -------
>
>Will,
>
>Using the -A switch probably won't work.  That appends the rule to the end 
>of the chain, and the typical BX chain is already full of "ALLOWS" - 
>making your deny useless.
>
>Plus, you're using the wrong chain name.  In BlueOnyx - use the chain 
>"acctin", not "INPUT".
>
>Try this syntax to block them out.  I use this all the time.
>
>iptables -I acctin 1 -s 201.238.254.143 -j DROP
>
>That will insert the rule as number one in the incoming traffic chain - so 
>it will be acted on before any allows let the traffic in.  And if you want 
>to see if it's working, use
>
>iptables -L -n -v
>
>Which will display the IPTables rules along with how many packets and 
>bytes each rule has acted on.  The first column is packets.  It should 
>increment for each sendmail attempt that is blocked.  So you can watch it 
>for a while and if it's increasing - you've successfully blocked that IP 
>(which shouldn't be showing up in the processes any more).
>
>Chuck
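Added example, not part of the original thread and not BlueOnyx's own code: a POSIX shell script that generalises the per-port "recent" rate-limit rules pasted above to any port, hit count, window, interface and chain, and implements Chuck's verification step by comparing the packet counter of a DROP rule between two snapshots of `iptables -L -n -v -x` output. Nothing in it calls iptables; the generator only prints the commands, and the two snapshots are constructed text in the layout iptables prints, so it can be dry-run on any machine. The `acctin` chain name, the `eth1` interface in the usage, and the counter values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Nothing here runs iptables;
# the rule generator only prints the commands, and the counter check reads
# saved `iptables -L -n -v -x` output, so the script can be dry-run anywhere.

# Print the three-rule "recent" pattern from the post for one service:
#   1. --set records every NEW connection to the port under a named list;
#   2. --update ... --hitcount matches once a source reaches HITS new
#      connections inside WINDOW seconds (--rttl also requires the same TTL
#      as the first hit) and logs it;
#   3. the same match drops the packet.
# Usage: gen_ratelimit_rules PORT NAME [HITS] [WINDOW] [IFACE] [CHAIN]
# Defaults mirror the post: 8 hits / 60 s on eth0, appended to INPUT.
# Pass "acctin" as CHAIN to target the BlueOnyx chain instead (assumption:
# that is the chain name on the reader's host, as the reply above says).
gen_ratelimit_rules() {
    port=$1; name=$2; hits=${3:-8}; window=${4:-60}
    iface=${5:-eth0}; chain=${6:-INPUT}
    base="/sbin/iptables -A $chain -i $iface -p tcp --dport $port -m state --state NEW -m recent"
    match="--update --seconds $window --hitcount $hits --rttl --name $name"
    printf '%s --set --name %s\n' "$base" "$name"
    printf '%s %s -j LOG --log-level 4 --log-prefix "Block %s %s Attack"\n' \
        "$base" "$match" "$name" "$port"
    printf '%s %s -j DROP\n' "$base" "$match"
}

# Read `iptables -L -n -v -x` output on stdin and print the packet counter of
# the first DROP rule whose source column equals $1 (prints nothing if absent).
# Columns: pkts bytes target prot opt in out source destination.
# -x makes the counters exact integers instead of "12K"-style abbreviations.
drop_counter_for() {
    awk -v src="$1" '$3 == "DROP" && $8 == src { print $1; exit }'
}

# Succeed only when the DROP counter for source $1 is higher in snapshot $3
# than in snapshot $2, i.e. the rule is actually catching traffic.
counter_increased() {
    before=$(printf '%s\n' "$2" | drop_counter_for "$1")
    after=$(printf '%s\n' "$3" | drop_counter_for "$1")
    [ -n "$before" ] && [ -n "$after" ] && [ "$after" -gt "$before" ]
}

# Constructed snapshots (not real output from any host) taken "a while apart",
# in the layout iptables -L -n -v -x prints for the assumed acctin chain.
SNAP_BEFORE='Chain acctin (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      37       2220 DROP       all  --  *      *       201.238.254.143      0.0.0.0/0
    1024      98765 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'
SNAP_AFTER='Chain acctin (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      52       3120 DROP       all  --  *      *       201.238.254.143      0.0.0.0/0
    1310     120010 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Dry run: show the generated rules for port 22 and report on the counter.
gen_ratelimit_rules 22 SSH
if counter_increased 201.238.254.143 "$SNAP_BEFORE" "$SNAP_AFTER"; then
    echo "DROP rule for 201.238.254.143 is catching packets"
else
    echo "DROP rule for 201.238.254.143 shows no new packets"
fi
```

On a live host the two snapshots would come from running `iptables -L -n -v -x` twice a few minutes apart; the `-x` flag matters because without it iptables abbreviates large counters (for example `12K`), which the integer comparison cannot parse.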
