[lug] host.allow host.deny help

D. Stimits stimits at idcomm.com
Tue Oct 9 17:29:55 MDT 2001


Greg Horne wrote:
> 
> Thanks for the very informative reply!  That answers all of my questions up
> to this point.  IPChains was mentioned, where is a good site that you have
> used with information on setting up a machine to use ipchains to block IP
> addresses?

ipchains is something I've just played with and learned over the years,
I don't really use outside references much on it. But I can give you a
few tips.

First is that if you use a 2.4.x kernel, you can *ONLY* use ipchains or
iptables, not both. Loading one forces the other to fail if loaded.
Normally the best place to deal with refreshing ipchains rules is
"/etc/rc.d/init.d/ipchains restart". However, this script will only give
you correct status about whether ipchains is running if the proper
kernel module is loaded...if the wrong one is loaded, or the right one
is not loaded, it will lie to you about whether ipchains is active (I
added a Bugzilla report long ago, someone only started working on it a
few days ago...this is at Redhat). Run lsmod and check if ipchains is
loaded (this assumes it is done as a module, not compiled directly into
the kernel). To stop or start ipchains, I suggest using
"/etc/rc.d/init.d/ipchains stop", or change the "stop" argument to
"start" or "restart". Then manually use the real ipchains command (do
not prefix it with absolute path /etc/rc.d/init.d/) "ipchains -L -n". If
no error, and if rules show up, it is running.

Mostly you'll want to start with accept rules for some basic/known
required ip's. Then deny all. But, for the individual ban of a /24 range
of ip's, here is a template for /etc/sysconfig/ipchains (this is a
script file used by /etc/rc.d/init.d/ipchains):
#-A input   -p all -s /16    -d 0/0                -i ppp0 -l      -j DENY
#-A output  -p all -s 0/0                  -d /16  -i ppp0 -l      -j DENY
(remove the "#" comment at the beginning when using this...copy the
commented version into /etc/sysconfig/ipchains for convenience, and copy
it then paste it somewhere to actually use it...uncomment the template
when ready to use, and fill in ip address; this also is for a modem
only, via ppp0, adjust for your Internet interface)

A sample of a filled in version, with comments I save about my most
recent attacker (this one tried to get in a few minutes ago, I
investigate who is knocking):

# kernel: Packet log: input DENY ppp0 PROTO=6 209.5.105.102:4509 209.60.72.65:111 L=60 S=0x00 I=63893 F=0x4000 T=41 SYN (#329)
# name = s105-102.pixelweb.net.
# Red Hat Linux release 6.0 (Hedwig)
# Kernel 2.2.5-15 on an i686
# 220 s1.nancy.com ESMTP Sendmail 8.9.3/8.9.3; Tue, 9 Oct 2001 18:38:50 -0400
-A input  -p all -s 209.5.105.102/24 -d 0/0              -i ppp0 -l -j DENY
-A output -p all -s 0/0              -d 209.5.105.102/24 -i ppp0 -l -j DENY
(NOTE: probably the email line wrap will cut this up)

About this particular deny: I choose to block both input and output. If
something managed to get past the input chain, the output would still
block return path, the attacker might not know of success. Plus I like
to log this so I can see if I tried to reach a banned site. Although
this shows logging of the input chain, it isn't mandatory. Here is
something useful: If your general deny rules log, and you then place
specific deny above the general deny, you can turn off logging of that
*input* chain, and avoid the spam of one particular domain in your logs.
Only new domains will show up when hitting your machine. But logging
output chain will still be good so you can know when you've placed too
restrictive of a requirement. What I often do these days is to ban a /16
(due to the number of korean hits from a wide range of sites); then if I
try to personally reach something that was overly eager, I cut it back
to a /24. Look closely at the template lines I gave, you'll find it
reads "/16", but my particular sample is "/24". It is a case of the /16
having been too restrictive; yet most of my blacklist lines are still
/16.

As a general "geometry" of /etc/sysconfig/ipchains, something like this:
# general policy
:input ACCEPT
:forward DENY
:output ACCEPT

# specific allow of anything local on loopback.
-A input          -s 0/0                  -d 0/0                -i lo           -j ACCEPT
-A output         -s 0/0                  -d 0/0                -i lo           -j ACCEPT

# I trust my eth0, with non-routable IP's. Even so, all machines on eth0 happen to have
# ipchains and I on occasion copy my blacklist to them...getting to it requires breaking
# the first firewall and its own firewall rules.
-A input          -s 10.0.0.0/24          -d 10.0.0.0/24        -i eth0         -j ACCEPT
-A output         -s 10.0.0.0/24          -d 10.0.0.0/24        -i eth0         -j ACCEPT

# I allow the other internal net items to masquerade.
-A forward -p all -s 10.0.0.0/24          -d 0/0                                -j MASQ

# Now I deny even an output to ports that are used to attack other
# machines, I know for a fact I will not use these outside of my
# local net, or else that they should never be coming to my machines:
-A output  -p tcp -s 0/0                  -d 0/0 98             -i ppp0 -l      -j DENY
-A output  -p tcp -s 0/0                  -d 0/0 109            -i ppp0 -l      -j DENY
-A output  -p udp -s 0/0                  -d 0/0 109            -i ppp0 -l      -j DENY
-A output  -p tcp -s 0/0                  -d 0/0 111            -i ppp0 -l      -j DENY
-A output  -p udp -s 0/0                  -d 0/0 111            -i ppp0 -l      -j DENY
-A output  -p tcp -s 0/0                  -d 0/0 137:139        -i ppp0 -l      -j DENY
-A output  -p udp -s 0/0                  -d 0/0 137:139        -i ppp0 -l      -j DENY
-A output  -p tcp -s 0/0                  -d 0/0 143            -i ppp0 -l      -j DENY
-A output  -p udp -s 0/0                  -d 0/0 143            -i ppp0 -l      -j DENY
-A output  -p tcp -s 0/0                  -d 0/0 220            -i ppp0 -l      -j DENY
-A output  -p udp -s 0/0                  -d 0/0 220            -i ppp0 -l      -j DENY
-A output  -p tcp -s 0/0                  -d 0/0 369            -i ppp0 -l      -j DENY
-A output  -p udp -s 0/0                  -d 0/0 369            -i ppp0 -l      -j DENY
-A output  -p udp -s 0/0                  -d 0/0 514            -i ppp0 -l      -j DENY
-A output  -p tcp -s 0/0                  -d 0/0 515            -i ppp0 -l      -j DENY
-A output  -p udp -s 0/0                  -d 0/0 515            -i ppp0 -l      -j DENY
-A output  -p tcp -s 0/0                  -d 0/0 530            -i ppp0 -l      -j DENY
-A output  -p tcp -s 0/0                  -d 0/0 993            -i ppp0 -l      -j DENY
-A output  -p udp -s 0/0                  -d 0/0 993            -i ppp0 -l      -j DENY
-A output  -p tcp -s 0/0                  -d 0/0 2049           -i ppp0 -l      -j DENY
-A output  -p udp -s 0/0                  -d 0/0 2049           -i ppp0 -l      -j DENY

-A input   -p tcp -s 0/0                  -d 0/0 6667           -i ppp0 -l      -j DENY
-A input   -p udp -s 0/0                  -d 0/0 6667           -i ppp0 -l      -j DENY

# gnutella port 6346 is a pain, not a threat.
-A input   -p tcp -s 0/0                  -d 0/0 6346           -i ppp0         -j DENY
-A input   -p udp -s 0/0                  -d 0/0 6346           -i ppp0 -l      -j DENY
-A output  -p tcp -s 0/0                  -d 0/0 6346           -i ppp0 -l      -j DENY
-A output  -p udp -s 0/0                  -d 0/0 6346           -i ppp0 -l      -j DENY

# Just to be sure, web incoming. Due to IIS worms, I can't afford to log input
# chain to the web server.
-A input   -p tcp -s 0/0                  -d 0/0 80             -i ppp0         -j DENY
-A input   -p udp -s 0/0                  -d 0/0 80             -i ppp0 -l      -j DENY
-A input   -p tcp -s 0/0                  -d 0/0 98             -i ppp0 -l      -j DENY
-A input   -p tcp -s 0/0                  -d 0/0 369            -i ppp0 -l      -j DENY
-A input   -p udp -s 0/0                  -d 0/0 369            -i ppp0 -l      -j DENY
-A input   -p tcp -s 0/0                  -d 0/0 443            -i ppp0 -l      -j DENY
-A input   -p udp -s 0/0                  -d 0/0 443            -i ppp0 -l      -j DENY

# NOW PLACE BLACKLISTED SITES HERE...IT'S A GOOD PLACE TO ADD THE TEMPLATE LINES
....
....
....

# You MUST place some specific allowed ISP ports and IP's here, left out
# because these are customized for me and my ISP. Sample is your ISP
# nameserver should be allowed UDP/TCP access to port 53 and email stuff.
# I simply am not listing it here.
....
....
....

# Now if a site is not denied, I allow auth:
-A output  -p tcp -s 0/0                  -d 0/0 113            -i ppp0         -j ACCEPT
-A output  -p udp -s 0/0                  -d 0/0 113            -i ppp0         -j ACCEPT

# Now if specific allows have not occurred, and general or specific denies have not
# occurred, I still consider the following ports off limits:
-A input   -p tcp -s 0/0                  -d 0/0 0:1023         -i ppp0 -l      -j DENY
-A input   -p tcp -s 0/0                  -d 0/0 2049           -i ppp0 -l      -j DENY

-A input   -p udp -s 0/0                  -d 0/0 0:1023         -i ppp0 -l      -j DENY
-A input   -p udp -s 0/0                  -d 0/0 2049           -i ppp0 -l      -j DENY

-A input   -p udp -s 0/0                  -d 0/0 2401           -i ppp0 -l      -j DENY
-A input   -p tcp -s 0/0                  -d 0/0 2401           -i ppp0 -l      -j DENY

-A input   -p udp -s 0/0                  -d 0/0 3306           -i ppp0 -l      -j DENY
-A input   -p tcp -s 0/0                  -d 0/0 3306           -i ppp0 -l      -j DENY

-A input   -p udp -s 0/0                  -d 0/0 5355           -i ppp0 -l      -j DENY
-A input   -p tcp -s 0/0                  -d 0/0 5355           -i ppp0 -l      -j DENY

-A input   -p udp -s 0/0                  -d 0/0 5432           -i ppp0 -l      -j DENY
-A input   -p tcp -s 0/0                  -d 0/0 5432           -i ppp0 -l      -j DENY

-A input   -p tcp -s 0/0                  -d 0/0 6000:6009      -i ppp0 -l      -j DENY
-A input   -p udp -s 0/0                  -d 0/0 6000:6009      -i ppp0 -l      -j DENY

-A input   -p tcp -s 0/0                  -d 0/0 7100           -i ppp0 -l      -j DENY

-A input   -p tcp -s 0/0                  -d 0/0 10080:10083    -i ppp0 -l      -j DENY
-A input   -p udp -s 0/0                  -d 0/0 10080          -i ppp0 -l      -j DENY

# see http://www.f-secure.com/v-descs/adore.shtml for "Adore" worm description.
-A input   -p tcp -s 0/0                  -d 0/0 65535          -i ppp0 -l      -j DENY
-A input   -p udp -s 0/0                  -d 0/0 65535          -i ppp0 -l      -j DENY




Probably your biggest problem in using this is that email will be line
wrapping it. Likely you should copy and paste this followed by edit of
line wrap, or set your email program to not wrap before copy and paste.
Add your tested rules in only a few lines at a time, do
"/etc/rc.d/init.d/ipchains restart", verify success with "ipchains -L
-n", and go on to the next set of rules. Else you might have an error
and it'll be a pain to track.

It is often a good idea to keep a copy of data from logs of any attacker
along with the specific deny rules for later reference, in case you have
to use less restrictive masks later (the "/16" or "/24" are the masks,
where "/24" is less restrictive on deny rules, and "/32" requires an
exact IP match).

D. Stimits, stimits at idcomm.com


> 
> Thanks again,
> Greg Horne
> 
> >From: "D. Stimits" <stimits at idcomm.com>
> >Reply-To: lug at lug.boulder.co.us
> >To: lug at lug.boulder.co.us
> >Subject: Re: [lug] host.allow host.deny help
> >Date: Tue, 09 Oct 2001 14:14:05 -0600
> >
> >Greg Horne wrote:
> > >
> > > So my host.allow would look like this?
> > > ALL: ALL
> >
> >You could actually leave this blank. Don't add a hosts.allow entry
> >unless it is a known need. After all, you don't need to force it to
> >allow unless something is causing a deny. E.G., you have a good user at
> >10.1.2.3, and someone from the dark side of the force at 10.1.2.4, and a
> >deny of ALL:10.1.2.4/255.255.255.0. In this case (a /24 deny), the
> >10.1.2.3 would fall into that address range and get blacklisted...so
> >you'd want an allow rule specifically for 10.1.2.4/255.255.255.255 (a
> >/32 allow).
> >
> > >
> > > and my host.deny like this?
> > > ALL: IP, IP, IP, IP
> >
> >More like multiple lines, I don't know if single line format would work.
> >Note that I am using a /24 mask in my sample, but if you know an exact
> >address, you could use a /32, which translates to 255.255.255.255. I
> >deny /24's or more because many of the attackers have dynamic ip within
> >that range, or else their automated attack software will be hitting more
> >of their local domain and others will be joining from the same /24. So
> >more like:
> >ALL: a.b.c.d/255.255.255.0
> >ALL: b.c.d.e/255.255.255.0
> >
> >I know, it is a sucky description. Think of adding an allow entry only
> >for specific people that are blocked out and shouldn't be. In the deny
> >rules, think of blocking a /24 range because of dynamic ip from
> >attackers, and the general ranks of fallen machines on that same
> >network. In the case that you know an attacker is static, just use a
> >/32, or mask of 255.255.255.255. With dynamic ip's you can't just block
> >one address.
> >
> >It was also mentioned that you should use ipchains and not just this. I
> >have a huge list of blacklisted ip ranges in both my hosts.deny and
> >ipchains files, and nothing in the hosts.allow. Several of the korean
> >and other asian troublemaker sites have made me resort to /16's (mask
> >255.255.0.0) for blocking...in a few cases, even /11's.
> >
> >D. Stimits, stimits at idcomm.com
> >
> > >
> > > Thanks for your help,
> > > Greg
> > >
> > > >From: "D. Stimits" <stimits at idcomm.com>
> > > >Reply-To: lug at lug.boulder.co.us
> > > >To: lug at lug.boulder.co.us
> > > >Subject: Re: [lug] host.allow host.deny help
> > > >Date: Mon, 08 Oct 2001 19:00:54 -0600
> > > >
> > > >Greg Horne wrote:
> > > > >
> > > > > Maybe I have not explained what I am trying to do well enough.  Let me
> > > > > try again.  I want to allow everybody in the world to access my server.
> > > > > The only people that should be blocked are those people that I specify.
> > > > >
> > > > > Like:
> > > > > host.allow
> > > > > ALL: ALL
> > > > >
> > > > > host.deny
> > > > > evil person #1
> > > > > evil person #2
> > > >
> > > >ALL: evil.person.com
> > > >ALL: microsoft.com
> > > >(yeah, just having fun there, but you did mention "evil")
> > > >
> > > >"ALL" means all xinetd (or inetd) run daemons, like ftp and telnet.
> > > >
> > > >D. Stimits, stimits at idcomm.com
> > > >
> > > > >
> > > > > How do I accomplish that?
> > > > >
> > > > > Greg
> > > > >
> > > > > >From: dan radom <dradom at redback.com>
> > > > > >Reply-To: lug at lug.boulder.co.us
> > > > > >To: lug at lug.boulder.co.us
> > > > > >Subject: Re: [lug] host.allow host.deny help
> > > > > >Date: Mon, 8 Oct 2001 17:26:59 -0600
> > > > > >
> > > > > >ALL : xxx.xxx.xxx.xxx (single host)
> > > > > >ALL : xxx.xxx.xxx.xxx/255.255.255.0 (entire class c)
> > > > > >in.ftpd : xxx.xxx.xxx.xxx ftp only
> > > > > >
> > > > > >what i do is ALL : ALL in hosts.deny and allow specific access from the
> > > > > >allow file.
> > > > > >
> > > > > >* Greg Horne (jeerygh at hotmail.com) wrote:
> > > > > > > Well in addition to those IP's are people that try to gain ftp and
> > > > > > > telnet access, so how would I go about blacklisting them?
> > > > > > >
> > > > > > > Greg
> > > > > >_______________________________________________
> > > > > >Web Page:  http://lug.boulder.co.us
> > > > > >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > > > >
> > > > > _________________________________________________________________
> > > > > Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
> > > > >
> 


