[lug] host.allow host.deny help

Greg Horne jeerygh at hotmail.com
Tue Oct 9 18:38:03 MDT 2001


Give me a couple of days to absorb all of that information and I'll send a
better thank you.  For now...

Thanks!

Greg Horne

>From: "D. Stimits" <stimits at idcomm.com>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] host.allow host.deny help
>Date: Tue, 09 Oct 2001 17:29:55 -0600
>
>Greg Horne wrote:
> >
> > Thanks for the very informative reply!  That answers all of my questions
> > up to this point.  IPChains was mentioned, where is a good site that you
> > have used with information on setting up a machine to use ipchains to
> > block IP addresses?
>
>ipchains is something I've just played with and learned over the years,
>I don't really use outside references much on it. But I can give you a
>few tips.
>
>First is that if you use a 2.4.x kernel, you can *ONLY* use ipchains or
>iptables, not both. Loading one forces the other to fail if loaded.
>Normally the best place to deal with refreshing ipchains rules is
>"/etc/rc.d/init.d/ipchains restart". However, this script will only give
>you correct status about whether ipchains is running if the proper
>kernel module is loaded...if the wrong one is loaded, or the right one
>is not loaded, it will lie to you about whether ipchains is active (I
>added a Bugzilla report long ago, someone only started working on it a
>few days ago...this is at Redhat). Run lsmod and check if ipchains is
>loaded (this assumes it is done as a module, not compiled directly into
>the kernel). To stop or start ipchains, I suggest using
>"/etc/rc.d/init.d/ipchains stop", or change the "stop" argument to
>"start" or "restart". Then manually use the real ipchains command (do
>not prefix it with absolute path /etc/rc.d/init.d/) "ipchains -L -n". If
>no error, and if rules show up, it is running.
>
>Mostly you'll want to start with accept rules for some basic/known
>required ip's. Then deny all. But, for the individual ban of a /24 range
>of ip's, here is a template for /etc/sysconfig/ipchains (this is a
>script file used by /etc/rc.d/init.d/ipchains):
>#-A input   -p all -s /16    -d 0/0                -i ppp0 -l      -j DENY
>#-A output  -p all -s 0/0                  -d /16  -i ppp0 -l      -j DENY
>(remove the "#" comment at the beginning when using this...copy the
>commented version into /etc/sysconfig/ipchains for convenience, and copy
>it then paste it somewhere to actually use it...uncomment the template
>when ready to use, and fill in ip address; this also is for a modem
>only, via ppp0, adjust for your Internet interface)
>
>A sample of a filled in version, with comments I save about my most
>recent attacker (this one tried to get in a few minutes ago, I
>investigate who is knocking):
>
># kernel: Packet log: input DENY ppp0 PROTO=6 209.5.105.102:4509 209.60.72.65:111 L=60 S=0x00 I=63893 F=0x4000 T=41 SYN (#329)
># name = s105-102.pixelweb.net.
># Red Hat Linux release 6.0 (Hedwig)
># Kernel 2.2.5-15 on an i686
># 220 s1.nancy.com ESMTP Sendmail 8.9.3/8.9.3; Tue, 9 Oct 2001 18:38:50 -0400
>-A input  -p all -s 209.5.105.102/24 -d 0/0              -i ppp0 -l -j DENY
>-A output -p all -s 0/0              -d 209.5.105.102/24 -i ppp0 -l -j DENY
>(NOTE: probably the email line wrap will cut this up)
>
>About this particular deny: I choose to block both input and output. If
>something managed to get past the input chain, the output would still
>block return path, the attacker might not know of success. Plus I like
>to log this so I can see if I tried to reach a banned site. Although
>this shows logging of the input chain, it isn't mandatory. Here is
>something useful: If your general deny rules log, and you then place
>specific deny above the general deny, you can turn off logging of that
>*input* chain, and avoid the spam of one particular domain in your logs.
>Only new domains will show up when hitting your machine. But logging
>output chain will still be good so you can know when you've placed too
>restrictive of a requirement. What I often do these days is to ban a /16
>(due to the number of korean hits from a wide range of sites); then if I
>try to personally reach something that was overly eager, I cut it back
>to a /24. Look closely at the template lines I gave, you'll find it
>reads "/16", but my particular sample is "/24". It is a case of the /16
>having been too restrictive; yet most of my blacklist lines are still
>/16.
>
>As a general "geometry" of /etc/sysconfig/ipchains, something like this:
># general policy
>:input ACCEPT
>:forward DENY
>:output ACCEPT
>
># specific allow of anything local on loopback.
>-A input          -s 0/0                  -d 0/0                -i lo           -j ACCEPT
>-A output         -s 0/0                  -d 0/0                -i lo           -j ACCEPT
>
># I trust my eth0, with non-routable IP's. Even so, all machines on eth0
># happen to have ipchains and I on occasion copy my blacklist to them...
># getting to it requires breaking the first firewall and its own firewall rules.
>-A input          -s 10.0.0.0/24          -d 10.0.0.0/24        -i eth0         -j ACCEPT
>-A output         -s 10.0.0.0/24          -d 10.0.0.0/24        -i eth0         -j ACCEPT
>
># I allow the other internal net items to masquerade.
>-A forward -p all -s 10.0.0.0/24          -d 0/0                                -j MASQ
>
># Now I deny even an output to ports that are used to attack other
># machines, I know for a fact I will not use these outside of my
># local net, or else that they should never be coming to my machines:
>-A output  -p tcp -s 0/0                  -d 0/0 98             -i ppp0 -l      -j DENY
>-A output  -p tcp -s 0/0                  -d 0/0 109            -i ppp0 -l      -j DENY
>-A output  -p udp -s 0/0                  -d 0/0 109            -i ppp0 -l      -j DENY
>-A output  -p tcp -s 0/0                  -d 0/0 111            -i ppp0 -l      -j DENY
>-A output  -p udp -s 0/0                  -d 0/0 111            -i ppp0 -l      -j DENY
>-A output  -p tcp -s 0/0                  -d 0/0 137:139        -i ppp0 -l      -j DENY
>-A output  -p udp -s 0/0                  -d 0/0 137:139        -i ppp0 -l      -j DENY
>-A output  -p tcp -s 0/0                  -d 0/0 143            -i ppp0 -l      -j DENY
>-A output  -p udp -s 0/0                  -d 0/0 143            -i ppp0 -l      -j DENY
>-A output  -p tcp -s 0/0                  -d 0/0 220            -i ppp0 -l      -j DENY
>-A output  -p udp -s 0/0                  -d 0/0 220            -i ppp0 -l      -j DENY
>-A output  -p tcp -s 0/0                  -d 0/0 369            -i ppp0 -l      -j DENY
>-A output  -p udp -s 0/0                  -d 0/0 369            -i ppp0 -l      -j DENY
>-A output  -p udp -s 0/0                  -d 0/0 514            -i ppp0 -l      -j DENY
>-A output  -p tcp -s 0/0                  -d 0/0 515            -i ppp0 -l      -j DENY
>-A output  -p udp -s 0/0                  -d 0/0 515            -i ppp0 -l      -j DENY
>-A output  -p tcp -s 0/0                  -d 0/0 530            -i ppp0 -l      -j DENY
>-A output  -p tcp -s 0/0                  -d 0/0 993            -i ppp0 -l      -j DENY
>-A output  -p udp -s 0/0                  -d 0/0 993            -i ppp0 -l      -j DENY
>-A output  -p tcp -s 0/0                  -d 0/0 2049           -i ppp0 -l      -j DENY
>-A output  -p udp -s 0/0                  -d 0/0 2049           -i ppp0 -l      -j DENY
>
>-A input   -p tcp -s 0/0                  -d 0/0 6667           -i ppp0 -l      -j DENY
>-A input   -p udp -s 0/0                  -d 0/0 6667           -i ppp0 -l      -j DENY
>
># gnutella port 6346 is a pain, not a threat.
>-A input   -p tcp -s 0/0                  -d 0/0 6346           -i ppp0         -j DENY
>-A input   -p udp -s 0/0                  -d 0/0 6346           -i ppp0 -l      -j DENY
>-A output  -p tcp -s 0/0                  -d 0/0 6346           -i ppp0 -l      -j DENY
>-A output  -p udp -s 0/0                  -d 0/0 6346           -i ppp0 -l      -j DENY
>
># Just to be sure, web incoming. Due to IIS worms, I can't afford to log
># input chain to the web server.
>-A input   -p tcp -s 0/0                  -d 0/0 80             -i ppp0         -j DENY
>-A input   -p udp -s 0/0                  -d 0/0 80             -i ppp0 -l      -j DENY
>-A input   -p tcp -s 0/0                  -d 0/0 98             -i ppp0 -l      -j DENY
>-A input   -p tcp -s 0/0                  -d 0/0 369            -i ppp0 -l      -j DENY
>-A input   -p udp -s 0/0                  -d 0/0 369            -i ppp0 -l      -j DENY
>-A input   -p tcp -s 0/0                  -d 0/0 443            -i ppp0 -l      -j DENY
>-A input   -p udp -s 0/0                  -d 0/0 443            -i ppp0 -l      -j DENY
>
># NOW PLACE BLACKLISTED SITES HERE...IT'S A GOOD PLACE TO ADD THE TEMPLATE LINES
>....
>....
>....
>
># You MUST place some specific allowed ISP ports and IP's here, left out
># because these are customized for me and my ISP. Sample is your ISP
># nameserver should be allowed UDP/TCP access to port 53 and email stuff.
># I simply am not listing it here.
>....
>....
>....
>
># Now if a site is not denied, I allow auth:
>-A output  -p tcp -s 0/0                  -d 0/0 113            -i ppp0         -j ACCEPT
>-A output  -p udp -s 0/0                  -d 0/0 113            -i ppp0         -j ACCEPT
>
># Now if specific allows have not occurred, and general or specific
># denies have not occurred, I still consider the following ports off limits:
>-A input   -p tcp -s 0/0                  -d 0/0 0:1023         -i ppp0 -l      -j DENY
>-A input   -p tcp -s 0/0                  -d 0/0 2049           -i ppp0 -l      -j DENY
>
>-A input   -p udp -s 0/0                  -d 0/0 0:1023         -i ppp0 -l      -j DENY
>-A input   -p udp -s 0/0                  -d 0/0 2049           -i ppp0 -l      -j DENY
>
>-A input   -p udp -s 0/0                  -d 0/0 2401           -i ppp0 -l      -j DENY
>-A input   -p tcp -s 0/0                  -d 0/0 2401           -i ppp0 -l      -j DENY
>
>-A input   -p udp -s 0/0                  -d 0/0 3306           -i ppp0 -l      -j DENY
>-A input   -p tcp -s 0/0                  -d 0/0 3306           -i ppp0 -l      -j DENY
>
>-A input   -p udp -s 0/0                  -d 0/0 5355           -i ppp0 -l      -j DENY
>-A input   -p tcp -s 0/0                  -d 0/0 5355           -i ppp0 -l      -j DENY
>
>-A input   -p udp -s 0/0                  -d 0/0 5432           -i ppp0 -l      -j DENY
>-A input   -p tcp -s 0/0                  -d 0/0 5432           -i ppp0 -l      -j DENY
>
>-A input   -p tcp -s 0/0                  -d 0/0 6000:6009      -i ppp0 -l      -j DENY
>-A input   -p udp -s 0/0                  -d 0/0 6000:6009      -i ppp0 -l      -j DENY
>
>-A input   -p tcp -s 0/0                  -d 0/0 7100           -i ppp0 -l      -j DENY
>
>-A input   -p tcp -s 0/0                  -d 0/0 10080:10083    -i ppp0 -l      -j DENY
>-A input   -p udp -s 0/0                  -d 0/0 10080          -i ppp0 -l      -j DENY
>
># see http://www.f-secure.com/v-descs/adore.shtml for "Adore" worm description.
>-A input   -p tcp -s 0/0                  -d 0/0 65535          -i ppp0 -l      -j DENY
>-A input   -p udp -s 0/0                  -d 0/0 65535          -i ppp0 -l      -j DENY
>
>Probably your biggest problem in using this is that email will be line
>wrapping it. Likely you should copy and paste this followed by edit of
>line wrap, or set your email program to not wrap before copy and paste.
>Add your tested rules in only a few lines at a time, do
>"/etc/rc.d/init.d/ipchains restart", verify success with "ipchains -L
>-n", and go on to the next set of rules. Else you might have an error
>and it'll be a pain to track.
>
>It is often a good idea to keep a copy of data from logs of any attacker
>along with the specific deny rules for later reference, in case you have
>to use less restrictive masks later (the "/16" or "/24" are the masks,
>where "/24" is less restrictive on deny rules, and "/32" requires an
>exact IP match).
>
>D. Stimits, stimits at idcomm.com
>
>
> >
> > Thanks again,
> > Greg Horne
> >
> > >From: "D. Stimits" <stimits at idcomm.com>
> > >Reply-To: lug at lug.boulder.co.us
> > >To: lug at lug.boulder.co.us
> > >Subject: Re: [lug] host.allow host.deny help
> > >Date: Tue, 09 Oct 2001 14:14:05 -0600
> > >
> > >Greg Horne wrote:
> > > >
> > > > So my host.allow would look like this?
> > > > ALL: ALL
> > >
> > >You could actually leave this blank. Don't add a hosts.allow entry
> > >unless it is a known need. After all, you don't need to force it to
> > >allow unless something is causing a deny. E.G., you have a good user at
> > >10.1.2.3, and someone from the dark side of the force at 10.1.2.4, and a
> > >deny of ALL:10.1.2.4/255.255.255.0. In this case (a /24 deny), the
> > >10.1.2.3 would fall into that address range and get blacklisted...so
> > >you'd want an allow rule specifically for 10.1.2.4/255.255.255.255 (a
> > >/32 allow).
> > >
> > > >
> > > > and my host.deny like this?
> > > > ALL: IP, IP, IP, IP
> > >
> > >More like multiple lines, I don't know if single line format would work.
> > >Note that I am using a /24 mask in my sample, but if you know an exact
> > >address, you could use a /32, which translates to 255.255.255.255. I
> > >deny /24's or more because many of the attackers have dynamic ip within
> > >that range, or else their automated attack software will be hitting more
> > >of their local domain and others will be joining from the same /24. So
> > >more like:
> > >ALL: a.b.c.d/255.255.255.0
> > >ALL: b.c.d.e/255.255.255.0
> > >
> > >I know, it is a sucky description. Think of adding an allow entry only
> > >for specific people that are blocked out and shouldn't be. In the deny
> > >rules, think of blocking a /24 range because of dynamic ip from
> > >attackers, and the general ranks of fallen machines on that same
> > >network. In the case that you know an attacker is static, just use a
> > >/32, or mask of 255.255.255.255. With dynamic ip's you can't just block
> > >one address.
> > >
> > >It was also mentioned that you should use ipchains and not just this. I
> > >have a huge list of blacklisted ip ranges in both my hosts.deny and
> > >ipchains files, and nothing in the hosts.allow. Several of the Korean
> > >and other Asian troublemaker sites have made me resort to /16's (mask
> > >255.255.0.0) for blocking...in a few cases, even /11's.
> > >
> > >D. Stimits, stimits at idcomm.com
> > >
> > > >
> > > > Thanks for your help,
> > > > Greg
> > > >
> > > > >From: "D. Stimits" <stimits at idcomm.com>
> > > > >Reply-To: lug at lug.boulder.co.us
> > > > >To: lug at lug.boulder.co.us
> > > > >Subject: Re: [lug] host.allow host.deny help
> > > > >Date: Mon, 08 Oct 2001 19:00:54 -0600
> > > > >
> > > > >Greg Horne wrote:
> > > > > >
> > > > > > Maybe I have not explained what I am trying to do well enough.  Let me
> > > > > > try again.  I want to allow everybody in the world to access my server.
> > > > > > The only people that should be blocked are those people that I specify.
> > > > > >
> > > > > > Like:
> > > > > > host.allow
> > > > > > ALL: ALL
> > > > > >
> > > > > > host.deny
> > > > > > evil person #1
> > > > > > evil person #2
> > > > >
> > > > >ALL: evil.person.com
> > > > >ALL: microsoft.com
> > > > >(yeah, just having fun there, but you did mention "evil")
> > > > >
> > > > >"ALL" means all xinetd (or inetd) run daemons, like ftp and telnet.
> > > > >
> > > > >D. Stimits, stimits at idcomm.com
> > > > >
> > > > > >
> > > > > > How do I accomplish that?
> > > > > >
> > > > > > Greg
> > > > > >
> > > > > > >From: dan radom <dradom at redback.com>
> > > > > > >Reply-To: lug at lug.boulder.co.us
> > > > > > >To: lug at lug.boulder.co.us
> > > > > > >Subject: Re: [lug] host.allow host.deny help
> > > > > > >Date: Mon, 8 Oct 2001 17:26:59 -0600
> > > > > > >
> > > > > > >ALL : xxx.xxx.xxx.xxx (single host)
> > > > > > >ALL : xxx.xxx.xxx.xxx/255.255.255.0 (entire class c)
> > > > > > >in.ftpd : xxx.xxx.xxx.xxx ftp only
> > > > > > >
> > > > > > >what i do is ALL : ALL in hosts.deny and allow specific access
> > > > > > >from the allow file.
> > > > > > >
> > > > > > >* Greg Horne (jeerygh at hotmail.com) wrote:
> > > > > > > > Well in addition to those IP's are people that try to gain ftp and
> > > > > > > > telnet access, so how would I go about blacklisting them?
> > > > > > > >
> > > > > > > > Greg
> > > > > > >_______________________________________________
> > > > > > >Web Page:  http://lug.boulder.co.us
> > > > > > >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > > > > >
> > > > > >
> > > >
> > > >
> >
> >
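The thread turns on the tcp_wrappers lookup order: hosts.allow is consulted first, then hosts.deny, and a client matching neither is let in. The following is an added example, not code from the thread or from tcp_wrappers itself; the file contents are constructed to mirror the cases discussed (a /24 deny with a /32 allow punched through it for one good user, and the alternative "ALL : ALL in hosts.deny, specific allows" policy). Only the pattern forms mentioned in the thread (ALL, an address, address/mask, a host name) are modelled; EXCEPT lists and the optional shell-command field are assumed absent.

```python
import ipaddress

# Constructed file contents (not from the thread). The /32 allow sits inside
# the /24 deny; because hosts.allow is checked first, that one host gets in.
HOSTS_ALLOW = """
in.ftpd: 10.1.2.3/255.255.255.255
"""
HOSTS_DENY = """
ALL: 10.1.2.0/255.255.255.0
ALL: 209.5.105.0/255.255.255.0
in.telnetd: evil.person.com
"""

def parse_file(text):
    """Parse 'daemon_list : client_list' lines; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, client_ip, client_name):
    """ALL, a.b.c.d, a.b.c.d/mask (dotted mask or prefix length), host name,
    or a leading-dot domain suffix. Host names starting with a digit are not handled."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)  # host bits tolerated
        return ipaddress.ip_address(client_ip) in net
    if pattern[0].isdigit():
        return client_ip == pattern
    if pattern.startswith("."):
        return client_name.endswith(pattern)
    return client_name == pattern

def file_permits(rules, daemon, client_ip, client_name):
    """True if some rule in the file names both this daemon and this client."""
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(c, client_ip, client_name) for c in clients):
                return True
    return False

def access_allowed(daemon, client_ip, client_name="",
                   allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """A hosts.allow match grants; otherwise a hosts.deny match refuses;
    otherwise access is granted (default allow, as in the thread)."""
    if file_permits(parse_file(allow), daemon, client_ip, client_name):
        return True
    if file_permits(parse_file(deny), daemon, client_ip, client_name):
        return False
    return True
```

Passing `allow="in.ftpd: 192.0.2.0/255.255.255.0"` and `deny="ALL: ALL"` reproduces the deny-by-default variant from the thread, where anything not explicitly allowed is refused.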

