[Server-devel] Question on number of iptables rules

Anna aschoolf at gmail.com
Wed Feb 2 01:49:14 EST 2011


On Tue, Feb 1, 2011 at 8:46 PM, Tom Mitchell <mitch at niftyegg.com> wrote:

> It can help to block China and Russia but the way spam and denial
> of service botnets work that is more limited than you might wish.
>

Well, I'm not currently running a mail server, so luckily I don't have to
worry about that right now.  The Chinese and Russian stuff was in my httpd
logs.  And quite a bit of it, which gave me concern enough to want to block
those two countries.  I read that a lot of other server admins take a
similar approach.


> Two tools "denyhosts" and "PortSentry" come to mind.  They
> will deal with many blunt script attacks that come from anyplace on the
> globe even Iceland ;-)
>

I'm running ssh on a non standard port, and have never seen any attacks in
/var/log/secure.  Not sure how denyhosts is supposed to help me there.  As
far as port scanning, I try to keep available ports to a bare minimum.  I
did look into Fail2ban, but since my issue seemed to be mostly Apache
related, and the individual IPs varied quite a bit among the Chinese and
Russian ranges, I can have tons of unwanted traffic before that kicks in.


> With a system live on the internet it is often valuable to block
> everything first and then open exactly what you need
> for exactly those that need it.
>

So when I get weird stuff on port 80, I'm supposed to block the entire
internet from my web server except my friends and my Mom?  If I ask my Mom
her IP address, she's likely to give me her phone number.  Or maybe run
Apache on a random port?  "Hey, y'all, when you try to go to my
schoolserver, just remember it's http://schoolserver.example.org:4329".  Not
likely.


> The number of rules by itself almost does not matter.
> Sometimes the order of rules matters more.
>

In iptables, I've got a few lines of "regular" stuff and then 894 drop
statements for the IP ranges that are likely going to be problematic.  Not
sure what kind of "order" almost 900 drop statements are supposed to be in.


> For example you can drop/block all connections to telnet
> and many other port services in a very early rule and never
> need to test your long list of IP address blocks.
>

The XS 0.6 doesn't ship with telnet and no one uses that any more anyway.
All I have open to the outside world are ports for Apache, Jabber, and ssh.
And my ssh port is non-standard and doesn't show up on a casual nmap -sS
anyway.  Again, never any issues logged as far as script kiddies poking
around at ssh.  And I do keep tabs on who's registered to the Jabber
server.  If I run ejabberdctl stats registeredusers and there's a
ridiculous number, I can take a look at the web admin interface to see
specifics.  And then there are folks on my Jabber server pretty much 24/7
and I have all the chat rooms logged.

I posted here because I wanted to know if 894 rules in iptables-xs was going
to be a problem on XS 0.6.  And if there was a better way to handle the
issue.


> Log files always need to be watched.
>

I do agree with you there.  I try to look in on my httpd logs every couple
of days.  And the XS 0.6 logwatch emails are quite informative.  I installed
alpine, so keeping up with them is fast and simple.

Anna Schoolfield
Birmingham
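Added example, not part of the original thread: one way to keep a long block list of address ranges from being walked for every packet is to accept ESTABLISHED,RELATED traffic first and send only NEW connections on the published ports through a dedicated chain. The chain name GEOBLOCK, the ports (80 for Apache, 5222 assumed for Jabber) and the TEST-NET ranges are constructed for illustration, not real country allocations.

```shell
#!/bin/sh
# Constructed sample ranges (RFC 5737 TEST-NET space), not real allocations.
BLOCK_RANGES="192.0.2.0/24
198.51.100.0/24
203.0.113.0/25"

# Assumed published services: Apache (80) and Jabber client port (5222).
SERVICE_PORTS="80,5222"

# Emit an iptables-restore fragment for the filter table.
# Rule order is the point: the early state rule means packets of an
# already-accepted connection never touch the long list, and the jump
# limits the list to NEW TCP connections on the published ports.
build_blocklist_rules() {
    ranges="$1"
    ports="$2"
    printf '*filter\n'
    printf ':GEOBLOCK - [0:0]\n'
    # Early rule: established flows skip everything below.
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    # Only new connections to the published ports visit the block chain.
    printf -- '-A INPUT -p tcp -m multiport --dports %s -m state --state NEW -j GEOBLOCK\n' "$ports"
    echo "$ranges" | while read -r cidr; do
        [ -n "$cidr" ] || continue
        printf -- '-A GEOBLOCK -s %s -j DROP\n' "$cidr"
    done
    # Unmatched sources fall back to the remaining INPUT rules.
    printf -- '-A GEOBLOCK -j RETURN\n'
    printf 'COMMIT\n'
}

# Number of DROP rules a new connection can be tested against at most once.
count_drop_rules() {
    build_blocklist_rules "$1" "$2" | grep -c -- '-j DROP'
}

# Usage (as root, after reviewing the output):
#   build_blocklist_rules "$BLOCK_RANGES" "$SERVICE_PORTS" > geoblock.rules
#   iptables-restore -n < geoblock.rules   # -n keeps existing rules
```

With iptables-restore, omit -n only if the fragment is meant to replace the whole filter table rather than be added to the existing iptables-xs rules.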