On Tue, Feb 1, 2011 at 8:46 PM, Tom Mitchell <span dir="ltr"><<a href="mailto:mitch@niftyegg.com" target="_blank">mitch@niftyegg.com</a>></span> wrote:<br><div class="gmail_quote"><div class="gmail_quote"><div class="im">
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
It can help to block China and Russia but the way spam and denial<br>
of service botnets work that is more limited than you might wish.<br></blockquote><div> </div></div><div>Well, I'm not currently running a mail server, so luckily I don't have to worry about that right now. The Chinese and Russian stuff was in my httpd logs. And quite a bit of it, which gave me concern enough to want to block those two countries. I read that a lot of other server admins take a similar approach.<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Two tools "denyhosts" and "PortSentry" come to mind. They<br>
will deal with many blunt script attacks that come from anyplace on the<br>
globe even Iceland ;-)<br></blockquote></div><div><br>I'm running ssh on a non-standard port, and have never seen any attacks in /var/log/secure. Not sure how denyhosts is supposed to help me there. As far as port scanning, I try to keep available ports to a bare minimum. I did look into Fail2ban, but since my issue seemed to be mostly Apache-related, and the individual IPs varied quite a bit among the Chinese and Russian ranges, I can have tons of unwanted traffic before that kicks in.<br>
</div><div class="im"><div> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
With a system live on the internet it is often valuable to block<br>
everything first and then open exactly what you need<br>
for exactly those that need it.<br></blockquote></div><div><br>So when I get weird stuff on port 80, I'm supposed to block the entire internet from my web server except my friends and my Mom? If I ask my Mom her IP address, she's likely to give me her phone number. Or maybe run Apache on a random port? "Hey, y'all, when you try to go to my schoolserver, just remember it's <a href="http://schoolserver.example.org:4329" target="_blank">http://schoolserver.example.org:4329</a>." Not likely.<br>
<br></div><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
The number of rules by itself almost does not matter.<br>
Sometimes the order of rules matters more.<br></blockquote></div><div><br>In iptables, I've got a few lines of "regular" stuff and then 894 drop statements for the IP ranges that are likely going to be problematic. Not sure what kind of "order" almost 900 drop statements are supposed to be in.<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
For example you can drop/block all connections to telnet<br>
and many other port services in a very early rule and never<br>
need to test your long list of IP address blocks.<br></blockquote></div><div><br>The XS 0.6 doesn't ship with telnet and no one uses that any more anyway. All I have open to the outside world are ports for Apache, Jabber, and ssh. And my ssh port is non-standard and doesn't show up on a casual nmap -sS anyway. Again, never any issues logged as far as script kiddies poking around at ssh. And I do keep tabs on who's registered to the Jabber server. If I run ejabberdctl stats registeredusers and there's a ridiculous number, I can take a look at the web admin interface to see specifics. And then there are folks on my Jabber server pretty much 24/7 and I have all the chat rooms logged.<br>
<br>I posted here because I wanted to know if 894 rules in iptables-xs was going to be a problem on XS 0.6. And if there was a better way to handle the issue.<br></div><div class="im"><div> </div><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Log files always need to be watched.
<br></blockquote></div><div><br>I do agree with you there. I try to look in on my httpd logs every couple of days. And the XS 0.6 logwatch emails are quite informative. I installed alpine, so keeping up with them is fast and simple.<br>
</div></div><br>Anna Schoolfield<br>Birmingham<br>
</div><br>
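An added example, not part of this thread, of the rule ordering Tom describes applied to the setup Anna outlines: the long per-range blocklist lives in its own chain that only NEW connections to the published ports are sent through, so loopback and established traffic are accepted before the list is ever consulted. The ssh port, the chain name GEOBLOCK and the three CIDR ranges are constructed placeholders, not real blocklist data.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset in which the per-range
# DROPs sit in a dedicated chain consulted only for NEW connections to the
# published ports. Everything below is constructed; adjust ports and ranges.

SSH_PORT=2222              # placeholder for a non-standard ssh port
JABBER_PORTS="5222,5269"   # ejabberd client and server-to-server ports

# Constructed sample ranges (RFC 5737 documentation prefixes, not a country list)
BLOCK_RANGES="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# Rule order, top to bottom of INPUT:
#  1. loopback and ESTABLISHED,RELATED accepted first (most packets stop here)
#  2. only NEW connections to the public ports jump into GEOBLOCK
#  3. GEOBLOCK holds one DROP per range and RETURNs for everything else
#  4. surviving NEW traffic to the public ports is accepted; policy drops the rest
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':GEOBLOCK - [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports 80,$JABBER_PORTS,$SSH_PORT -m state --state NEW -j GEOBLOCK"
    echo "$BLOCK_RANGES" | while read -r cidr; do
        if [ -n "$cidr" ]; then
            printf '%s\n' "-A GEOBLOCK -s $cidr -j DROP"
        fi
    done
    printf '%s\n' '-A GEOBLOCK -j RETURN'
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports 80,$JABBER_PORTS,$SSH_PORT -m state --state NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Number of DROP rules in the blocklist chain (one per range)
count_drops() { build_ruleset | grep -c -- '-A GEOBLOCK .* -j DROP'; }

# Line number of the first rule matching a pattern, used to confirm that the
# fast-path rules precede the long list
line_of() { build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

# Usage: build_ruleset > geoblock.rules && iptables-restore < geoblock.rules
build_ruleset
```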