View Full Version : Deny IP's from everything
1st March 2005, 02:13 AM
Ok im tired of probes from china so what id like to know is there a way to deny connections from lets say ip addy's from my entire computer and open ports. Not just apache with .htaccess. Is there an equivilent to .htaccess? I mean its just script kiddies and i have nothing they could want. Think about it 28 hits on root threw ssh and it saying connection is refused would tell me root cant log on here. I dont know thats just me. I am allready firewalled with my router, and linux firewall and selinux. And keep nothing on my computer that i would care a script kiddie would gain from an attack. Never the less is this possible?
1st March 2005, 02:44 AM
found my answer after probing the forums more. and using different search strings. jsut add ip and deny in the hosts file. and play with iptables. Will try to figure the second part out.
1st March 2005, 06:28 PM
if you run iptables, you can define which ports are open to the outside with System Settings -> Security Level.
1st March 2005, 07:10 PM
you could install firestarter GUI to control iptables for you...or you could use gShield which is a script that controls iptables. Both are easy to use...and you could just add the IP to deny.
1st March 2005, 09:03 PM
I added this line to /etc/hosts.deny
And my /etc/hosts.allow only has
But, that has the effect of denying everything from everywhere, probably not a good idea if you are running a server.
8th March 2005, 01:46 PM
from what I have heard adding IP addresses to /etc/hosts.deny doesnt always work because not all applications actually conform with it. I have had the same problem with people trying to brute force my ssh server so I decided to go for iptables. Ip tables seems fairly simple to start off with but can get really complex so I would recommend using Narc (google for narc) its a script which basically you edit one configuration file and it will create all the iptables rules for you its greate if you just want to allow certain services externally but still allow local clients to access all services. Check it out (here is a link if your lazy :p http://www.knowplace.org/netfilter/narc.html)
13th March 2005, 04:53 PM
In your case i suggest you to use APF firewall script to deny any port or Ip addresses. You don't need to learn Iptables though :)
APF script just works fine for workstations to advanced servers. :)
Just my two cents... :cool:
13th March 2005, 06:56 PM
I haven't gone that far myself, but I think that you can also filter IP address blocks. The trick is to find the blocks that are used in Asia. Finding out what range of Ip's APNIC is responsible for might be a good starting point. Something like 184.108.40.206 or thereabouts. But on the other hand, if you want to be accessible, ie. website, what can you do other than good stateful packet filtering and only enabling the services you need, correct permissions, tight scripts, and good passwords. Also consider max. login attempts for services such as SSH,etc. Hackers give up soon, when it is more effort and time consuming. As far as IP tables are concerned, I always found it easier to have an implicit "deny all" as the last rule at the bottom and to selectively enable the services and ports, rather than allow all and then having to figure out what to deny, which can make for some very large tables. Much easier to keep track of and log as well.
14th March 2005, 10:22 AM
Narc does this all for you, it will create all rules in iptables easily and quickly (if you cant be bothered creating them yourself) it will filter invalid packets as well as spoofed packets The LOT!
I was going to paste a copy of my iptables -L but it went over the 10000 character limit :p
22nd March 2005, 08:21 PM
sshd: .cn, .cn.net, .cn.com, .jp, .jp.com #block domains from China and Japan cool huh :))
#you may comment the latter
vBulletin® v3.8.7, Copyright ©2000-2013, vBulletin Solutions, Inc.