>is this correct so the list must look like this:
>
>/sbin/ipchains -I input -s 203.232.240.215 -j DENY -l
>/sbin/ipchains -I input -s 63.25.226.171 -j DENY -l
>fi

Here's another possible solution.

If you're not running a firewall (but have IPChains
installed), then try this little script - which is
actually taken from a firewall and is used to lock out
your network ghouls. Just install the script under
/etc/rc.d and chmod the script to 700. Then make sure
you have an rc.firewall.blocked file under the same
/etc/rc.d directory, which is where you'll drop in
your ghoul IP ranges (watch line wraps in the script).

#!/bin/sh
# Network Ghouls
# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -s address -j DENY
# rules to block from any access.

# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    deny_file="/etc/rc.d/rc.firewall.blocked"
    # mktemp avoids a predictable file name in /tmp (this runs as root)
    temp_file=`mktemp /tmp/temp.ip.addresses.XXXXXX` || exit 1

    # Keep the leading run of digits and dots from each line (whatever
    # follows it is dropped); awk then discards the empty results.
    sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" "$deny_file" \
        | awk ' $1 ' > "$temp_file"

    # Block each address as source and destination, inbound and outbound
    while read ip_addy
    do
        case $ip_addy in
            *)  ipchains -A input -s "$ip_addy" -j DENY
                ipchains -A input -d "$ip_addy" -j DENY
                ipchains -A output -s "$ip_addy" -j REJECT
                ipchains -A output -d "$ip_addy" -j REJECT
                ;;
        esac
    done < "$temp_file"

    rm -f "$temp_file" > /dev/null 2>&1
    unset temp_file
    unset deny_file
fi

In the rc.firewall.blocked file, you can even go for
the broader scope and block out the entire IP range if
they're a real pain in the ass - like this:

203.232.240.255/32
63.25.226.255/32

That's all you need to drop into the
rc.firewall.blocked file. No need to enter the other
stuff (/sbin/ipchains -I input -s 203.232.240.215 -j
DENY -l) as that's what the ghouls script does for
you. Just start the ghoul script as
./what-ever-you-name-it from the /etc/rc.d/ directory.
The ghoul script will protect your machine in both
directions (in/out), where the method you mentioned
only works for inward bound traffic.

Good luck!
Scott
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
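
Added example (not part of Scott's post or of the original script): a dry-run check for rc.firewall.blocked that validates each entry as a dotted quad with an optional /bits prefix and prints the four ipchains rules the script above adds per address, without touching the firewall. The function names valid_entry and rules_for are made up for this example.

```shell
#!/bin/sh
# Dry-run validator for a blocklist file: one ADDR or ADDR/BITS per line,
# '#' comments and blank lines ignored. Nothing here calls ipchains.

# valid_entry ADDR[/BITS]: succeed only for four octets 0-255 and,
# when a prefix is given, a length of 0-32.
valid_entry() {
    addr=${1%%/*}
    case $1 in
        */*) bits=${1#*/} ;;
        *)   bits=32 ;;
    esac
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ ${#bits} -le 2 ] && [ "$bits" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split on dots; addr holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rules_for FILE: print the rule set for every valid entry, report the
# rest on stderr, and return 1 if anything was rejected.
rules_for() {
    rc=0
    while read -r entry _rest; do
        case $entry in ''|'#'*) continue ;; esac
        if valid_entry "$entry"; then
            echo "ipchains -A input -s $entry -j DENY"
            echo "ipchains -A input -d $entry -j DENY"
            echo "ipchains -A output -s $entry -j REJECT"
            echo "ipchains -A output -d $entry -j REJECT"
        else
            echo "skipped invalid entry: $entry" >&2
            rc=1
        fi
    done < "$1"
    return $rc
}

# Usage: sh check-blocked.sh /etc/rc.d/rc.firewall.blocked
if [ $# -gt 0 ]; then
    rules_for "$1"
fi
```

Review the printed rules before loading them; a non-zero exit status means at least one line in the file was rejected.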