> Currently, on VM, if a web server sees someone trying to log in using
> incorrect userid/password, it will prompt them to stop/get help; if they
> don't, via the VM TCPIP stack, the client is blocked. Kind of like a
> dynamic firewall rule that lasts for a predefined period of time.
> I wanted to implement the same for my Linux guests but at the VM level
> so that I don't incur the overhead of running iptables on each guest.
> This way, if a guest sees repeated login attempts or sometimes
> you see hackers asking for web pages for common admin tools, then
> the guest would inform VM that controls the switch to block that
> external IP address for a specific time.
Front end your WWW servers with a guest running LVS, and run iptables on the LVS guest. You can then do the iptables stuff in only one place, and you also get the ability to do load-balancing, pre-authentication and all kinds of other nifty stuff.

If you want to do this on a more comprehensive scale, use a Linux guest as a front end to the VM stack (i.e., have the Linux guest assume the IP address of your VM stack and set up as a NAT gw, passing traffic through as needed) and run iptables there. We've run this way for ages, and it works very nicely. If you want to do that, we can talk offline about the iptables config to do that. It also lets you cut off bozos in only one place.

You could easily add a cron job to the Linux IP stack guest that reads a CMS minidisk file of "naughty" luser IP addresses and periodically updates an iptables map. That'd be cool, actually; then you could cut them off from all services if you so chose, or just some services, depending on how you wrote the script.

-- db
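One way to build the cron job db sketches, as an added example that is not part of the original thread and not db's script: a POSIX shell script for the front-end Linux guest that reads a text file of "naughty" addresses and rebuilds a dedicated iptables chain from it, so blocks expire on their own after a fixed period. The file format (one "IP EPOCH_SECONDS" pair per line), the chain name NAUGHTY, the one-hour block period and the IPTABLES override variable are all assumptions. Because the file arrives from another system (a CMS minidisk in db's setup), every address is validated before it reaches the iptables command line, and the chain is flushed and repopulated rather than appended to, so repeated runs never pile up duplicate rules.

```shell
#!/bin/sh
# Constructed example: refresh an iptables blocklist chain from a text file.
# Assumed input format: one "IPV4_ADDRESS EPOCH_SECONDS" pair per line,
# '#' starts a comment. Chain name, block period and the IPTABLES override
# are assumptions, not anything from the original thread.

IPTABLES="${IPTABLES:-iptables}"   # point at a wrapper for a dry run
CHAIN="${CHAIN:-NAUGHTY}"           # assumed dedicated chain name
BLOCK_SECS="${BLOCK_SECS:-3600}"    # assumed block period: one hour

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address with octets 0-255.
# Anything else from the file is refused so it can never be spliced into an
# iptables invocation.
is_ipv4() {
    addr=$1
    case $addr in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# active_entries FILE NOW: print the addresses whose block has not expired
# (NOW - stamp < BLOCK_SECS). Malformed lines are reported on stderr and skipped.
active_entries() {
    file=$1; now=$2
    while read -r ip stamp _; do
        case $ip in ''|'#'*) continue ;; esac
        is_ipv4 "$ip" || { echo "skip malformed address: $ip" >&2; continue; }
        case $stamp in ''|*[!0-9]*) echo "skip bad timestamp for $ip" >&2; continue ;; esac
        if [ $((now - stamp)) -lt "$BLOCK_SECS" ]; then
            echo "$ip"
        fi
    done < "$file"
}

# refresh_chain FILE [NOW]: create the chain if needed, flush it, then add one
# DROP rule per still-active address. Prints the number of rules installed.
refresh_chain() {
    file=$1; now=${2:-$(date +%s)}
    $IPTABLES -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -F "$CHAIN"
    n=0
    for ip in $(active_entries "$file" "$now"); do
        $IPTABLES -A "$CHAIN" -s "$ip" -j DROP
        n=$((n + 1))
    done
    echo "$n"
}

# ensure_hook: make INPUT jump to the chain, inserting the jump only once.
ensure_hook() {
    $IPTABLES -C INPUT -j "$CHAIN" 2>/dev/null || $IPTABLES -I INPUT -j "$CHAIN"
}

# Entry point for cron: update_blocklist.sh /path/to/naughty.txt
if [ $# -ge 1 ]; then
    ensure_hook
    count=$(refresh_chain "$1")
    echo "installed $count block rule(s) in chain $CHAIN"
fi
```

Run it from cron every few minutes (e.g. `*/5 * * * * /usr/local/sbin/update_blocklist.sh /srv/naughty.txt`, an assumed path) as root on the gateway guest; the guests that detect abuse only need to append "address timestamp" lines to the shared file. Putting the jump at the top of INPUT blocks every service at once, which is db's "cut them off from all services" case; restricting the jump to particular ports is the "just some services" variant and needs only a different `-I INPUT` rule in `ensure_hook`.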
