I agree. In our case, we use Snort and guardian to fend off "possible" attackers, though we added our own IP block into guardian's ignore list.
On Sat, Jun 13, 2009 at 1:11 AM, Jeremiah Bess <[email protected]> wrote:
> While it is possible, not every ISP in France and Croatia will have a .fr
> or .hr reverse DNS entry. And as a security professional, I would recommend
> keeping the log line, since you can't assume everyone in France and Croatia
> is a legitimate user, and logs are your friends.
>
> Another note is that setting up security on a box is not a
> set-it-and-forget-it tactic. It's constantly changing, and needs human
> intervention. Turn on extra logging, and review the logs on a regular basis.
>
> Your best bet would be to install an IPS. This would look for brute-force
> attacks and other attack vectors and block the offending IP. Snort can be
> used as an IPS, but it has a learning curve. BFD can be used, but it only
> detects brute-force attacks, not SQL injections or other malicious attempts.
>
> Jeremiah E. Bess
> Network Ninja, Penguin Geek, Father of four
>
> On Fri, Jun 12, 2009 at 09:08, dr. Hannibal Lecter <[email protected]> wrote:
>>
>> Hi all,
>>
>> As some of you might know, I'm still a noob, so bear with me :)
>>
>> I've recently experienced a terrible security breach on my test
>> platform at work, which is an old Fedora 5 setup.
>>
>> Due to the fact that this platform needs to be accessible from Croatia
>> and France, my idea was to block all countries using iptables using
>> this technique:
>>
>> http://www.cyberciti.biz/faq/block-entier-country-using-iptables/
>>
>> I'm still learning about iptables, but since the above method would
>> introduce thousands of addresses in iptables in my case, I assume it
>> would slow everything down.
>>
>> So my question is: is there a way to explicitly allow the hr and fr zones
>> as described in the article above, but drop everything else?
>>
>> Would it be enough to change the ISO codes in the script above to "hr
>> fr" and change this line
>>
>> $IPT -A $SPAMLIST -s $ipblock -j DROP
>>
>> to
>>
>> $IPT -A $SPAMLIST -s $ipblock -j ACCEPT
>>
>> and then add this at the bottom:
>>
>> $IPT -A INPUT -j DROP
>>
>> ...or are there more changes needed in the script? (I assume I won't
>> be needing the LOG line any longer.)
>>
>> Thanks in advance!
>>

--
Part-time SysAd, full-time Dad, part-time netNinja
CNS, ACFE, FOSS Advocate and Consultant
Registered Linux User #400165
http://www.rm2media.net
http://baudizm.blogsome.com
http://linuxblazon.wordpress.com
http://3x-comic.blogspot.com (NEW!)

You received this message because you are subscribed to the Linux Users Group.
To post a message, send email to [email protected]
To unsubscribe, send email to [email protected]
For more options, visit our group at http://groups.google.com/group/linuxusersgroup
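What the original question was asking for, as an added example that is not code from any of the posters or from the linked cyberciti script: a small POSIX sh script that builds the allow-list (ACCEPT for the hr and fr blocks, DROP for everything else) and keeps the LOG line that Jeremiah recommended. The chain name countrylist, the admin host 192.0.2.10 and the handful of CIDR blocks are constructed placeholders; a real run would read the per-country zone files instead of the zone_blocks stub. Two things the original question did not account for are added here: the ESTABLISHED/RELATED, loopback and admin-host rules go in front of the jump into the allow-list chain so that loading the rules over SSH does not cut the session, and every zone entry is sanity-checked before it is spliced into an iptables command, because a corrupt or tampered zone file would otherwise end up as rule text.

```shell
#!/bin/sh
# Country allow-list for iptables: accept the listed zones, drop the rest.
# Added example, not code from the thread. Chain name, admin host and the
# sample CIDR blocks are assumptions. Run with no argument to print the
# rules (dry run); run as root with "apply" to load them.

IPT=${IPT:-/sbin/iptables}
ALLOWLIST=${ALLOWLIST:-countrylist}      # assumed chain name
MGMT_IP=${MGMT_IP:-192.0.2.10}           # assumed admin host (TEST-NET-1), never locked out
ALLOWED_ZONES=${ALLOWED_ZONES:-"hr fr"}

# Constructed stand-in for the per-country zone files (one CIDR per line).
# The "garbage/99" entry is deliberate: it must be rejected, not become a rule.
zone_blocks() {
    case "$1" in
        hr) printf '%s\n' '31.147.0.0/16' '78.0.0.0/15' ;;
        fr) printf '%s\n' '2.0.0.0/12' '5.39.0.0/17' 'garbage/99' ;;
        *)  echo "unknown zone: $1" >&2; return 1 ;;
    esac
}

# Accept only a.b.c.d/n with sane octets and prefix length.
valid_cidr() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*|*/|/*) return 1 ;;
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    mask=${1#*/}
    case "$mask" in *.*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit (or apply) the rule set. Order matters: the rules that keep you from
# locking yourself out come before the jump into the allow-list chain, and
# the LOG line stays in front of the final DROP.
build_rules() {
    $IPT -N "$ALLOWLIST" 2>/dev/null || $IPT -F "$ALLOWLIST"
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -s "$MGMT_IP" -j ACCEPT
    for zone in $ALLOWED_ZONES; do
        zone_blocks "$zone" | while read -r block; do
            if valid_cidr "$block"; then
                $IPT -A "$ALLOWLIST" -s "$block" -j ACCEPT
            else
                echo "skipping malformed entry in zone $zone: $block" >&2
            fi
        done
    done
    # Anything not accepted inside the chain returns here: log it (rate-limited), then drop.
    $IPT -A INPUT -j "$ALLOWLIST"
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "country-drop: "
    $IPT -A INPUT -j DROP
}

if [ "${1:-}" = apply ]; then
    build_rules
else
    IPT=echo
    build_rules
fi
```

Several thousand ACCEPT rules in a linear chain are still walked one by one for every packet that does not match, which is the slowdown the question worried about; on a kernel where ipset is available, the per-block rules collapse into a single `-m set --match-set` rule, and the rest of the structure above stays the same.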
