Thanks for your input. I don't think I want to go as far as snort (I'm still inexperienced, and it seems like my broken FC5 doesn't have most of the dependencies), I only want to limit HTTP/FTP/SSH access. What I didn't mention earlier (now I think I should have), is that the break- in happened via an unprotected (and old version of) phpMyAdmin. Apparently, there was a very nasty exploit which allowed for file upload and with that, many other nasty things.
I'm really looking for a short-term solution, because I plan on reformatting and installing Ubuntu when I get the time to do so. On Jun 15, 12:10 am, hard wyrd <[email protected]> wrote: > I agree. In our case, we use Snort and guardian to fend of "possible" > attackers. Though we added our own IP block into guardian's ignore list. > > On Sat, Jun 13, 2009 at 1:11 AM, Jeremiah Bess <[email protected]>wrote: > > > > > > > While it is possible, not every ISP in France and Croatia will have a .fr > > or .hr reverse DNS entry. And as a security professional, I would recommend > > keeping the log line, since you can't assume everyone in France and Croatia > > are legitimate users, and logs are your friends. > > > Another note is that setting up security on a box is not a set it and > > forget it tactic. It's constantly changing, and needs human intervention. > > Turn on extra logging, and review the logs on a regular basis. > > > Your best bet would be to install an IPS. This would look for brute force > > attacks and other attack vectors and block the offending IP. Snort can be > > used as a IPS, but it has a learning curve. BFD can be used, but only detect > > brute force attacks, not SQL injections or other maclious attempts. > > > Jeremiah E. Bess > > Network Ninja, Penguin Geek, Father of four > > > On Fri, Jun 12, 2009 at 09:08, dr. Hannibal Lecter > > <[email protected]>wrote: > > >> Hi all, > > >> As some of you might know, I'm still a noob, so bear with me :) > > >> I've recently experienced a terrible security breach on my test > >> platform at work, which is an old Fedora 5 setup. > > >> Due to the fact that this platform needs to be accessible from Croatia > >> and France, my idea was to block all countries using iptables using > >> this technique: > > >>http://www.cyberciti.biz/faq/block-entier-country-using-iptables/ > > >> I'm still learning about iptables, but since the above method would > >> introduce thousands of addresses in iptables in my case, I assume it > >> would slow everything down. > > >> So my question is: is there a way to explicitly allow hr and fr zones > >> as described in the article above, but drop everything else? > > >> Would it be enough to change the ISO codes in the script above to "hr > >> fr" and change this line > > >> $IPT -A $SPAMLIST -s $ipblock -j DROP > > >> to > > >> $IPT -A $SPAMLIST -s $ipblock -j ACCEPT > > >> And then add this at the bottom: > > >> $IPT -A INPUT -j DROP > > >> ...or, there are more changes needed in the script? (I assume I won't > >> be needing the LOG line anylonger) > > >> Thanks in advance! > > -- > Part-time SysAd, full-time Dad, part-time netNinja > CNS, ACFE, FOSS Advocate and Consultant > Registered Linux User > #400165http://www.rm2media.nethttp://baudizm.blogsome.comhttp://linuxblazon.wordpress.comhttp://3x-comic.blogspot.com (NEW!) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Linux Users Group. To post a message, send email to [email protected] To unsubscribe, send email to [email protected] For more options, visit our group at http://groups.google.com/group/linuxusersgroup -~----------~----~----~----~------~----~------~--~---
