How to stop an active network connection
Hi,

How can I stop an active network connection? e.g.,

$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.100:ssh       ip-72-55-146-217.:35911 ESTABLISHED

Because barbarians are pounding at my sshd gate again:

. . .
Dec 2 16:41:37 helios sshd[9201]: Invalid user chad from 72.55.146.217
Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): check pass; user unknown
Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-72-55-146-217.static.privatedns.com
Dec 2 16:41:39 helios sshd[9201]: Failed password for invalid user chad from 72.55.146.217 port 42328 ssh2
. . .

I shut down my sshd daemon, but the network bandwidth did not drop. The active connection went away in the netstat output, which is wrong, and iftop was able to reveal the still-live connection.

Please help.

thanks

--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: How to stop an active network connection
On Tue, 2 Dec 2008 22:26:04 + (UTC) T o n g [EMAIL PROTECTED] wrote:

> Hi,
>
> How can I stop an active network connection? e.g.,
>
> $ netstat
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 192.168.0.100:ssh       ip-72-55-146-217.:35911 ESTABLISHED
>
> Because barbarians are pounding at my sshd gate again:

apt-cache show cutter ?

> Tong (remove underscore(s) to reply)

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

Re: How to stop an active network connection
On Tuesday 02 December 2008 17:26, T o n g wrote:

> Hi,
>
> How can I stop an active network connection? e.g.,
>
> $ netstat
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 192.168.0.100:ssh       ip-72-55-146-217.:35911 ESTABLISHED
>
> Because barbarians are pounding at my sshd gate again:
>
> . . .
> Dec 2 16:41:37 helios sshd[9201]: Invalid user chad from 72.55.146.217
> Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): check pass; user unknown
> Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-72-55-146-217.static.privatedns.com
> Dec 2 16:41:39 helios sshd[9201]: Failed password for invalid user chad from 72.55.146.217 port 42328 ssh2
> . . .
>
> I shut down my sshd daemon, but the network bandwidth did not drop. The active connection went away in the netstat output, which is wrong, and iftop was able to reveal the still-live connection.

I use a thing called fail2ban, which will monitor log entries and dynamically update your firewall to block IP addresses which are the source of too many failures.

I set it up years ago, and don't recall the specifics, but it's packaged for Debian, and I recall it being reasonably straightforward to set up.

The way I have it set up, it will block particular users who can't get their password right after three tries. I believe it can also be set up to block particular IP addresses that try multiple usernames, but I'm not 100% sure.

-- A.
--
Andrew Reid / [EMAIL PROTECTED]

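
Added example, not part of the thread and not fail2ban's own code: the log-monitoring idea described in the reply above, reduced to counting failed sshd passwords per source address and printing a block rule for each address over a limit. The log lines are constructed in the format quoted in the thread, the addresses are documentation placeholders, and the function names are made up for this sketch.

```sh
#!/bin/sh
# Added example: per-address count of failed sshd logins (not fail2ban code).

# Constructed sample in the format of the sshd lines quoted in the thread.
# Addresses come from the RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
Dec  2 16:41:37 helios sshd[9201]: Invalid user chad from 203.0.113.7
Dec  2 16:41:39 helios sshd[9201]: Failed password for invalid user chad from 203.0.113.7 port 42328 ssh2
Dec  2 16:41:44 helios sshd[9207]: Failed password for invalid user bob from 203.0.113.7 port 42390 ssh2
Dec  2 16:41:50 helios sshd[9211]: Failed password for root from 203.0.113.7 port 42455 ssh2
Dec  2 16:42:02 helios sshd[9220]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Dec  2 16:42:10 helios sshd[9220]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
Dec  2 16:42:30 helios sshd[9230]: Failed password for invalid user x from 192.0.2.99 from 203.0.113.7 port 42500 ssh2
EOF
}

# offenders THRESHOLD < logfile
# Prints each source address with at least THRESHOLD failed passwords.
# The user name is chosen by the client and may contain spaces or the word
# "from", so the address is read from the fixed tail of the line
# ("from ADDR port N ssh2") by counting fields from the end.
offenders() {
    awk -v max="$1" '
        / sshd\[[0-9]+\]: Failed password for / &&
        $NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from" {
            ip = $(NF-3)
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' | sort
}

# block_rules THRESHOLD < logfile
# Prints (does not run) one iptables rule per offender, limited to ssh.
block_rules() {
    offenders "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j REJECT\n' "$ip"
    done
}

# Three failures, the limit mentioned in the reply above.
sample_log | block_rules 3
```
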
Re: How to stop an active network connection
On Tue, Dec 02, 2008 at 05:30:01PM -0500, Celejar wrote:

> On Tue, 2 Dec 2008 22:26:04 + (UTC) T o n g [EMAIL PROTECTED] wrote:
>
> > Hi,
> >
> > How can I stop an active network connection? e.g.,
> >
> > $ netstat
> > Active Internet connections (w/o servers)
> > Proto Recv-Q Send-Q Local Address           Foreign Address         State
> > tcp        0      0 192.168.0.100:ssh       ip-72-55-146-217.:35911 ESTABLISHED
> >
> > Because barbarians are pounding at my sshd gate again:
>
> apt-cache show cutter ?

I think cutter only works on routers or machines in the middle of the tcp conversion

I would suggest using tcpdump to see the traffic on eth0 with something like

    tcpdump -pni eth0 -c 100

then you could use iptables to block the connection with something like

    iptables -I OUTPUT -d <destination ip> -j REJECT
    iptables -I INPUT -s <destination ip> -j REJECT

you could/should add better select with -p and/or --dport or --sport

Alex

> > Tong (remove underscore(s) to reply)
>
> Celejar
> --
> mailmin.sourceforge.net - remote access via secure (OpenPGP) email
> ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

--
If this were a dictatorship, it'd be a heck of a lot easier, just so long as I'm the dictator. - George W. Bush 12/19/2000 Washington, DC

Re: How to stop an active network connection
T o n g wrote:

> Hi,
>
> How can I stop an active network connection? e.g.,
>
> $ netstat
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 192.168.0.100:ssh       ip-72-55-146-217.:35911 ESTABLISHED
>
> Because barbarians are pounding at my sshd gate again:
>
> . . .
> Dec 2 16:41:37 helios sshd[9201]: Invalid user chad from 72.55.146.217
> Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): check pass; user unknown
> Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip-72-55-146-217.static.privatedns.com
> Dec 2 16:41:39 helios sshd[9201]: Failed password for invalid user chad from 72.55.146.217 port 42328 ssh2
> . . .
>
> I shut down my sshd daemon, but the network bandwidth did not drop. The active connection went away in the netstat output, which is wrong, and iftop was able to reveal the still-live connection.

Just apt-get install denyhosts. It will update the /etc/hosts.deny every time it detects an abusive client.

> Please help.
>
> thanks

--
If you can't explain it simply, you don't understand it well enough. -- Albert Einstein

Re: How to stop an active network connection
When the date was Wednesday 03 December 2008, T o n g wrote:

> Hi,
>
> How can I stop an active network connection? e.g.,

Using iptables(8) you can stop any kind of traffic manually or automagically, using something like the following (assuming that you normally accept ssh connections):

    iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
    iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent \
        --update --seconds 3600 --hitcount 4 -j DROP

--
Michael Iatrou (fnpk)

Re: How to stop an active network connection
On Wed, 3 Dec 2008 12:26:49 +1100 Alex Samad [EMAIL PROTECTED] wrote:

> On Tue, Dec 02, 2008 at 05:30:01PM -0500, Celejar wrote:
> > On Tue, 2 Dec 2008 22:26:04 + (UTC) T o n g [EMAIL PROTECTED] wrote:
> >
> > > Hi,
> > >
> > > How can I stop an active network connection? e.g.,
>
> ...
>
> > apt-cache show cutter ?
>
> I think cutter only works on routers or machines in the middle of the tcp conversion

You're right. However, I discovered that tcpkill (in the Debian dsniff package) works fine, e.g.:

    tcpkill -i eth0 dst somehost

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator