Hello,

I have some strange behaviour with shorewall 4.4.8.1-1 on a Debian squeeze.

From time to time I have a brute force hacker trying to get access to the pop3 accounts with generic names and passwords. I wanted to add them to a static blacklist, so I added the blacklist option to the interfaces file and added the IP to the blacklist file. But nevertheless the hacker can continue the brute force.

The "iptables -L -n" command shows the new entry:

    # iptables -L -n | grep 60.251.16.91
    DROP all -- 60.251.16.91

The interfaces file contains:

    #ZONE INTERFACE BROADCAST OPTIONS
    net eth0 detect dhcp,tcpflags,logmartians,nosmurfs,blacklist

The blacklist file contains:

    #ADDRESS/SUBNET PROTOCOL PORT
    60.251.16.91 - -

The rules file contains:

    #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
    ACCEPT net $FW tcp pop3

Extract from the shorewall.conf:

    BLACKLIST_DISPOSITION=DROP

The blacklist documentation describes that packets from the IPs mentioned in the blacklist should be dropped at the interface.

If I add the IP to the rules file with the action "DROP", then I don't get any attacks.

Could anybody give me a hint why the blacklist entry is ignored?

Thanks a lot
Alexander Maringer
