Note to LEAF users on ssh logins

George Georgalis george at galis.org
Thu Mar 3 08:15:07 PST 2005


On Thu, Mar 03, 2005 at 09:21:33AM -0500, Brian Reichert wrote:
>On Thu, Mar 03, 2005 at 03:14:41PM +0100, Simon 'corecode' Schubert wrote:
>> On 03.03.2005, at 14:35, Joerg Sonnenberger wrote:
>> >> * Detects failed ssh login attempts and maps out the originating IP
>> >> * using IPFW.
>> >Someone wants to write a nice PF version? It should just add the IP to
>> >a table :)
>> 
>> collaborative ssh scan firewalling with a distributed database? *ducks*
>
>I've heard assertions that the DROP list is good for cutting down
>on 'improper' web/ssh connections.  I haven't correlated with my
>own logs, so I can't offer more details:
>
>  <http://www.spamhaus.org/drop/index.lasso>
>

The following sloppy bash downloads IP delegations by country code and
generates a tcpserver cdb, so I can relay, accept or filter incoming
SMTP, allowing me to block IP connections by country code in addition
to regular declarations. It will be tricky to follow if you aren't
familiar with djb tcpserver and the QMAIL_QUEUE patch. The heart is
nic-to-tcprules, which I didn't write and which is linked to the author's
page in the script. (Sorry, some Linux-only commands here.)



#!/bin/bash
#set -x
set -e

dest="/etc/tcp.smtp"
tmpdest="/var/tmp/`basename $dest`"
countries="
ae
eg
ar
br
bz
bo
co
cz
cl
hk
id
ma
mx
kr
ne
ng
sn
ro
sg
uy
cn
"
#es
#nl
#tw

# Root-Zone Whois Information
# Index by TLD Code
# http://www.iana.org/cctld/cctld-whois.htm

latestnics="
ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest
http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
ftp://ftp.arin.net/pub/stats/arin/delegated-arin-latest
ftp://ftp.ripe.net/ripe/stats/delegated-ripencc-latest
"
cd /var/tmp

[ -a nic-assignment-file ] \
	&& mv --backup=numbered nic-assignment-file /var/tmp/nic-assignment-file.old

# get the latest delegated file from all nics
# only downloads if changed; uses wget's symlink discovery method in ftp
for n in $latestnics; do
	wget -q -N $n
	printf "."
	f=`basename $n`
	if [ -L $f ]; then
		dated=$(find `basename $n` -type l -printf "%l")
		newurl="`dirname $n`/$dated"
		wget -q -N $newurl
	else
		newurl=$n
	fi
	cat `basename $newurl` >>nic-assignment-file
	echo >>nic-assignment-file
	printf "."
done
# made a nic-assignment-file from all current nics,
# whether the nic's current file is http, ftp, a symlink or a regular file
# also only downloaded if the local version is older (wget -N)

# remove the nic-assignment-file-* and delegated-* files not accessed in a while
find ./ -maxdepth 1 -type f \
	\( -atime +5 -a -mtime +5 \) \
	-a \( -name nic-assignment-file\* -o \
		-name delegated-\* \) \
	-exec \rm -f \{\} \;

# backup existing tcp.smtp file
[ -a $dest ] && cp -a --backup=numbered ${dest} ${tmpdest}-old
# make local rules/exceptions for the tcp.smtp file
cat >$tmpdest <<EOF
#/var/qmail/bin/qmailctl cdb
#tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp </etc/tcp.smtp ; chmod a+r /etc/tcp.smtp*
127.:allow,RELAYCLIENT=""
192.168.:allow,RELAYCLIENT=""
#10.:allow,RELAYCLIENT=""
# sanitized additional relay subnets

#http://www.iana.org/gtld/gtld.htm
#Generic Top-Level Domains
#
#http://www.iana.org/cctld/cctld-whois.htm
#Root-Zone Whois Information Index by TLD Code
#
#ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest
#http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
#ftp://ftp.arin.net/pub/stats/arin/delegated-arin-latest
#ftp://ftp.ripe.net/ripe/stats/delegated-ripencc-latest
#
#http://dqd.com/~mayoff/programs/nic-to-tcprules
#nic-to-tcprules takes a list of two-letter country codes as
#command-line arguments, and reads a series of address assignments on
#standard input.

EOF

printf ":"
	
nic-to-tcprules $countries <nic-assignment-file >>$tmpdest

# modify the allow and deny rules
cat >>$tmpdest <<EOF
# specify some subnets that are just denied....

# specify some subnets that are allowed (no spam filtering)

# spamc everything else
:allow,QMAILQUEUE="/var/qmail/bin/qmail-spamc-queue"
EOF
cat $tmpdest >$dest
echo "$dest"


// George


-- 
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george at xxxxxxxxx
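Added example, not part of this post and not the linked nic-to-tcprules program: a small Python stand-in that reads RIR "delegated-*" IPv4 records (registry|cc|type|start|count|date|status), keeps the requested country codes, and splits each start/count block into the octet-aligned dotted prefixes that tcprules matches (1.2.3. for a /24, 1.2. for a /16, 1. for a /8). The delegation records in SAMPLE are constructed for illustration.

```python
"""Turn RIR delegated-* IPv4 records into tcprules deny lines for chosen
country codes. Added example; a stand-in for nic-to-tcprules, not its code."""
import ipaddress

# Constructed sample in the delegated-* format:
# registry|cc|type|start|value|date|status  (value = number of addresses)
SAMPLE = """\
2|apnic|20050303|3|19830101|20050302|+1000
apnic|*|ipv4|*|2|summary
apnic|CN|ipv4|1.0.1.0|256|20050101|allocated
apnic|HK|ipv4|1.0.4.0|1024|20050101|allocated
ripencc|RO|ipv4|5.2.0.0|65536|20050101|allocated
lacnic|BR|ipv4|200.0.0.0|16777216|20050101|allocated
apnic|JP|ipv4|1.0.16.0|4096|20050101|allocated
ripencc|NL|ipv6|2001:610::|32|19990101|allocated
"""

def delegated_ipv4(text, countries):
    """Yield (cc, start_as_int, count) for ipv4 records of wanted countries."""
    wanted = {c.lower() for c in countries}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) < 5 or f[2] != "ipv4" or f[1].lower() not in wanted:
            continue
        yield f[1].lower(), int(ipaddress.IPv4Address(f[3])), int(f[4])

def prefixes(start, count):
    """Split a start/count block into tcprules dotted prefixes.
    Emit the largest octet-aligned block (2^24, 2^16, 2^8) that fits at the
    current position; any remainder smaller than 256 becomes single hosts."""
    out = []
    end = start + count
    while start < end:
        for bits in (24, 16, 8, 0):
            size = 1 << bits
            if start % size == 0 and start + size <= end:
                octets = str(ipaddress.IPv4Address(start)).split(".")
                keep = 4 - bits // 8          # octets to keep for this block
                out.append(".".join(octets[:keep]) + ("." if bits else ""))
                start += size
                break
    return out

def tcprules(text, countries, action="deny"):
    """Return tcprules lines such as '1.0.1.:deny' for the chosen countries."""
    return [f"{p}:{action}"
            for _cc, start, count in delegated_ipv4(text, countries)
            for p in prefixes(start, count)]
```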