* How to block particular port based on src IP ?
@ 2010-04-13 6:51 J. Bakshi
From: J. Bakshi @ 2010-04-13 6:51 UTC (permalink / raw)
To: netfilter
Hello list,
I have these working rule-sets which block the IPs trying to ssh more
than 2 times per min. The matching IPs are then blacklisted for a
pre-defined time, here 180 sec.
```
# Mark NEW connections to the ssh port from a source exceeding 2/min (burst 2)
iptables -A INPUT -p tcp -m hashlimit --hashlimit-above 2/min --hashlimit-burst 2 \
    --hashlimit-name hashlimit -m state --state NEW -m tcp --dport $SSH_PORT \
    -j MARK --set-xmark 0x1/0xffffffff
# Drop everything from a source seen in the sshoverflow list within the last 180 s
iptables -A INPUT -m recent --rcheck --seconds 180 --name sshoverflow --rsource -j DROP
# Marked packets: record the source in the sshoverflow list and drop
iptables -A INPUT -m mark --mark 0x1 -m recent --set --name sshoverflow --rsource -j DROP
# Anything else to the ssh port is allowed
iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -j ACCEPT
```
I am trying to make an arrangement that, rather than blocking the IP, only
the access to the ssh port will be blocked from that IP. So the other
services, i.e. imap, apache, will still be accessible from the IP,
excluding ssh. Is it possible?
Please suggest.
Thanks
--
জয়দীপ বক্সী
* How to block particular port based on src IP ?
@ 2010-04-14 3:18 J. Bakshi
From: J. Bakshi @ 2010-04-14 3:18 UTC (permalink / raw)
To: netfilter
* Re: How to block particular port based on src IP ?
@ 2010-04-16 9:46 ` Richard Horton
From: Richard Horton @ 2010-04-16 9:46 UTC (permalink / raw)
To: J. Bakshi, netfilter
On 13 April 2010 07:51, J. Bakshi <joydeep@infoservices.in> wrote:
> I am trying to make an arrangement that, rather than blocking the IP, only
> the access to the ssh port will be blocked from that IP. So the other
> services, i.e. imap, apache, will still be accessible from the IP,
> excluding ssh. Is it possible?
Yes. All you need to do is change your drop rule to the following:
```
iptables -A INPUT -p tcp --dport ssh -m mark --mark 0x1 -m recent \
    --set --name sshoverflow --rsource -j DROP
```
The way the rule works is effectively a logical AND, so it says: if the
destination is the ssh port and the ip address is in the recent list,
then drop the packet. This way only ssh is denied to the bad guy
rather than everything... might be better to use, for instance,
```
iptables -A INPUT -p tcp -m multiport --dports ssh -m mark --mark 0x1 \
    -m recent --set --name sshoverflow --rsource -j DROP
```
You can then add other services prone to brute force attacks to the drop list...
(Taken me a while to reply as I've been preoccupied with work and
broken cheekbone thanks to some drunk chavs :()
--
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.pbase.com/arimus - My online photogallery
http://www.topcashback.co.uk/ref/rhorton
* Re: How to block particular port based on src IP ?
@ 2010-04-16 10:37 ` J. Bakshi
From: J. Bakshi @ 2010-04-16 10:37 UTC (permalink / raw)
To: Richard Horton; +Cc: netfilter
On 04/16/2010 03:16 PM, Richard Horton wrote:
> On 13 April 2010 07:51, J. Bakshi <joydeep@infoservices.in> wrote:
>> I am trying to make an arrangement that, rather than blocking the IP, only
>> the access to the ssh port will be blocked from that IP. So the other
>> services, i.e. imap, apache, will still be accessible from the IP,
>> excluding ssh. Is it possible?
>
> Yes. All you need to do is change your drop rule to the following:
> iptables -A INPUT -p tcp --dport ssh -m mark --mark 0x1 -m recent \
>     --set --name sshoverflow --rsource -j DROP
>
> The way the rule works is effectively a logical AND, so it says: if the
> destination is the ssh port and the ip address is in the recent list,
> then drop the packet. This way only ssh is denied to the bad guy
> rather than everything... might be better to use, for instance,
> iptables -A INPUT -p tcp -m multiport --dports ssh -m mark --mark 0x1 \
>     -m recent --set --name sshoverflow --rsource -j DROP
>
> You can then add other services prone to brute force attacks to the drop list...
>
> (Taken me a while to reply as I've been preoccupied with work and
> broken cheekbone thanks to some drunk chavs :()
GREAT !!!
AWESOME !!!
SWEET !!
Exactly what I have been looking for for a long time. Now the overflow
connection attempts are dropped but the other services are still
available. Though the blacklist interval is taking more than what is
defined in the config. Here is the code:
```
# Mark NEW connections to the ssh port from a source exceeding 2/min (burst 2)
iptables -A INPUT -p tcp -m hashlimit --hashlimit-above 2/min --hashlimit-burst 2 \
    --hashlimit-name hashlimit -m state --state NEW -m tcp --dport $SSH_PORT \
    -j MARK --set-xmark 0x1/0xffffffff
# Drop only ssh from a source seen in the sshoverflow list within the last 60 s
iptables -A INPUT -p tcp --dport $SSH_PORT -m recent --rcheck --seconds 60 \
    --name sshoverflow --rsource -j DROP
# Marked ssh packets: record the source in the sshoverflow list and drop
iptables -A INPUT -p tcp --dport $SSH_PORT -m mark --mark 0x1 -m recent \
    --set --name sshoverflow --rsource -j DROP
# Anything else to the ssh port is allowed
iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -j ACCEPT
```
The interval is set to 60 sec as above, but practically it is taking
```
real 1m52.044s
```
measured by *time*.
Except for the interval, everything else is running well.
Many many thanks..
--
জয়দীপ বক্সী
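A Python model of the final rule set posted above, added here as an example (it is not from the thread and not iptables code): it walks constructed SYN arrival times through the hashlimit bucket and the recent list in rule order. Because rule 1 consumes hashlimit credit even for packets that rule 2 then drops, a client that keeps retrying during the blackout is marked again as soon as the window expires, so its effective blackout runs well past the configured 60 s, while a client that goes quiet is released after the window. Assumed: one source, every packet is a NEW SYN to $SSH_PORT, and hashlimit is simplified to a plain token bucket.

```python
# Added model of the thread's final INPUT chain (assumptions: one source, all packets NEW SYNs
# to $SSH_PORT so the tcp/dport/state parts of each rule always match; hashlimit is a plain
# token bucket with burst 2 refilled at 2 tokens/min; recent keeps one last-seen time per source).
RATE_PER_MIN = 2        # --hashlimit-above 2/min
BURST = 2               # --hashlimit-burst 2
RECENT_SECONDS = 60     # --rcheck --seconds 60
TOKEN = 60              # credit kept in token-seconds so integer arithmetic stays exact

class HashLimit:
    """Rule 1: a packet that finds no credit is 'above' the limit and gets MARK 0x1."""
    def __init__(self):
        self.credit, self.last = BURST * TOKEN, None
    def above(self, now):
        if self.last is not None:   # refill RATE_PER_MIN tokens per 60 s, capped at the burst
            self.credit = min(BURST * TOKEN, self.credit + (now - self.last) * RATE_PER_MIN)
        self.last = now
        if self.credit >= TOKEN:
            self.credit -= TOKEN    # within limit: consume one token, no match
            return False
        return True                 # limit exceeded: match, packet is marked

def walk_chain(arrivals):
    """Return [(t, verdict, reason)] for SYNs arriving at integer times t (seconds)."""
    hl, last_seen, log = HashLimit(), None, []
    for t in arrivals:
        # rule 1 runs first and consumes credit even when a later rule drops the packet
        marked = hl.above(t)
        # rule 2: -m recent --rcheck --seconds 60 -j DROP (rcheck never updates the timestamp)
        if last_seen is not None and t - last_seen < RECENT_SECONDS:
            log.append((t, "DROP", "rcheck: inside blackout window"))
        # rule 3: -m mark --mark 0x1 -m recent --set -j DROP (set records a fresh timestamp)
        elif marked:
            last_seen = t
            log.append((t, "DROP", "marked: source (re)blacklisted"))
        # rule 4: -p tcp -m state --state NEW --dport $SSH_PORT -j ACCEPT
        else:
            log.append((t, "ACCEPT", "within limit and not blacklisted"))
    return log

def blackout_length(arrivals):
    """Seconds from the first DROP to the first ACCEPT after it."""
    log = walk_chain(arrivals)
    first_drop = next(t for t, v, _ in log if v == "DROP")
    return next(t for t, v, _ in log if v == "ACCEPT" and t > first_drop) - first_drop

# Constructed input: a client retrying every 10-15 s for two minutes, then silent until t=300,
# and a client that trips the limit once and then stays quiet past the 60 s window.
RETRYING = [0, 5, 10, 20, 30, 40, 50, 65, 80, 95, 110, 125, 135, 300]
QUIET = [0, 5, 10, 75]
if __name__ == "__main__":
    print(walk_chain(RETRYING), blackout_length(RETRYING), blackout_length(QUIET))
```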