[TriLUG] fail2ban -> twitter

Clay Stuckey claystuckey at gmail.com
Wed Apr 28 11:01:52 EDT 2010


I have something that might work for you. I call it firewall-admin-in-a-box.
It works as follows:
1. Use IPTABLES to close off port 22.
2. Run apache on port 80.
3. Install a PHP script that serves as an authentication tool.
4. After you authenticate, the script grabs your IP and places it in a flat file.
5. A daemon running as root then grabs the IP and dynamically alters the
   IPTABLES rules.
6. You receive an email documenting the action.
7. That rule stays active for 24 hours.

This is a great tool to discourage hackers as ssh shows as filtered. You can
use a saved favorite or a desktop shortcut with the password saved inline.
The url might look like:
http://www.myserver.com/innoquousfolder/innoquousscript.php?var1=[username]&var2=[verylongpassword]
or
http://www.myserver.com/innoquousfolder/innoquousscript.php?var1=[username]&var2=[verylongpassword]&var3=[port]&var4=[mydesktopip]

The second URL would be used if you want to use this solution to implement
port forwarding for VNC, nomachine, or some other remote desktop solution.
This allows multiple users to hit their desktop.

On a related note:
I know that you can turn off password authentication for root. I haven't
checked but I bet you can do the same for non-root users. If so, you could
implement key-based authentication. This is a superior authentication
mechanism in my opinion.


--
Clay Stuckey - RHCE, LPIC1, CCNA, MCSE
claystuckey at gmail.com
(919) 600-0486 cell
(919) 531-1792 office (till the end of May)
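
The root daemon step from the message above, as an added example (not the poster's script and not part of the original post): it reads the flat file written by the web script, accepts only well-formed IPv4 addresses, and plans the iptables rule insertions and 24-hour expiries. The one-IP-per-line file format, the function names and the in-memory state dictionary are assumptions.

```python
import ipaddress

TTL_SECONDS = 24 * 60 * 60  # the post's 24-hour rule lifetime
SSH_PORT = 22


def parse_ip(line):
    """Return a canonical IPv4 string, or None if the line is anything else."""
    try:
        return str(ipaddress.IPv4Address(line.strip()))
    except ipaddress.AddressValueError:
        return None


def rule_argv(action, ip, port=SSH_PORT):
    """Build an argv list for subprocess.run(); no shell ever sees file content."""
    return ["iptables", action, "INPUT", "-p", "tcp", "-s", ip,
            "--dport", str(port), "-j", "ACCEPT"]


def plan(lines, active, now):
    """Return (commands, new_active); active maps ip -> expiry epoch seconds."""
    active = dict(active)
    cmds = []
    for line in lines:
        ip = parse_ip(line)
        if ip is None:
            continue  # malformed or hostile entry: drop it, never pass it on
        if ip not in active:
            cmds.append(rule_argv("-I", ip))
        active[ip] = now + TTL_SECONDS  # the daemon stamps the time itself
    for ip, expiry in sorted(active.items()):
        if expiry <= now:
            cmds.append(rule_argv("-D", ip))
            del active[ip]
    return cmds, active


if __name__ == "__main__":
    # Constructed sample: flat-file contents and one rule that has just expired.
    sample = ["203.0.113.7\n", "203.0.113.7; reboot\n", "not-an-ip\n", "203.0.113.7\n"]
    cmds, state = plan(sample, {"198.51.100.9": 999_999}, now=1_000_000)
    for argv in cmds:
        print(" ".join(argv))
    print(state)
```

Because the file is written by the unprivileged web server and consumed as root, the strict parse and the argv list (rather than a shell string) are what keep a crafted entry from reaching a command line.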


-----Original Message-----
From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On Behalf
Of Charles Mangin
Sent: Wednesday, April 28, 2010 10:48 AM
To: Triangle Linux Users Group General Discussion
Subject: Re: [TriLUG] fail2ban -> twitter

SSH, mainly. but i'm also using it to keep dictionary attack spam  
under control, more than X "no such user" lines in my exim logs, and  
that IP gets banned as well.




On Apr 28, 2010, at 10:43 AM, Clay Stuckey wrote:

> What port/service is being attacked?