hosts.deny not doing a $%^% thing, Any ideas?

mygregory

Active Member
May 28, 2004
Hello all,

Needed urgently to block access to 123.123.123.*

Added

ALL: 123.123.123.

in line with the others that portsentry adds to hosts.deny.

Would be truly grateful for ideas as to why access is still possible and occurring from that IP group.

mygregory :confused:
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
Access to what are you trying to block? hosts.deny only affects applications that use TCP Wrappers, otherwise you're going to have to put the block in your iptables firewall (if you're running on Linux).
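As an added illustration of the point above (example code, not something posted in the thread): the checker below applies the client-pattern rules of hosts_access(5) to a constructed hosts.deny, so you can confirm that an entry like `ALL: 123.123.123.` really does match every 123.123.123.x address. It only tells you what a daemon linked against libwrap would decide; a service that does not use TCP Wrappers never reads this file, whatever it contains.

```python
import ipaddress
import re

# Constructed sample hosts.deny: the thread's "ALL: 123.123.123." entry plus
# the other client-pattern forms hosts_access(5) accepts.
HOSTS_DENY = """\
# portsentry-style entry: a trailing dot means "every address under this prefix"
ALL: 123.123.123.
sshd: 10.0.0.0/255.255.255.0
sshd, in.ftpd: 192.168.5.7
"""

def _client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad address (hostname forms omitted)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):              # "123.123.123." matches 123.123.123.*
        return addr.startswith(pattern)
    if "/" in pattern:                     # "net/mask" form, e.g. 10.0.0.0/255.255.255.0
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == addr                 # anything else must equal the address exactly

def is_denied(daemon, addr, hosts_deny=HOSTS_DENY):
    """True if a libwrap-linked `daemon` would refuse `addr` under this hosts.deny.

    Real tcp_wrappers consults hosts.allow first; only the deny side is modelled here.
    """
    for raw in hosts_deny.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        daemon_list = re.split(r"[,\s]+", daemons.strip())
        if "ALL" not in daemon_list and daemon not in daemon_list:
            continue
        patterns = [p for p in re.split(r"[,\s]+", clients.strip()) if p]
        if any(_client_matches(p, addr) for p in patterns):
            return True
    return False
```

Note that `ALL: 123.123.123` without the trailing dot is an exact-address pattern and matches nothing in that range, a common reason a hand-written entry silently does nothing.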
 

mygregory

Active Member
May 28, 2004
Thanks Chirpy

I would like the easiest way to block access to everything, such as one would do when spotting some form of deliberate (not automatic or scripts, viruses etc.) attack, as you rightly point out some services that don't use tcp wrappers are not affected.

FTP and Apache web server for example are not affected.

1) Do you know what other typical services don't use TCP Wrappers?

The setup is a classic "out of the box" Fedora with cPanel and a few basic security tweaks, cut down to the essential needed services.

2) Would ipchains -I input -s 123.123.123.123. -j DENY -l
do the trick to stop access to everything?

Thanks again.

mygregory :)
 

nickn

Well-Known Member
PartnerNOC
Jun 15, 2003
Yes, the iptables command

iptables -I INPUT -s IP.ADDRESS -j DROP

That'd block everything from that IP.
 

mygregory

Active Member
May 28, 2004
Thanks a bundle

One final puzzling question:

IF portsentry is always logging the following:

Host 123.123.123.123 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 123.123.123.123 -j DENY -l"

HOW COME IF I DO A:

# iptables -L

I SEE ABSOLUTELY NO EVIDENCE OF ANY CHAIN RULE THAT CONTAINS AN OUTSIDE IP.

Anyone know why? That should do it

mygregory :)
 

mygregory

Active Member
May 28, 2004
Yes the portsentry-banned IPs are not there

Yes, I tested the above command, it works perfectly and blocks everything; then if I list the iptables rules I see it appear:

Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- ppp-123-123-123-123 anywhere
acctboth all -- anywhere anywhere

So what happens to the portsentry-issued bans, how come they're not in there? I never flushed the tables. Is it happening by cron on a default installation, or does portsentry periodically flush the tables? I ask this because I used to have the APF firewall installed and I'm wondering if it left some actions behind or if this is normal behaviour.

mygregory :)
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
TBH, I would put APF back in and enable its anti-dos functionality and then disable portsentry. If you don't have a firewall that has in/egress filtering, portsentry is a poor man's alternative, but I wouldn't trust it compared to APF plus AD, IMHO.
 

mygregory

Active Member
May 28, 2004
Thanks for the advice...

I was thinking of putting APF back in place, however I had a bad experience of it the first time round (a now superseded version, granted). I never found the time to post at the APF forum. What was happening, as was proven subsequently to be the case, was that it was blocking a very tiny percentage of port 80 requests and for no reason. Even though 80 is naturally open together with the cPanel list of ports niftily posted somewhere on this site. It was the guys at the NOC who first advised me to remove the firewall. I couldn't believe it possible that a firewall would do anything to a port that so obviously needed to be always available. Once removed, the roughly 15 out of 5000 monitoring servers' requests a month (from five different servers) that were mysteriously dropped were no longer dropped, and I was happy. How can I be certain it won't happen again? Right now I run a reported just about 100% availability.

mygregory :)
 

jols

Well-Known Member
Mar 13, 2004
chirpy said:
TBH, I would put APF back in and enable its anti-dos functionality and then disable portsentry. If you don't have a firewall that has in/egress filtering, portsentry is a poor man's alternative, but I wouldn't trust it compared to APF plus AD, IMHO.
Great, but exactly how do you enable this with APF? The closest thing I see in the conf.apf file is:

# Import our ad.rules ban list generated by antidos;
# this is essentialy a quick enable/disable feature for
# the insertion of such bans. [0 = Disabled / 1 = Enabled]
USE_AD="0"
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
The problem with quoting from year-old threads is that things do change ;) I'm no longer using the antidos feature of APF. I've found, after a great deal of experience with it, that it is far more trouble than it is worth.