The Community Forums


hosts.deny not doing a $%^% thing, Any ideas?

Discussion in 'General Discussion' started by mygregory, Oct 28, 2004.

  1. mygregory

    mygregory Active Member

    Hello all,

    Needed urgently to block access to 123.123.123.*

    Added

    ALL: 123.123.123.

    in line with the others that portsentry adds to hosts.deny.

    Would be truly grateful for ideas as to why access is still possible and occurring from that IP group.

    mygregory :confused:
     
  2. chirpy

    chirpy Well-Known Member

    Access to what are you trying to block? hosts.deny only affects applications that use TCP Wrappers, otherwise you're going to have to put the block in your iptables firewall (if you're running on Linux).
     
  3. mygregory

    mygregory Active Member

    Thanks Chirpy

    I would like the easiest way to block access to everything, such as one would do when spotting some form of deliberate (not automatic or scripts, viruses etc.) attack. As you rightly point out, some services that don't use TCP Wrappers are not affected.

    FTP and Apache web server for example are not affected.

    1) Do you know what other typical services don't use TCP Wrappers?

    The setup is a classic "out of the box" Fedora with cPanel and a few basic security tweaks, cut down to the essential needed services.

    2) Would ipchains -I input -s 123.123.123.123 -j DENY -l
    do the trick to stop access to everything?

    Thanks again.

    mygregory :)
     
    #3 mygregory, Oct 28, 2004
    Last edited: Oct 28, 2004
  4. nickn

    nickn Well-Known Member
    PartnerNOC

    Yes, the iptables command

    iptables -I INPUT -s IP.ADDRESS -j DROP

    That'd block everything from that IP.
     
  5. mygregory

    mygregory Active Member

    Thanks a bundle

    One final puzzling question:

    If portsentry is always logging the following:

    Host 123.123.123.123 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 123.123.123.123 -j DENY -l"

    HOW COME IF I DO A:

    # iptables -L

    I SEE ABSOLUTELY NO EVIDENCE OF ANY CHAIN RULE THAT CONTAINS AN OUTSIDE IP.

    Anyone know why? That should do it

    mygregory :)
     
  6. mygregory

    mygregory Active Member

    Yes, the portsentry-banned IPs are not there.

    Yes, I tested the above command; it works perfectly and blocks everything, and if I then list iptables I see it appear:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    DROP all -- ppp-123-123-123-123 anywhere
    acctboth all -- anywhere anywhere

    So what happens to the portsentry-issued bans? How come they're not in there? I never flushed the tables. Is it happening by cron on a default installation, or does portsentry periodically flush the tables? I ask this because I used to have the APF firewall installed and I'm wondering if it left some actions behind or if this is normal behaviour.

    mygregory :)
     
    #6 mygregory, Oct 28, 2004
    Last edited: Oct 28, 2004
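    The puzzle in the two posts above (portsentry logs an ipchains ban, yet iptables -L shows no rule for that address) can be checked mechanically. ipchains and iptables are separate kernel firewall interfaces that cannot be loaded at the same time, so a rule issued through ipchains never shows up in iptables -L. The script below is an added example, not something posted in the thread: it parses a portsentry log line and an `iptables -L INPUT -n` listing (both constructed sample data here; the 198.51.100.7 address is a documentation address) and reports whether the logged ban is actually enforced.

```shell
# Added example, not from the thread: verify that an address portsentry
# reports as banned really has a DROP rule in iptables, and name the tool
# the logged KILL_ROUTE command used when it does not.

# Constructed portsentry log line in the format quoted in the thread
# (198.51.100.7 is a documentation address, not a real host).
PS_LOG='Host 198.51.100.7 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 198.51.100.7 -j DENY -l"'

# Constructed `iptables -L INPUT -n` output; on a real host use
# LISTING=$(iptables -L INPUT -n) as root. -n matters: without it the source
# column shows a resolved name like ppp-123-123-123-123 and never matches.
LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  123.123.123.123      0.0.0.0/0
acctboth   all  --  0.0.0.0/0            0.0.0.0/0'

# Address named in a portsentry "Host X has been blocked" line.
banned_ip() {
    printf '%s\n' "$1" | sed -n 's/^Host \([0-9.]*\) has been blocked.*/\1/p'
}

# Basename of the program in the quoted KILL_ROUTE command (iptables, ipchains, ...).
kill_tool() {
    path=$(printf '%s\n' "$1" | sed -n 's/.*command: "\([^" ]*\).*/\1/p')
    printf '%s\n' "${path##*/}"
}

# Exit 0 if the listing holds a DROP rule whose source is exactly $2, else 1.
drop_rule_present() {
    printf '%s\n' "$1" | awk -v ip="$2" \
        '$1 == "DROP" && $4 == ip { found = 1 } END { exit !found }'
}

# Report whether the ban in log line $1 is enforced by the listing in $2.
check_ban() {
    ip=$(banned_ip "$1"); tool=$(kill_tool "$1")
    if drop_rule_present "$2" "$ip"; then
        echo "ok: DROP rule for $ip is present"; return 0
    fi
    echo "missing: no DROP rule for $ip (ban issued via $tool)"; return 1
}

check_ban "$PS_LOG" "$LISTING" || :   # exit status 1 here: the ban is not in effect
```

Feeding it the real listing turns the "missing ... via ipchains" line into the answer to look for: the KILL_ROUTE command portsentry is configured with has to be an iptables command on an iptables host, or its bans exist only in the log.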
  7. chirpy

    chirpy Well-Known Member

    TBH, I would put APF back in and enable its anti-dos functionality and then disable portsentry. If you don't have a firewall that has in/egress filtering, portsentry is a poor man's alternative, but I wouldn't trust it compared to APF plus AD, IMHO.
     
  8. mygregory

    mygregory Active Member

    Thanks for the advice...

    I was thinking of putting APF back in place; however, I had a bad experience with it the first time round (a now superseded version, granted). I never found the time to post at the APF forum. What was happening, as was subsequently proven to be the case, was that it was blocking a very tiny percentage of port 80 requests, and for no reason, even though 80 is naturally open together with the cPanel list of ports niftily posted somewhere on this site. It was the guys at the NOC who first advised me to remove the firewall. I couldn't believe it possible that a firewall would do anything to a port that so obviously needed to be always available. Once removed, the roughly 15 out of 5000 monitoring servers' requests a month (from five different servers) that were mysteriously dropped were no longer dropped, and I was happy. How can I be certain it won't happen again? Right now I run a reported just about 100% availability.

    mygregory :)
     
  9. jols

    jols Well-Known Member

    Great, but exactly how do you enable this with APF? The closest thing I see in the conf.apf file is:

    # Import our ad.rules ban list generated by antidos;
    # this is essentialy a quick enable/disable feature for
    # the insertion of such bans. [0 = Disabled / 1 = Enabled]
    USE_AD="0"
     
  10. chirpy

    chirpy Well-Known Member

    The problem with quoting from year-old threads is that things do change ;) I'm no longer using the antidos feature of APF. I've found, after a great deal of experience with it, that it is far more trouble than it is worth.
     