Really Stupid Question
NightShade03
Ok, so everyone can make fun of me afterwards, but I can't seem to find a correct answer to a question I'm researching.
Someone here posed a question: "You are on a Linux machine being attacked from IP a.b.c.d... how do you stop it without the use of a firewall?"
My line of thinking would have been using something like fail2ban, but this is just a script to modify firewall rules. I then thought maybe something like hosts.deny to block specific IP addresses, but I believe this would only work for SSH logins? Any insight would be appreciated.
Comments
Bl8ckr0uter
Add a null route, as in:
route add a.b.c.d gw 127.0.0.1 lo
+1. We had to do something like this when one of our customers experienced a DoS attack. We put a null route in to send all traffic from the problem network to the bit bucket.
NightShade03
Ok, well now I feel stupid for not being able to come up with that. Thanks guys.
MentholMoose
If a particular service is being attacked, another option is to use the blocking mechanism built into the service being attacked, if one is available. For example, with Samba you can use "hosts deny x.x.x.x". If the service being attacked is accessed through a super server (e.g. inetd, xinetd), you can use its blocking mechanism. With xinetd, you'd use "no_access x.x.x.x". You can set this globally for xinetd, so the host would be blocked for all of the managed services.
This may be better than a null route in some cases. For example, if you are blocking IPs with a null route, the packets being received would still be processed by whatever service receives them, so some attacks might still be successful. In any case, it's nice to have options (and know them).
UnixGeek
NightShade03 wrote: »Ok, well now I feel stupid for not being able to come up with that. Thanks guys.
No problem, it's one of those things that's only obvious after you hear about it. The main advantage of doing this is that it's often less resource intensive to null-route somebody than it is to block them on the firewall level. The concept is more portable too than knowing off the top of your head how to work with all the different types of firewalls out there.
NightShade03
UnixGeek wrote: »No problem, it's one of those things that's only obvious after you hear about it. The main advantage of doing this is that it's often less resource intensive to null-route somebody than it is to block them on the firewall level. The concept is more portable too than knowing off the top of your head how to work with all the different types of firewalls out there.
That's a good point too. You also don't just rely on the firewall then either, because they say most attacks are internal anyway.
darkerosxx
FYI, you *could* use hosts.deny like this:
ALL: a.b.c.d
You *could* also use hosts.allow like this:
ALL: ALL EXCEPT a.b.c.d
If you were doing a bigger network, you could do this to allow a host within that network:
ALL: ALL EXCEPT techexams.net EXCEPT goodguy.techexams.net
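As an added illustration (not code from the thread or from any TCP wrappers implementation), here is a small Python evaluator for hosts.allow/hosts.deny rules in the hosts_access(5) style, run over constructed sample files in which 203.0.113.7 stands in for a.b.c.d and `.example.org` is the domain (a leading dot is what makes a pattern match a whole domain). It shows the check order that matters when blocking an address: hosts.allow is consulted first, so a broad allow line such as `sshd: ALL EXCEPT ...` masks a later hosts.deny entry for the same address.

```python
"""Evaluate TCP-wrappers style hosts.allow / hosts.deny rules for one client.
Covers the hosts_access(5) subset used in the thread: ALL, exact host/IP
patterns, leading-dot domain and trailing-dot address-prefix patterns, and
EXCEPT (right-associative: 'a EXCEPT b EXCEPT c' means a EXCEPT (b EXCEPT c))."""
import re

def _match_pattern(pattern, host, addr):
    p = pattern.lower()
    if p == "all":
        return True
    if p.startswith("."):             # domain suffix, e.g. .example.org
        return host.lower().endswith(p)
    if p.endswith("."):               # address prefix, e.g. 203.0.113.
        return addr.startswith(p)
    return p in (host.lower(), addr)  # plain pattern: exact host name or address

def match_client_list(client_list, host, addr):
    toks = [t for t in re.split(r"[\s,]+", client_list.strip()) if t]
    for i, t in enumerate(toks):
        if t.upper() == "EXCEPT":     # split at the first EXCEPT; the rest recurses
            return (match_client_list(" ".join(toks[:i]), host, addr)
                    and not match_client_list(" ".join(toks[i + 1:]), host, addr))
    return any(_match_pattern(t, host, addr) for t in toks)

def _file_matches(text, daemon, host, addr):
    """True if any 'daemon_list : client_list' line matches (comments ignored)."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(":")   # optional 3rd field (shell cmd) ignored
        if len(fields) < 2:
            continue
        if match_client_list(fields[0], daemon, daemon) and match_client_list(fields[1], host, addr):
            return True
    return False

def hosts_access(allow_text, deny_text, daemon, host, addr):
    """hosts_access(5) order: allow match grants, then deny match refuses, else grant."""
    if _file_matches(allow_text, daemon, host, addr):
        return True
    return not _file_matches(deny_text, daemon, host, addr)

# Constructed sample files (hypothetical); 203.0.113.7 stands in for the thread's a.b.c.d.
HOSTS_ALLOW = "sshd: ALL EXCEPT .example.org EXCEPT goodguy.example.org\n"
HOSTS_DENY = "ALL: 203.0.113.7, .example.org   # block the attacker and its domain\n"

if __name__ == "__main__":
    for d, h, a in [("smbd", "203.0.113.7", "203.0.113.7"), ("sshd", "203.0.113.7", "203.0.113.7")]:
        print(d, h, "->", "allow" if hosts_access(HOSTS_ALLOW, HOSTS_DENY, d, h, a) else "deny")
```

Running it shows smbd from 203.0.113.7 refused by hosts.deny, while sshd from the same address is still granted because the allow line matched first; an address you want blocked outright belongs in hosts.deny with no hosts.allow line that matches it.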
NightShade03
darkerosxx wrote: »FYI, you *could* use hosts.deny like this:
ALL: a.b.c.d
You *could* also use hosts.allow like this:
ALL: ALL EXCEPT a.b.c.d
If you were doing a bigger network, you could do this to allow a host within that network:
ALL: ALL EXCEPT techexams.net EXCEPT goodguy.techexams.net
Thank you for pointing out the fact that I'm not as dumb as I sometimes sound