Really Stupid Question

NightShade03 Member Posts: 1,383
Ok so everyone can make fun of me afterwards but I can't seem to find a correct answer to a question I'm researching.

Someone here posed a question: "You are on a Linux machine being attacked from IP a.b.c.d... how do you stop it without the use of a firewall?"

My line of thinking would have been to use something like fail2ban, but this is just a script to modify firewall rules. I then thought maybe something like hosts.deny to block specific IP addresses, but I believe this would only work for SSH logins? Any insight would be appreciated.

Comments

  • UnixGeek Member Posts: 151
    Add a null route, as in:

    route add a.b.c.d gw 127.0.0.1 lo
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    UnixGeek wrote: »
    Add a null route, as in:

    route add a.b.c.d gw 127.0.0.1 lo

    +1. We had to do something like this when one of our customers experienced a DoS attack. We put a null route in to send all traffic from the problem network to the bit bucket.
  • NightShade03 Member Posts: 1,383
    Ok well now I feel stupid for not being able to come up with that. Thanks guys.
  • MentholMoose Senior Member Member Posts: 1,524
    If a particular service is being attacked, another option is to use the blocking mechanism built into the service being attacked, if one is available. For example, with Samba you can use "hosts deny x.x.x.x". If the service being attacked is accessed through a super server (e.g. inetd, xinetd), you can use its blocking mechanism. With xinetd, you'd use "no_access x.x.x.x". You can set this globally for xinetd, so the host would be blocked for all of the managed services.

    This may be better than a null route in some cases. For example, if you are blocking IPs with a null route, the packets being received would still be processed by whatever service receives them, so some attacks might still be successful. In any case, it's nice to have options (and know them).
    MentholMoose
    LFCE - MCITP: EDA7, VA, SA, EA - MCSA:S 2003 - CCA (PVS 5, XD 3 / 4 / 5, XS 5 / 6) - VCP 4 / 5
  • UnixGeek Member Posts: 151
    Ok well now I feel stupid for not being able to come up with that. Thanks guys.

    No problem, it's one of those things that's only obvious after you hear about it. :) The main advantage of doing this is that it's often less resource intensive to null-route somebody than it is to block them on the firewall level. The concept is more portable too than knowing off the top of your head how to work with all the different types of firewalls out there.
  • NightShade03 Member Posts: 1,383
    UnixGeek wrote: »
    No problem, it's one of those things that's only obvious after you hear about it. :) The main advantage of doing this is that it's often less resource intensive to null-route somebody than it is to block them on the firewall level. The concept is more portable too than knowing off the top of your head how to work with all the different types of firewalls out there.

    That's a good point too. You also don't just rely on the firewall then either because they say most attacks are internal anyway.
  • darkerosxx Banned Posts: 1,343
    FYI, you *could* use hosts.deny like this:

    ALL: a.b.c.d

    You *could* also use hosts.allow like this:

    ALL: ALL EXCEPT a.b.c.d

    If you were doing a bigger network, you could do this to allow a host within that network:

    ALL: ALL EXCEPT techexams.net EXCEPT goodguy.techexams.net
  • NightShade03 Member Posts: 1,383
    darkerosxx wrote: »
    FYI, you *could* use hosts.deny like this:

    ALL: a.b.c.d

    You *could* also use hosts.allow like this:

    ALL: ALL EXCEPT a.b.c.d

    If you were doing a bigger network, you could do this to allow a host within that network:

    ALL: ALL EXCEPT techexams.net EXCEPT goodguy.techexams.net

    Thank you for pointing out the fact that I'm not as dumb as I sometimes sound
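
The hosts.allow / hosts.deny rules discussed in the thread, run through a simplified model of the hosts_access(5) search order (an added example, not code from any poster and not tcpd itself). It shows two things the rules alone do not: an `EXCEPT` entry in hosts.allow blocks nobody unless hosts.deny also matches, and a domain pattern needs a leading dot. Assumptions: the addresses are documentation-range placeholders for a.b.c.d, `example.net` stands in for the thread's domain, and the client host name is passed in already resolved.

```python
# Added example: simplified model of hosts_access(5) matching (not tcpd itself).
# Addresses come from documentation ranges; host names are constructed.
ATTACKER, BYSTANDER = "203.0.113.7", "198.51.100.20"

def match_pattern(pat, addr, name):
    """One pattern: ALL, '.domain' suffix, 'n.n.n.' prefix, or exact string."""
    if pat == "ALL":
        return True
    if pat.startswith("."):               # domain suffix such as .example.net
        return name is not None and name.endswith(pat)
    if pat.endswith("."):                 # address prefix such as 203.0.113.
        return addr.startswith(pat)
    return pat in (addr, name)            # exact address or exact host name

def match_list(tokens, addr, name):
    """'a EXCEPT b EXCEPT c' is parsed as (a EXCEPT (b EXCEPT c))."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(tokens[:i], addr, name)
                and not match_list(tokens[i + 1:], addr, name))
    return any(match_pattern(p, addr, name) for p in tokens)

def allowed(hosts_allow, hosts_deny, addr, name=None, daemon="sshd"):
    """Allow match grants; else deny match refuses; else access is granted."""
    def hit(rules):
        for rule in rules:
            daemons, clients = (field.replace(",", " ").split()
                                for field in rule.split(":")[:2])
            if (match_list(daemons, daemon, daemon)
                    and match_list(clients, addr, name)):
                return True
        return False
    return hit(hosts_allow) or not hit(hosts_deny)

if __name__ == "__main__":
    allow = ["ALL: ALL EXCEPT " + ATTACKER]
    # hosts.allow alone does not block: the excepted client matches no rule
    # in either file, so the default (grant) applies.
    print(allowed(allow, [], ATTACKER))              # True
    print(allowed(allow, ["ALL: ALL"], ATTACKER))    # False
    # A domain needs the leading dot; a bare name matches one host only.
    deny = ["ALL: ALL"]
    bare = ["ALL: ALL EXCEPT example.net EXCEPT goodguy.example.net"]
    dotted = ["ALL: ALL EXCEPT .example.net EXCEPT goodguy.example.net"]
    print(allowed(bare, deny, BYSTANDER, "other.example.net"))    # True
    print(allowed(dotted, deny, BYSTANDER, "other.example.net"))  # False
```

Real tcpd also supports netmasks, wildcards such as LOCAL and KNOWN, and option fields, none of which this model covers.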