Banning IPs with DenyHosts and iptables

If you’re looking for a nice way to automatically ban an IP address without typing the iptables command yourself, here’s a script to get you started. It parses /etc/hosts.deny and blocks every address listed there using iptables.


#!/bin/bash
# Re-apply a DROP rule for every client address listed in /etc/hosts.deny.

ROOT_UID=0
E_NOTROOT=67

if [ "$UID" != "$ROOT_UID" ]; then
    echo "Must be root to run this script."
    exit $E_NOTROOT
fi

# Flush the existing rules first so an address is never blocked twice.
iptables -F

echo "The following ips are blocked: " 1> /var/log/block.log

# The second colon-separated field of each non-comment line is the client.
for x in $(grep -v '^#' /etc/hosts.deny | cut -d ':' -f 2); do
    /usr/share/.scripts/deny.sh "$x" >> /var/log/block.log
done

exit 0

For ease of use, that script calls another script called deny.sh.


#!/bin/bash
# deny.sh: insert a DROP rule for the single address given as $1.

ROOT_UID=0
E_NOTROOT=67

if [ "$UID" != "$ROOT_UID" ]; then
    echo "Must be root to run this script."
    exit $E_NOTROOT
fi

if [ -z "$1" ]; then
    echo "usage: $0 <ip address>"
    exit 1
fi

iptables -I INPUT -s "$1" -j DROP

if [ $? != 0 ]; then
    echo "block did not work on $1"
    exit 1
fi

echo "$1 was blocked."
exit 0

Notice that the first script flushes all current rules (iptables -F clears every rule in the filter table, not only the ones this script added) so that an address is not blocked many times over. Duplicate rules would cause problems if you ever tried to unblock someone.
Have fun and be safe!
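The parsing step above, as an added example that is not part of the original post: it keeps only IPv4 addresses from hosts.deny (the cut alone also yields " ALL" and hostnames, which iptables -s rejects) and prints idempotent commands that use iptables -C to check for an existing rule, so the chain never has to be flushed. The sample hosts.deny is constructed; nothing here touches iptables itself.

```shell
# Added example, not the post's script: collect the client addresses from a
# hosts.deny file and print (not run) one idempotent iptables command per
# address. The post's cut -d: -f2 also yields " ALL" and hostnames, which
# iptables -s rejects, so only dotted-quad IPv4 addresses are kept, and
# iptables -C tests for an existing rule instead of flushing the chain.

# Constructed sample hosts.deny with a comment, a duplicate, a hostname
# and the ALL keyword.
SAMPLE_DENY=$(mktemp)
cat > "$SAMPLE_DENY" <<'EOF'
# /etc/hosts.deny (constructed sample)
ALL: 203.0.113.7
sshd: 198.51.100.22, badhost.example
sshd: ALL
sshd: 203.0.113.7
EOF

# extract_deny_ips FILE -> unique IPv4 client addresses, one per line
extract_deny_ips() {
    grep -v '^[[:space:]]*#' "$1" \
      | cut -d ':' -f 2 \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
      | sort -u
}

# block_cmds FILE -> the commands a root shell would run; each inserts a
# DROP rule only when -C reports that it is not already present.
block_cmds() {
    extract_deny_ips "$1" | while read -r ip; do
        printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$ip" "$ip"
    done
}
```

Review the printed commands and then feed them to a root shell to apply them; re-running produces no duplicate rules.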

Startup Scripts in Debian

If you would like to add a custom startup script to your Linux machine (for running ircd or an iptables script for example) the process is simple.

Create a file in /etc/init.d and make it executable:

touch /etc/init.d/program

chmod +x /etc/init.d/program

Edit it and create something like this:

#!/bin/bash
# Runs as root at boot; sudo -u starts the daemon as the unprivileged irc user.

case "$1" in
    start)
        sudo -u irc /home/ircd/unreal start
        ;;
    stop)
        sudo -u irc /home/ircd/unreal stop
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac

These scripts are run as root, so you should probably use sudo to run programs as unprivileged users.

Now we just have to add it to our default runlevel (the default runlevel can be found in /etc/inittab on Debian; in Ubuntu this file does not exist, as far as I know). The runlevel should be the same across all Debian (including Ubuntu) systems.

ln -s /etc/init.d/program /etc/rc2.d/S20program

The S20 requires a little explanation. S means Start, and 20 is the priority: the script runs after the S19 scripts and before S21 and higher. You can replace S with K to ‘stop’ instead of ‘start’ when the computer shuts down.

Secure Portable Workstation with Debian Etch

Pictures coming soon!

I came across a “dying” Dell Latitude C680. It was old, but after looking at the specs I decided to keep it.

2.4/1.2GHz (SpeedStep)

1GB RAM

60GB HDD (mine was dead)

Two battery/expansion bays (one battery, one floppy)

One CD-ROM drive (thought it was dead, turned out to be the bay itself was bad)

GeForce 440 64MB video

The CD-ROM drive failed on me, but I was able to replace the floppy drive with another CD-ROM drive.

I modified the hard drive bay caddy (mostly with electrical tape and the plastic case of a CF card) to house a 4GB CompactFlash card connected to a CF-to-IDE laptop converter. With a little bit of fuss, I was able to get it to slide into the bay without catching on anything.

Using a Debian Etch CD, I did a full-disk-encryption LVM base install. It wasn’t too slow, but there were parts where the CF card was obviously choking a bit.

After booting into the system, I tested the CF card with hdparm -tT /dev/hda and was pleasantly surprised.

Timing cached reads: 716 MB in 2.00 seconds = 357.50 MB/sec
Timing buffered disk reads: 114 MB in 3.02 seconds = 37.71 MB/sec

So cached reads are about 1/2 as slow as I’d expect from a regular IDE drive, but the buffered disk reads are about as high.
I’m running Fluxbox, with Iceweasel and a few other operations and am noticing no problems with performance. Sometimes when dealing with multiple files at the same time things get slow.

Like any solid-state drive, this will make your laptop much more rugged (no moving parts except for the fans and the CD-ROM drive).

While it has limited space, I could have easily purchased an 8/16/32GB CF card with similar speeds… if I had the money.

The CF card was around $25, and the adapter was $5.

For the next stage, I plan on using the now dead CD-ROM bay on the side to house USB devices with a powered USB hub.

This laptop will mainly be used for school (if it gets stolen, not a big deal) and war driving.

tcpwrappers

TCP wrappers are one of Linux’s most useful built-in features.

Instead of a complex set of firewall rules, tcpwrappers provides an easy way to restrict access to certain daemons by IP address, host name, or address range. While I wouldn’t recommend relying solely on them, they are a great tool for workstations and other machines behind a firewall.

hosts.deny is checked first; then hosts.allow. By default, if a program is not listed in either it is granted access to everyone.

/etc/hosts.deny

sshd: ALL
ftpd: ALL
mountd: ALL

/etc/hosts.allow

sshd: 192.168.0.0/24
ftpd: 192.168.1.0/255.255.255.0
mountd: 192.168.5.2,server2,192.168.3.2,192.168.6.0/24

As you can see, you have several different ways to give (or prevent) access.

Generally any program you see running as rpc.program will be supported by tcpwrappers (use program, not rpc.program, in hosts.*). Anything started from inetd.conf will also be supported.

Stand-alone services (SSH and FTP aside) will generally not honour these files; for them you rely on the program itself denying access, or on iptables.

Even if you use iptables, having some service: ALL lines in /etc/hosts.deny can be useful if you ever have problems with iptables.
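As an added example (not from the post), this POSIX shell code evaluates the post’s sample hosts.allow and hosts.deny entries for a (daemon, client IP) pair in the order hosts_access(5) documents: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. It handles ALL, single addresses, net/NN and net/mask patterns; the hostname entry, EXCEPT and the shell-command field are left out, and the two files are constructed copies of the post’s examples.

```shell
# Added example, not from the post: evaluate the post's hosts.allow/hosts.deny
# samples for a (daemon, client IP) pair in the order hosts_access(5) documents:
# a hosts.allow match grants, else a hosts.deny match refuses, else access is
# granted. Handles ALL, one IPv4 address, net/NN and net/mask; not hostnames or EXCEPT.
# Constructed copies of the post's files (the hostname entry omitted):
ALLOW=$(mktemp); DENY=$(mktemp)
printf 'sshd: 192.168.0.0/24\nftpd: 192.168.1.0/255.255.255.0\n' > "$ALLOW"
printf 'mountd: 192.168.5.2,192.168.3.2,192.168.6.0/24\n' >> "$ALLOW"
printf 'sshd: ALL\nftpd: ALL\nmountd: ALL\n' > "$DENY"

ip2int() {   # a.b.c.d -> 32-bit integer
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

mask_int() {   # NN or a.b.c.d -> netmask as 32-bit integer
    case $1 in
        *.*) ip2int "$1" ;;
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

pat_match() {   # PATTERN IP -> succeeds when the client pattern covers IP
    case $1 in
        ALL) return 0 ;;
        */*) m=$(mask_int "${1#*/}")
             [ $(( $(ip2int "${1%/*}") & m )) -eq $(( $(ip2int "$2") & m )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

file_match() {   # FILE DAEMON IP -> succeeds when a non-comment line lists both
    grep -v '^[[:space:]]*#' "$1" | (
        while IFS=: read -r daemons clients; do
            for d in $(echo "$daemons" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
                for c in $(echo "$clients" | tr ',' ' '); do
                    pat_match "$c" "$3" && exit 0   # exits the subshell only
                done
            done
        done
        exit 1   # nothing in this file matched
    )
}

hosts_access() {   # DAEMON IP -> prints allow or deny
    if   file_match "$ALLOW" "$1" "$2"; then echo allow
    elif file_match "$DENY"  "$1" "$2"; then echo deny
    else echo allow; fi
}
```

Note the last branch: a daemon listed in neither file, such as telnetd here, is allowed from anywhere, which is why the post puts service: ALL lines in hosts.deny.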

Postfix Security

A major problem with the default Postfix install is that any user can send email as any user (even one at a domain that isn’t yours!).

The solution is very simple.

Edit /etc/postfix/main.cf and add:

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/domains,
    reject_unauth_destination, reject_sender_login_mismatch

Make sure you don’t add ‘permit_mynetworks’ here, or local users (or webmail users) will be able to forge their email.

In /etc/postfix/domains, add

your.domain OK

other.domain OK

and run

postmap /etc/postfix/domains

postfix reload
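As an added example (not from the post), this reads a main.cf with awk, joins the continuation lines of one parameter the way Postfix does (lines starting with whitespace belong to the previous parameter), and checks smtpd_sender_restrictions for the permit_mynetworks mistake mentioned above. The main.cf fragment is constructed; the /etc/postfix/domains path is the post’s.

```shell
# Added example, not from the post: read a Postfix main.cf with awk, join the
# continuation lines of one parameter, and flag the mistake the post warns
# about, permit_mynetworks inside smtpd_sender_restrictions. The file is a
# constructed fragment that mirrors the post's settings with that mistake added.
MAIN_CF=$(mktemp)
cat > "$MAIN_CF" <<'EOF'
# constructed main.cf fragment
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_sender_restrictions = permit_mynetworks,
    check_sender_access hash:/etc/postfix/domains,
    reject_unauth_destination, reject_sender_login_mismatch
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit
EOF
# Constructed hardened copy: the same file with permit_mynetworks removed
# from smtpd_sender_restrictions only.
FIXED_CF=$(mktemp)
sed '/^smtpd_sender_restrictions/s/permit_mynetworks, *//' "$MAIN_CF" > "$FIXED_CF"

# postconf_value FILE PARAM -> the value with Postfix continuation lines
# (lines starting with whitespace) joined and separators normalised to one space
postconf_value() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }                              # comment line
        found && /^[ \t]/ { printf " %s", $0; next }     # continuation line
        found { exit }                                   # next parameter: stop
        $0 ~ ("^" p "[ \t]*=") { found = 1; sub(/^[^=]*=[ \t]*/, ""); printf "%s", $0 }
        END { if (found) print "" }
    ' "$1" | tr -s ' ,' '  ' | sed 's/^ *//; s/ *$//'
}

# sender_restrictions_ok FILE -> succeeds only if smtpd_sender_restrictions
# contains reject_sender_login_mismatch and no permit_mynetworks that would
# let local or webmail users bypass it
sender_restrictions_ok() {
    v=" $(postconf_value "$1" smtpd_sender_restrictions) "
    case $v in *" permit_mynetworks "*) return 1 ;; esac
    case $v in *" reject_sender_login_mismatch "*) return 0 ;; esac
    return 1
}
```

On a live system, postconf -n smtpd_sender_restrictions shows the same joined value straight from Postfix.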

You might also want to try to help stop spam (along with spamassassin) with blacklists and stopping bad senders.

In /etc/postfix/main.cf

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_invalid_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, permit

I have mixed feelings about blacklists; my website has shown up on them from time to time after all. Still, if you’re willing to get a few false positives then this should help stop quite a bit of spam.