Hello,
I have some strange behaviour with shorewall 4.4.8.1-1 on a Debian squeeze.
From time to time I have a brute force hacker trying to get access to
the pop3 accounts with generic names and passwords. I wanted to add them
to a static blacklist, so I added the blacklist option to the interfaces
file and added the ip to the blacklist file. But nevertheless the hacker
can continue the brute force.
The "iptables -L -n" command shows the new entry:
# iptables -L -n | grep 60.251.16.91
DROP all -- 60.251.16.91
The interfaces file contains:
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,logmartians,nosmurfs,blacklist
The blacklist file contains:
#ADDRESS/SUBNET PROTOCOL PORT
60.251.16.91 - -
The rules file contains:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
ACCEPT net $FW tcp pop3
Extract from the shorewall.conf:
BLACKLIST_DISPOSITION=DROP
The blacklist documentation describes that the packets should be
dropped at the interface from the IPs mentioned in the blacklist. If I
add the IP to the rules file with the action "DROP", then I don't get
any attacks.
Could anybody give me a hint, why the blacklist entry is ignored? Thanks
a lot
Alexander Maringer