[XCSSA] Logging & dynamic firewall program(s)
xcssa@xcssa.org
Tue, 23 Oct 2007 13:31:16 -0500
On Mon, 2007-10-22 at 22:26 -0500, xcssa-admin@xcssa.org wrote:
> Thanks Jeremy,
>
> I hadn't read into DenyHosts enough to see that. And it was sounding
> pretty good, then...
>
> I was reading up on xinetd's set up. I found there is actually some
> nice stuff built into the new xinetd that will allow some controls right
> in xinetd.
>
> Everything was looking up when I noticed that pop3 was missing in the
> xinetd.d folder. A little more investigation and I found that this set
> up runs Dovecot as a standalone server - not via xinetd. I've spent the
> last two hours going thru the Dovecot config file and don't immediately
> see a way to use TCP Wrappers with it. More investigation needed - but
> that might again rule out using DenyHosts.
You can see if dovecot is compiled to use tcpwrappers using ldd. If you
see it linking against libwrap then it is just a matter of sorting out
what the program's name needs to be for the config file.
Nate
>
> I'm still working on it. And in the reading up today - I found there is
> a way to fix the overlay authentication that keeps breaking. But it
> means converting the authentication from a database to a flat file.
> While it fixes the database corruption that keeps occurring, it seems a
> step backwards and is kinda big change. So, I'm going to hold that for
> a last-resort option.
>
> Thanks again Jeremy.
>
> Chuck
>
> On Mon, 2007-10-22 at 13:20, xcssa-admin@xcssa.org wrote:
> On 22 Oct 2007 13:13:48 -0500, xcssa-admin@xcssa.org
> <xcssa-admin@xcssa.org> wrote:
>
> > Most of the hacks I'm dealing with these days are FTP and POP3. The same
> > authentication module controls them as SSH and it breaks with a sustained
> > hack attempt. So, I'd like to put some dynamic firewall package in place
> > while waiting on the fix to the authentication module.
>
> DenyHosts works for anything that uses tcp_wrappers including POP3 and
> FTP. It's just commonly used for SSH. Change:
>
> BLOCK_SERVICE = sshd
>
> to
>
> BLOCK_SERVICE = ALL
>
> Another function I see is the ability to write the offending host to a
> file and do nothing. You could then parse this file and add it to an
> existing iptables table.
>
> --
> Jeremy Mann
> jeremy@biochem.uthscsa.edu
>
> University of Texas Health Science Center
> Bioinformatics Core Facility
> http://www.bioinformatics.uthscsa.edu
> Phone: (210) 567-2672
> _______________________________________________
> XCSSA mailing list
> XCSSA@xcssa.org
> http://xcssa.org/mailman/listinfo/xcssa
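The approach suggested in the thread, parsing the file of offending hosts and feeding it to an existing iptables table, could be sketched as below. This is an added example, not code from anyone in the thread or from DenyHosts; the `service: address` file layout, the `DENYHOSTS` chain name and the `never_block` parameter are assumptions.

```python
import ipaddress

CHAIN = "DENYHOSTS"  # hypothetical chain, created beforehand with: iptables -N DENYHOSTS

# Constructed sample; the "service: address" layout is an assumption.
SAMPLE = """\
# constructed entries
ALL: 192.0.2.15
sshd: 198.51.100.7
ALL: 192.0.2.15
ALL: bogus.example.com
ALL: 0.0.0.0/0
ALL: 203.0.113.0/24
"""

def parse_denied(text, never_block=()):
    """Return unique IPv4 networks from the file, in order, as strings."""
    keep = [ipaddress.ip_network(n) for n in never_block]
    seen, out = set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        if ":" not in line:
            continue
        target = line.partition(":")[2]       # text after "service:"
        for token in target.replace(",", " ").split():
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # hostnames and junk never reach iptables
            if net.version != 4 or net.prefixlen == 0:
                continue  # IPv4 only; refuse a rule that matches everyone
            if any(net.overlaps(k) for k in keep) or net in seen:
                continue  # protected range (e.g. the admin's own) or duplicate
            seen.add(net)
            out.append(str(net))
    return out

def build_rules(text, never_block=()):
    """Build one iptables argv list per blocked network (nothing is executed)."""
    return [["iptables", "-A", CHAIN, "-s", net, "-j", "DROP"]
            for net in parse_denied(text, never_block)]

if __name__ == "__main__":
    for argv in build_rules(SAMPLE, never_block=["198.51.100.0/24"]):
        print(" ".join(argv))
```

The rules are returned as argument lists so they can be reviewed first and then run without a shell, which keeps file contents from ever being interpreted as commands.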