Sign in with
Sign up | Sign in
Your question

Linux/untangle newb question: country blocking, hosts.deny vs iptables

Tags:
  • Routers
  • Firewalls
  • Linux
  • Networking
Last response: in Networking
Share
Anonymous
August 21, 2009 2:01:25 PM

I'd like to use lists of networks to block all countries outside of mine on my firewall box. We don't need access to other places at work and it would look good in a security audit. I found a site that publishes lists to add. So I have a few newb linux questions..

1. Where is the best place to add this, a hosts.deny file? Does it work like a windows hosts file in linux where no traffic is allowed? I read something about it only applies to tcpwrappers and I don't know if our apache build, mysql, webmin uses tcpwrappers. Our webserver is fedora/apache/mysql and rails

2. how would you add that to iptables, and would it slow the machine down a lot? Its a dual athlon 64 4400. Usually have 2-4 concurrent users.

3. On my firewall box which is untangle, can you edit the hosts.allow and hosts.deny files without screwing up Untangle?

and the bonus question - anyone use ossec or something similar? Any suggestions on a favorite? I like the central console idea of ossec.

More about : linux untangle newb question country blocking hosts deny iptables

September 20, 2009 6:59:39 AM

It turns out you can easily block whole countries and domains in hosts.deny. So I'm now blocking all countries except the US, plus some other specific domains. Combined with denyhosts (Python script that looks for bad SSH login requests in /var/log/messages and shares attackers in a global database), it has cut my incoming SSH attacks from dozens per day to essentially zero.

I can't switch ports because at work they only let me out on port 22.

I have a very simple hosts.allow file, just 2 entries. This ensures that I can always get in via my employer's VPN, which gives me the same outside IP all the time.

#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_access' and 'man 5 hosts_options'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers.
#

ALL: 192.168.1.0/24 # Local network
ALL: a.b.c.d # My employer's VPN


#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!

ALL: UNKNOWN

ALL: chinamobile.com

ALL: .edu #Educational institutions (e.g. colleges)

ALL: .ac
ALL: .ad
ALL: .ae
ALL: .af
ALL: .ag
ALL: .ai
ALL: .al
ALL: .am
ALL: .an
ALL: .ao
ALL: .aq
ALL: .ar
ALL: .as
ALL: .at
ALL: .au
ALL: .aw
ALL: .az
ALL: .ax
ALL: .ba
ALL: .bb
ALL: .bd
ALL: .be
ALL: .bf
ALL: .bg
ALL: .bh
ALL: .bi
ALL: .bj
ALL: .bm
ALL: .bn
ALL: .bo
ALL: .br
ALL: .bs
ALL: .bt
ALL: .bv
ALL: .bw
ALL: .by
ALL: .bz
ALL: .ca
ALL: .cc
ALL: .cd
ALL: .cf
ALL: .cg
ALL: .ch
ALL: .ci
ALL: .ck
ALL: .cl
ALL: .cm
ALL: .cn
ALL: .co
ALL: .cr
ALL: .cs
ALL: .cu
ALL: .cv
ALL: .cx
ALL: .cy
ALL: .cz
ALL: .de
ALL: .dj
ALL: .dk
ALL: .dm
ALL: .do
ALL: .dz
ALL: .ec
ALL: .ee
ALL: .eg
ALL: .eh
ALL: .er
ALL: .es
ALL: .et
ALL: .eu
ALL: .fi
ALL: .fj
ALL: .fk
ALL: .fm
ALL: .fo
ALL: .fr
ALL: .ga
ALL: .gb
ALL: .gd
ALL: .ge
ALL: .gf
ALL: .gg
ALL: .gh
ALL: .gi
ALL: .gl
ALL: .gm
ALL: .gn
ALL: .gp
ALL: .gq
ALL: .gr
ALL: .gs
ALL: .gt
ALL: .gu
ALL: .gw
ALL: .gy
ALL: .hk
ALL: .hm
ALL: .hn
ALL: .hr
ALL: .ht
ALL: .hu
ALL: .id
ALL: .ie
ALL: .il
ALL: .im
ALL: .in
ALL: .io
ALL: .iq
ALL: .ir
ALL: .is
ALL: .it
ALL: .je
ALL: .jm
ALL: .jo
ALL: .jp
ALL: .ke
ALL: .kg
ALL: .kh
ALL: .ki
ALL: .km
ALL: .kn
ALL: .kp
ALL: .kr
ALL: .kw
ALL: .ky
ALL: .kz
ALL: .la
ALL: .lb
ALL: .lc
ALL: .li
ALL: .lk
ALL: .lr
ALL: .ls
ALL: .lt
ALL: .lu
ALL: .lv
ALL: .ly
ALL: .ma
ALL: .mc
ALL: .md
ALL: .mg
ALL: .mh
ALL: .mk
ALL: .ml
ALL: .mm
ALL: .mn
ALL: .mo
ALL: .mp
ALL: .mq
ALL: .mr
ALL: .ms
ALL: .mt
ALL: .mu
ALL: .mv
ALL: .mw
ALL: .mx
ALL: .my
ALL: .mz
ALL: .na
ALL: .nc
ALL: .ne
ALL: .nf
ALL: .ng
ALL: .ni
ALL: .nl
ALL: .no
ALL: .np
ALL: .nr
ALL: .nu
ALL: .nz
ALL: .om
ALL: .pa
ALL: .pe
ALL: .pf
ALL: .pg
ALL: .ph
ALL: .pk
ALL: .pl
ALL: .pm
ALL: .pn
ALL: .pr
ALL: .ps
ALL: .pt
ALL: .pw
ALL: .py
ALL: .qa
ALL: .re
ALL: .ro
ALL: .ru
ALL: .rw
ALL: .sa
ALL: .sb
ALL: .sc
ALL: .sd
ALL: .se
ALL: .sg
ALL: .sh
ALL: .si
ALL: .sj
ALL: .sk
ALL: .sl
ALL: .sm
ALL: .sn
ALL: .so
ALL: .sr
ALL: .st
ALL: .sv
ALL: .sy
ALL: .sz
ALL: .tc
ALL: .td
ALL: .tf
ALL: .tg
ALL: .th
ALL: .tj
ALL: .tk
ALL: .tl
ALL: .tm
ALL: .tn
ALL: .to
ALL: .tp
ALL: .tr
ALL: .tt
ALL: .tv
ALL: .tw
ALL: .tz
ALL: .ua
ALL: .ug
ALL: .uk
ALL: .um
#ALL: .us
ALL: .uy
ALL: .uz
ALL: .va
ALL: .vc
ALL: .ve
ALL: .vg
ALL: .vi
ALL: .vn
ALL: .vu
ALL: .wf
ALL: .ws
ALL: .ye
ALL: .yt
ALL: .yu
ALL: .za
ALL: .zm
ALL: .zw

Anonymous
April 8, 2010 3:56:53 PM

Wouldn't it be easier to block all in hosts.deny:

ALL: PARANOID

and let just those what you want in hosts.allow:

ALL: 192.168.1.0/24 # Local network
ALL: a.b.c.d # My employer's VPN

Because first it reads hosts.allow and if address is found from there, it does not even go to hosts.deny.
April 8, 2010 8:07:08 PM

I've never used untangle... but last I checked hosts.allow / hosts.deny only applied to programs that used tcp_wrappers for connections TO the linux host (untangle). With iptables you'll need to filter packets as they come through the FORWARD chain. The only way this may work is if some of the untangle blades / features actually use tcp_wrappers and the connection is made TO the firewall and then proxied on....

Just saying, keep it in mind and test to verify it actually blocks like you want.
!