Month: June 2012

IPTables on the fly

Have you seen the Harrison Ford movie Firewall? There is a scene where one of the bank's IT guys is looking at traffic showing that a hacker is performing a brute-force login. Good ol' Hollywood tricked non-computer-savvy Foxfire users by simply showing an active Wireshark session. Harrison Ford then shows up and issues a few commands to stall the hacker. Do you know what the command was? He typed ip access-group 0… Whoa! Here it is.

Anyway, I was troubleshooting an email issue and stumbled upon the following pattern heavily populating /var/log/mail.log:

Apr 6 16:06:06 mail pop3d: Disconnected, ip=[::ffff:187.17.80.67]
Apr 6 16:06:06 mail pop3d: Disconnected, ip=[::ffff:187.17.80.67]
Apr 6 16:06:06 mail pop3d: Connection, ip=[::ffff:187.17.80.67]
Apr 6 16:06:06 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:187.17.80.67]
Apr 6 16:06:06 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:187.17.80.67]
Apr 6 16:06:06 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:187.17.80.67]
Apr 6 16:06:06 mail pop3d: Connection, ip=[::ffff:187.17.80.67]
Apr 6 16:06:06 mail pop3d: Disconnected, ip=[::ffff:187.17.80.67]
Apr 6 16:06:06 mail pop3d: Connection, ip=[::ffff:187.17.80.67]

I used the following command to view the log in real time:
tail -f /var/log/mail.log

To stall it, one of our network ninjas appended the following to our firewall script:
iptables -t filter -I INPUT 1 -s 187.17.80.67 -j DROP

Keep in mind that a rule inserted at runtime like the one above is not persistent across a reboot. You'll have to include it in your main firewall script that runs automagically on boot.
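The pattern above (tail the log, spot the repeating LOGIN FAILED lines, then hand-write a DROP rule) can be turned into a small script. The following is an added example, not from the original post: it counts pop3d login failures per source IP and prints the same kind of iptables rule for every IP over a threshold. The log excerpt is constructed (the second IP is a documentation address); on a real box you would feed it /var/log/mail.log and review the printed rules before running them as root.

```shell
#!/bin/sh
# Added example: mini brute-force detector for courier-style pop3d log lines.
# Not part of the original post; the sample log below is constructed.

SAMPLE_LOG="Apr 6 16:06:06 mail pop3d: Connection, ip=[::ffff:187.17.80.67]
Apr 6 16:06:06 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:187.17.80.67]
Apr 6 16:06:06 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:187.17.80.67]
Apr 6 16:06:06 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:187.17.80.67]
Apr 6 16:06:07 mail pop3d: Disconnected, ip=[::ffff:187.17.80.67]
Apr 6 16:06:09 mail pop3d: LOGIN FAILED, user=bob, ip=[::ffff:192.0.2.10]
Apr 6 16:06:10 mail pop3d: LOGIN, user=bob, ip=[::ffff:192.0.2.10]"

# failed_logins_by_ip: read log text on stdin, print "<count> <ip>" for each
# source IP with at least one LOGIN FAILED line, most failures first.
# The ::ffff: prefix of IPv4-mapped addresses is stripped so the IP can be
# used directly in an iptables -s match.
failed_logins_by_ip() {
    grep 'pop3d: LOGIN FAILED' \
      | sed -n 's/.*ip=\[\([^]]*\)\].*/\1/p' \
      | sed 's/^::ffff://' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# drop_rules: read log text on stdin, emit one iptables DROP rule per IP with
# at least $1 failures (default 3). The rule is inserted at position 1 of
# INPUT, exactly as in the post, so it is evaluated before any ACCEPT rule.
drop_rules() {
    threshold=${1:-3}
    failed_logins_by_ip | awk -v t="$threshold" \
        '$1 >= t { printf "iptables -t filter -I INPUT 1 -s %s -j DROP\n", $2 }'
}

# Stand-alone demo on the constructed log (prints counts, then the rules).
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip
    printf '%s\n' "$SAMPLE_LOG" | drop_rules 3
fi
```

Against the real log, `drop_rules 5 < /var/log/mail.log` prints the candidate rules; pipe them to `sh` only after checking that none of the listed addresses is your own monitoring host or a customer behind a shared NAT.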

So who owns 187.17.80.67? You can run whois 187.17.80.67 and dig -x 187.17.80.67 (the -x does the reverse lookup of the address).

It seems that the IP address we blocked is possibly another company's server that may itself have been compromised.

To learn more about iptables, check these out:
Mastering IPTables Part 1
Mastering IPTables Part 2
Mastering IPTables Final

Filed under: Linux