{"id":120,"date":"2012-06-20T22:36:37","date_gmt":"2012-06-20T22:36:37","guid":{"rendered":"http:\/\/eltonoverip.com\/blog\/?p=120"},"modified":"2015-01-14T18:55:38","modified_gmt":"2015-01-14T18:55:38","slug":"iptables-on-the-fly","status":"publish","type":"post","link":"https:\/\/eltonoverip.com\/blog\/2012\/06\/iptables-on-the-fly\/","title":{"rendered":"IPTables on the fly"},"content":{"rendered":"<p>Have you seen the Harrison Ford movie, Firewall? There is a scene where one of the bank&#8217;s IT dudes is looking at traffic showing that a hacker is performing a brute-force login. Good ol&#8217; Hollywood tricked non-computer-savvy Foxfire users by simply showing an active Wireshark session. Harrison Ford then shows up and issues a few commands to stall the hacker. Do you know what the command was? He typed <em>ip access-group 0<\/em>&#8230; Whoa! Here it is.<\/p>\n<p><iframe loading=\"lazy\" title=\"firewall.wmv\" width=\"500\" height=\"375\" src=\"https:\/\/www.youtube.com\/embed\/D92hau35NyY?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p>Anyway, I was troubleshooting an email issue and stumbled upon the following pattern heavily populating <code>\/var\/log\/mail.log<\/code>:<\/p>\n<pre>\r\n<code>Apr 6 16:06:06 mail pop3d: Disconnected, ip=[::ffff:187.17.80.67]\r\nApr 6 16:06:06 mail pop3d: Disconnected, ip=[::ffff:187.17.80.67]\r\nApr 6 16:06:06 mail pop3d: Connection, ip=[::ffff:187.17.80.67]\r\nApr 6 16:06:06 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:187.17.80.67]\r\nApr 6 16:06:06 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:187.17.80.67]\r\nApr 6 16:06:06 mail pop3d: LOGIN FAILED, user=root, ip=[::ffff:187.17.80.67]\r\nApr 6 16:06:06 mail pop3d: Connection, ip=[::ffff:187.17.80.67]\r\nApr 6 16:06:06 mail pop3d: Disconnected, ip=[::ffff:187.17.80.67]\r\nApr 6 16:06:06 mail pop3d: Connection, ip=[::ffff:187.17.80.67]<\/code>\r\n<\/pre>\n<p>I used the following command to view the log in real time:<br \/>\n<code>tail -f \/var\/log\/mail.log<\/code><\/p>\n<p>To stall it, one of our network ninjas appended the following to our firewall script:<br \/>\n<code>iptables -t filter -I INPUT 1 -s 187.17.80.67 -j DROP<\/code><\/p>\n<p>Keep in mind that the statement above does not persist across a reboot. You&#8217;ll have to include it in your main firewall script that runs automagically on boot.<\/p>\n<p>So who owns 187.17.80.67? You can do a <code>whois 187.17.80.67<\/code> and a reverse lookup with <code>dig -x 187.17.80.67<\/code>.<\/p>\n<p>It seems the IP address we blocked is possibly another company&#8217;s server that has been compromised.<\/p>\n<p>To learn more about iptables, check these out.<br \/>\n<a href=\"http:\/\/www.linuxjournal.com\/video\/mastering-iptables-part-i\">Mastering IPTables Part 1<\/a><br \/>\n<a href=\"http:\/\/www.linuxjournal.com\/video\/mastering-iptables-part-2\">Mastering IPTables Part 2<\/a><br \/>\n<a href=\"http:\/\/www.linuxjournal.com\/video\/mastering-iptables-final-installment\">Mastering IPTables Final<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Have you seen the Harrison Ford movie, Firewall? There is a scene where one of the bank&#8217;s IT dudes is looking at traffic showing that a hacker is performing a brute-force login. Good ol&#8217; Hollywood tricked non-computer-savvy Foxfire users by simply showing an active Wireshark session. Harrison Ford then shows up and issues a few [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-120","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/posts\/120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/comments?post=120"}],"version-history":[{"count":10,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":451,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/posts\/120\/revisions\/451"}],"wp:attachment":[{"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/media?parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/categories?post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/eltonoverip.com\/blog\/wp-json\/wp\/v2\/tags?post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}