Dropping connections immediately

I've got a Perl script that watches my auth log and adds an iptables entry for
anyone trying more than 20 bad passwords.

Problem is, this doesn't drop existing connections. So if they're trying
100,020 bad passwords I let 100,000 through.

Can anyone suggest a way to drop an existing connection? The obvious:

route add <ip address> reject

is marked as a Bad Thing in the man page:

"This is for example used to mask out networks before using the default
route. This is NOT for firewalling."

Thanks much...

--
tim boyer
(E-Mail Removed)

On Thu, 18 Jan 2007 23:02:14 -0500, Tim Boyer <(E-Mail Removed)>
wrote:

>I've got a Perl script that watches my auth log and adds an iptables entry for
>anyone trying more than 20 bad passwords.
>
>Problem is, this doesn't drop existing connections.

Then you're doing it wrong.

iptables will instantly drop if you insert a drop rule into the
correct chain. For example:

iptables -I FORWARD -d $BADBOY -j DROP
iptables -I FORWARD -s $BADBOY -j DROP

will stop the IP associated with $BADBOY, and do it NOW, when the
packet traverses the FORWARD chain. To find out which chain, -j LOG
rather than DROP and add 2 more rules, one for INPUT and another for
OUTPUT:
iptables -I INPUT -s $BADBOY -j LOG
iptables -I OUTPUT -d $BADBOY -j LOG
--
buck

On Thu, 18 Jan 2007 22:08:13 -0800, buck <(E-Mail Removed)> wrote:

>On Thu, 18 Jan 2007 23:02:14 -0500, Tim Boyer <(E-Mail Removed)>
>wrote:
>
>>I've got a Perl script that watches my auth log and adds an iptables entry for
>>anyone trying more than 20 bad passwords.
>>
>>Problem is, this doesn't drop existing connections.
>
>Then you're doing it wrong.
>
>iptables will instantly drop if you insert a drop rule into the
>correct chain. For example:
>
>iptables -I FORWARD -d $BADBOY -j DROP
>iptables -I FORWARD -s $BADBOY -j DROP
>
>will stop the IP associated with $BADBOY, and do it NOW, when the
>packet traverses the FORWARD chain. To find out which chain, -j LOG
>rather than DROP and add 2 more rules, one for INPUT and another for
>OUTPUT:
>iptables -I INPUT -s $BADBOY -j LOG
>iptables -I OUTPUT -d $BADBOY -j LOG

I'm doing

iptables -I FORWARD -m state -s $1 -i wp1ppp --state ESTABLISHED,NEW -j DROP

Looks like I'm trying too hard. Thanks for the help!

-- tim --
--
tim boyer
(E-Mail Removed)

Why don't you save yourself some trouble and just install OSSEC? It
does exactly what you're trying to do and a lot more.

OSSEC is an Open Source Host-based Intrusion Detection System. It
performs log analysis, integrity checking, Windows registry monitoring,
rootkit detection, time-based alerting and active response.

http://www.ossec.net/



On Jan 19, 4:01 am, Tim Boyer <t...@denmantire.com> wrote:
> On Thu, 18 Jan 2007 22:08:13 -0800, buck <b...@private.mil> wrote:
> >On Thu, 18 Jan 2007 23:02:14 -0500, Tim Boyer <t...@denmantire.com>
> >wrote:
>
> >>I've got a Perl script that watches my auth log and adds an iptables entry for
> >>anyone trying more than 20 bad passwords.
>
> >>Problem is, this doesn't drop existing connections.
>
> >Then you're doing it wrong.
>
> >iptables will instantly drop if you insert a drop rule into the
> >correct chain. For example:
>
> >iptables -I FORWARD -d $BADBOY -j DROP
> >iptables -I FORWARD -s $BADBOY -j DROP
>
> >will stop the IP associated with $BADBOY, and do it NOW, when the
> >packet traverses the FORWARD chain. To find out which chain, -j LOG
> >rather than DROP and add 2 more rules, one for INPUT and another for
> >OUTPUT:
> >iptables -I INPUT -s $BADBOY -j LOG
> >iptables -I OUTPUT -d $BADBOY -j LOGI'm doing
>
> iptables -I FORWARD -m state -s $1 -i wp1ppp --state ESTABLISHED,NEW -j DROP
>
> Looks like I'm trying too hard. Thanks for the help!
>
> -- tim --
> --
> tim boyer
> t...@denmantire.com