Mailing List Archive

If your interested
I have a handful of requests for the latest Korea/China sensor scripts.
I figured maybe others might be interested. I apologize in advance if
I'm spamming your inbox.

Brian
Re: If your interested [ In reply to ]
Brian Micek wrote:
> I have a handful of requests for the latest Korea/China sensor scripts.
> I figured maybe others might be interested. I apologize in advance if
> I'm spamming your inbox.
Hey Brian,

thanks for the scripts.
Just one idea for you: Why not publish these files on some internet page
and give us its URL? So you just update whenever you run into something
new and only have to put the files there. People who are interested
might check every week or so.

Best regards
Dennis
--
gentoo-security@gentoo.org mailing list
Re: If your interested [ In reply to ]
> Hey Brian,
>
> thanks for the scripts.
> Just one idea for you: Why not publish these files on some internet page
> and give us its URL? So you just update whenever you run into something
> new and only have to put the files there. People who are interested
> might check every week or so.
>
> Best regards
> Dennis

They already exist ...

http://www.dayomon.net/fw/ .... txt file to copy into firewall script ..
http://www.okean.com/iptables/rc.firewall.sinokorea ........ needs a little
work as this one only drops port 25 as it stands.

I use the first one and drop the lot into the firewall script on my little
IPCop firewall. Firewall hits fell dramatically but as a home user I have no
need for connections to this part of the world.

Cheers,
Craig.

Kernel version: 2.6.13-gentoo-r3
Current Linux Uptime: 1 day 4 hours 59 minutes.
Registered Linux User: 228534
Linux the Ultimate Windows Service Pack
Re: If your interested [ In reply to ]
Thank you very much for the link. I really wish I knew about these
sites before I developed my code.

Brian Micek

Re: If your interested [ In reply to ]
nice but why do we need to block them?
ssh worms? or just lamers?

--
antiwmac@gmail.com
Taka John Brunkhorst
Re: If your interested [ In reply to ]
I think there is an easier way of doing this...

Why not use the GEOIP IPTABLES patch and then just use this in your
firewall:

-----------------------------------------------------------------------------------------
$IPTABLES -A INPUT -p tcp -m geoip --src-cc CN -j DROP
$IPTABLES -A INPUT -p tcp -m geoip --src-cc KR -j DROP
$IPTABLES -A INPUT -p tcp -m geoip --src-cc TW -j DROP
$IPTABLES -A INPUT -p tcp -m geoip --src-cc HK -j DROP
-----------------------------------------------------------------------------------------

This way you have 4 simple rules which do the work of that entire script.


On 10/10/05, Taka John Brunkhorst <antiwmac@gmail.com> wrote:
>
> nice but why do we need to block them?
> ssh worms? or just lamers?
>
> --
> antiwmac@gmail.com
> Taka John Brunkhorst
Re: If your interested [ In reply to ]
Defence in depth: they know that a system running ssh resides at this
address, so they can move on to probing for other weaknesses. You have
already identified them as probing for a known vulnerability, so why
take a chance that the next probe they do will hit on an unpatched,
unknown hole? And as far as ssh goes, if they can try one password,
they can try more and may get "lucky".

They have been identified; don't let them keep on trying each door handle
or window looking for any left unlocked.

Lastly, are you absolutely, without qualification sure that you, or
another user has not (even accidentally) run an app that is leaving the
system vulnerable, that all passwords are 100% secure and unguessable,
or that you have patched all known or *unknown* holes ...

I thought not!

BillK

On Mon, 2005-10-10 at 12:55 +0800, Taka John Brunkhorst wrote:
> nice but why do we need to block them?
> ssh worms? or just lamers?
>
> --
> antiwmac@gmail.com
> Taka John Brunkhorst
Re: If your interested [ In reply to ]
It may make sense for small, limited-user machines, but what about
servers that are intentionally advertising ssh for their users globally,
so can't use port knocking, can't block all of Korea (as some users
definitely connect from there) and so on...

Seems to me blocking large chunks of the net because they're a pain is a
short-term solution that's going to cause long-term pain for the
internet at large if it's allowed to become standard practice...

Shouldn't this list focus on the general, base-level security rather
than specific work-arounds for these types of issues that don't apply to
a lot of boxen?

2c out.
Ben

Re: If your interested [ In reply to ]
On Mon, 2005-10-10 at 12:55 +0800, Taka John Brunkhorst wrote:

> nice but why do we need to block them?
> ssh worms? or just lamers?

I can shed light on this:

The current Linux threat seems to be minimal and consists of ssh probes
followed by brute-force ssh guessing. This is a minor threat; however, we
are currently living in fortunate times. Certain regions in Asia are
out of control and ISPs cannot manage their networks. Our concern is
not the present but the future, when times might not be so pleasant.
Everyone remembers the SSH vulnerabilities that had no workaround other
than hiding that (sshd) service the best you could. I think we are
concerned about the future, when there is no workaround for servers we
rely on.

To be honest, my ISP which is speakeasy is the worst ISP in America from
my experience when dealing with hackers. The abuse team at that ISP is
terrible, rude and inefficient and they are aware of it (however the
quality and technical support of Speakeasy lines has been excellent for
me). America as well as any other region in the world has their
problems however there are hot spots. There are sketchy reports
concerning China encouraging this behavior.

It's now a viable solution to reject these packets from your home if you're
not interested in them. The penalty for doing this is adding about 300
to 1,000 rules to your kernel iptables. I have to admit censorship
against a country like China, who censors their Internet (on a brilliant
level), is anti-moral to me, but I'm concerned about my future.

Brian

Re: If your interested [ In reply to ]
> It may make sense for small, limited users machines, but what about
> servers that are intentionally advertising ssh for it's users globally,
> so can't use port knocking, can't block all of korea (as some users
> definatly connect from there) and so on...
exactly. I would prefer a solution where an IP is automatically blocked
for a limited amount of time after, say, 3 failed login attempts.

I don't know how to do this, but maybe somebody already has a script for
something like that?

Bernhard
Re: If your interested [ In reply to ]
On Mon, 2005-10-10 at 15:20 +1000, Ben Anderson wrote:

> It may make sense for small, limited users machines, but what about
> servers that are intentionally advertising ssh for it's users globally,
> so can't use port knocking, can't block all of korea (as some users
> definatly connect from there) and so on...
>

Ben, you're correct ... it would be silly to block China on a commercial
server doing business with China. Those machines probably require a
secure architecture most of us light-weight users can't support.

> Seems to me blocking large chunks of the net because they're a pain is a
> short term solution that's going to cause long term pain for the
> internet at large if it's allowed to become standard practice...

Once again, censorship is silly but it works. There is something ironic
about censoring a country that censors their Internet.

Re: If your interested [ In reply to ]
I just wonder where this patch resides, and which version it applies to
and such... I saw it in an earlier post but it got lost somewhere
in my inbox. Anybody care to post it?

Thanks.
Re: If your interested [ In reply to ]
On Mon, Oct 10, 2005 at 02:30:48PM +0900, Bernhard Egger wrote:
> > servers that are intentionally advertising ssh for it's users globally,
> > so can't use port knocking, can't block all of korea (as some users
> > definatly connect from there) and so on...
> exactly. I would prefer a solution where an IP is automatically blocked
> for a limited amount of time after, say, 3 failed login attempts.
>
> I don't know how to do this, but maybe somebody already has a script for
> something like that?

Check out Login Sentry as modified by Jesse Shrieve:

http://lumiere.net/~j/login_sentry/login_sentry

It uses hosts.deny, so it is also cross-platform (cross-POSIX, anyways).
Works well for me.

-D

--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/
Re: If your interested [ In reply to ]
It's part of the iptables patch-o-matic

http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/

It's a little mission to install it, but it's worth it and makes blocking
stuff a hell of a lot easier.


download the latest patch-o-matic-ng-XXXXXX.tar.gz
add extensions to your /etc/make.conf USE flags

----------------------
cd /usr/src
tar -xvjpf iptables-1.3.2.tar.bz2
mv iptables-1.3.2 iptables
tar xfz patch-o-matic-ng-XXXXXX.tar.gz
cd patch-o-matic-ng
IPTABLES_DIR=/usr/src/iptables KERNEL_DIR=/usr/src/linux ./runme geoip
------------------------

Then recompile your kernel with the geoip support (it will be in your
iptables section of the kernel at the bottom)
Reboot to use the new kernel

------------------------
cd /usr/src
mv iptables iptables-1.3.2
tar -cvjpf iptables-1.3.2.tar.bz2 iptables-1.3.2
mv iptables-1.3.2.tar.bz2 /usr/portage/distfiles/
cd /usr/portage/net-firewall/iptables
ebuild iptables-1.3.2.ebuild digest
emerge iptables
------------------------

and that's it, some examples on how to use it can be found here:

http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-3.html


I found this patch very VERY useful for our mail server. In South Africa,
bandwidth is expensive.. very expensive; be happy if you have a 10MB
connection, since 64K international bandwidth costs about R6000 ($950)
per month (that's per 64K chunk of bandwidth). Local bandwidth is around R700
($110) per 64K chunk.
So the problem we had was that all incoming mail from overseas was clogging
up our international bandwidth, so by using this geoip patch I have this in
my firewall:

$IPTABLES -A INPUT -p tcp -m geoip ! --src-cc ZA --dport 25 -j REJECT

In effect, this would stop any and all international mail servers outside of
South Africa from connecting to mine.

So what happens to all international mail? well simple, you add two MX
records (mail records) for each domain.

so like:

whatever.com IN MX 10 smtp.whatever.com.
             IN MX 20 smtp2.whatever.com.

Because all mail fails to connect to the MX 10, it will fallback onto the MX
20.

This way I am able to virus and spam scan all international mail overseas,
and then I forward on only the clean messages (you can either open a hole in
your firewall to allow this server to connect, or set up a VPN between them).

----------------------------------------------------------------------------------------
Re: If your interested [ In reply to ]
Does anyone have a grasp on what the geolocation data is for the
iptables country code option?
Thanks,
Brian
Re: If your interested [ In reply to ]
on 2005-10-10 08:47 Brian Micek wrote the following:
> Does anyone have a grasp on what the geolocarion data is for the
> iptables country code option?

It comes from a free product by maxmind.com. See here:
http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO-2.html#ss2.1

That free db then is at:
http://www.maxmind.com/app/geoip_country

No clue where maxmind exactly gets their data from.

Cheers
Tobias

--
GPG-Key 0xEF37FF28 - 1024/4096 DSA/ELG-E - 16.11.2001
Fingerprint: 3C4B 155F 2621 CEAF D3A6 0CCB 937C 9597 EF37 FF28
Re: If your interested [ In reply to ]
Bernhard Egger wrote:
> exactly. I would prefer a solution where an IP is automatically blocked
> for a limited amount of time after, say, 3 failed login attempts.
>
> I don't know how to do this, but maybe somebody already has a script for
> something like that?
>
> Bernhard

check out denyhosts
http://denyhosts.sourceforge.net/

Mike
Re: If your interested [ In reply to ]
Bernhard Egger wrote:

> exactly. I would prefer a solution where an IP is automatically blocked
> for a limited amount of time after, say, 3 failed login attempts.
> I don't know how to do this, but maybe somebody already has a script for
> something like that?

This is exactly what fail2ban does. It's a very nice script written in
Python that can block an IP for an amount of time after several login
attempts. It can monitor ssh and apache. Look at
http://sourceforge.net/projects/fail2ban or directly emerge it as it is
already in Portage. I have had it running for a couple of months and I must
say that I'm very satisfied.

--
Christophe Garault



Re: If your interested [ In reply to ]
On 10/10/05, Christophe Garault <christophe@garault.org> wrote:
> This is exactly what fail2ban do. It's a very nice script written in
> python that can block an IP for an amount of time after several login
> attempts. It can monitor ssh and apache. Look at
> http://sourceforge.net/projects/fail2ban or directly emerge it as it is
> allready in Portage. I have it running for a couple of months and I must
> say that I'm very satisfied.

I don't see it in portage, is it under a different name? I see
denyhosts in portage, but that one doesn't seem to remove older bans
it added to the hosts.deny file. I'm not sure yet if Fail2Ban will do
this but Christophe Garault suggested it does.

Re: If your interested [ In reply to ]
On Mon, 10 Oct 2005 at 11:33am, Danny wrote:

> On 10/10/05, Christophe Garault <christophe@garault.org> wrote:
>> This is exactly what fail2ban do. It's a very nice script written in
>> python that can block an IP for an amount of time after several login
>> attempts. It can monitor ssh and apache. Look at
>> http://sourceforge.net/projects/fail2ban or directly emerge it as it is
>> allready in Portage. I have it running for a couple of months and I must
>> say that I'm very satisfied.
>
> I don't see it in portage, is it under a different name? I see
> denyhosts in portage, but that one doesn't seem to remove older bans
> it added to the hosts.deny file. I'm not sure yet if Fail2Ban will do
> this but Christophe Garault suggested it does.

I haven't found fail2ban in the main portage tree, but instead setup a
local portage overlay and installed the ebuild from the sourceforge site.
I have been using fail2ban for a few months now, and can affirm that it
does remove bans after a configurable period of time.

Instead of using hosts.deny, fail2ban adds and removes rules from an
iptables firewall. After some time of doing this work manually, I
discovered that there is a limit to the number of individual IP addresses
that can be processed in a hosts.deny file that is definitely much lower
than the number of allowable rules iptables can handle.

chris

--
Chris Shelton

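The behaviour Bernhard asked for and Chris describes (ban after N failures inside a window, lift the ban after a configurable time, expressed as iptables rule additions and removals) in a small Python model. This is an added example, not fail2ban's own code: the sample log lines are constructed, the log year, the 3/600 s/1800 s thresholds and the plain `-I INPUT`/`-D INPUT` rule form are assumptions, and real fail2ban keeps its own chains.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog style (no year, as in real syslog);
# the addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct 10 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Oct 10 12:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 4023 ssh2
Oct 10 12:00:05 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 4024 ssh2
Oct 10 12:00:06 host sshd[1004]: Accepted publickey for alice from 198.51.100.7 port 5555 ssh2
Oct 10 12:00:09 host sshd[1005]: Failed password for root from 198.51.100.7 port 5556 ssh2
Oct 10 12:15:00 host sshd[1006]: Failed password for root from 198.51.100.7 port 5557 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_ts(text, year):
    """Syslog timestamps carry no year; the caller supplies one (assumption)."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


class BanTracker:
    """Ban an IP after max_retry failures within find_time seconds; lift it after ban_time."""

    def __init__(self, max_retry=3, find_time=600, ban_time=1800, year=2005):
        self.max_retry = max_retry
        self.find_time = timedelta(seconds=find_time)
        self.ban_time = timedelta(seconds=ban_time)
        self.year = year
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.bans = {}                      # ip -> expiry time
        self.actions = []                   # ("ban" | "unban", ip, time), in order

    def tick(self, now):
        """Lift every ban whose expiry has passed (the part denyhosts was said to lack)."""
        for ip, until in list(self.bans.items()):
            if until <= now:
                del self.bans[ip]
                self.actions.append(("unban", ip, until))

    def feed(self, line):
        """Process one log line; return the IP if this line triggered a ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        now, ip = parse_ts(m["ts"], self.year), m["ip"]
        self.tick(now)
        if ip in self.bans:
            return None
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.find_time:  # forget failures outside the window
            recent.popleft()
        if len(recent) < self.max_retry:
            return None
        recent.clear()
        self.bans[ip] = now + self.ban_time
        self.actions.append(("ban", ip, now))
        return ip

    def commands(self):
        """The firewall changes the actions imply, in the simplest iptables form (assumed)."""
        verb = {"ban": "-I", "unban": "-D"}
        return [f"iptables {verb[kind]} INPUT -s {ip} -j DROP" for kind, ip, _ in self.actions]


def replay(log_text, final_time=None, **kwargs):
    """Run the tracker over log_text, then advance the clock to final_time (syslog format)."""
    tracker = BanTracker(**kwargs)
    for line in log_text.splitlines():
        tracker.feed(line)
    if final_time:
        tracker.tick(parse_ts(final_time, tracker.year))
    return tracker


if __name__ == "__main__":
    for cmd in replay(SAMPLE_LOG, "Oct 10 12:31:00").commands():
        print(cmd)
```

With the sample input, 203.0.113.5 is banned on its third failure at 12:00:05 and released at 12:30:05, while 198.51.100.7's two failures are 15 minutes apart and never reach the threshold.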
Re: If your interested [ In reply to ]
Danny wrote:

> I don't see it in portage, is it under a different name?

I'm really sorry for that Danny, it's my mistake. Portage is so
incredibly powerful I thought fail2ban was in it. ;)
In fact I didn't remember that it is in my overlay as Chris mentioned.
So what you have to do is:

- create a local overlay: /usr/local/portage and then net-firewall/fail2ban
- declare this overlay in your make.conf
- copy fail2ban-0.5.4.ebuild (see below) into
/usr/local/portage/net-firewall/fail2ban/
- create a new directory under fail2ban called 'files'
- copy fail2ban-0.5.4.tar.bz2 from sourceforge into this new directory
- run "ebuild fail2ban-0.5.4.ebuild digest"
And then simply emerge fail2ban.

Here is the ebuild:

-----------------------------
# Distributed under the terms of the GNU General Public License v2

DESCRIPTION="Bans IP that make too many password failures"
HOMEPAGE="http://sourceforge.net/projects/fail2ban"
SRC_URI="mirror://sourceforge/fail2ban/${P}.tar.bz2"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~x86 ~amd64"
IUSE=""
DEPEND=">=dev-lang/python-2.3"

src_install() {
	# Use python setup
	python setup.py install --root=${D} || die

	# Use fail2ban.conf.default as default config file
	insinto /etc
	newins config/fail2ban.conf.default fail2ban.conf
	# Install initd scripts
	exeinto /etc/init.d
	newexe config/gentoo-initd fail2ban
	insinto /etc/conf.d
	newins config/gentoo-confd fail2ban
	# Doc
	doman man/*.[0-9]
	dodoc CHANGELOG README TODO
}

pkg_postinst() {
	# The user must edit the config file
	echo ""
	einfo "Please edit /etc/fail2ban.conf with parameters"
	einfo "which correspond to your system."
	echo ""
}

--
Christophe Garault


Re: If your interested [ In reply to ]
Brian Micek wrote:
> I have a handful of requests for the latest Korea/China sensor scripts.
> I figured maybe others might be interested. I apologize in advance if
> I'm spamming your inbox.
>
> Brian

I have a question about these scripts: how could I add to them so they
log which country a request is coming from? I have the scripts set to
block each country, but I want them to say in my logs

request from $country has been dropped.

I want to figure out where most of my requests come from.

Kyle
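One way to get the per-country log line Kyle asks for with the geoip match from Dave's post: put a rate-limited LOG rule with a country-specific prefix in front of each DROP rule, then count the kernel log lines by that prefix. Added example, not from anyone in the thread; the `$IPTABLES` variable is Dave's, while the `GEO-DROP-` prefix, the `10/min` limit, and the constructed kernel log lines are assumptions.

```python
import re
from collections import Counter


def geoip_rules(countries, chain="INPUT", proto="tcp", var="$IPTABLES"):
    """Return the iptables commands for a country list: a LOG rule, then the DROP rule.

    LOG is a non-terminating target, so it must precede the DROP that ends the packet's
    traversal; the limit match keeps a port scan from flooding the kernel log.
    """
    rules = []
    for cc in countries:
        match = f"-A {chain} -p {proto} -m geoip --src-cc {cc}"
        rules.append(f'{var} {match} -m limit --limit 10/min -j LOG --log-prefix "GEO-DROP-{cc}: "')
        rules.append(f"{var} {match} -j DROP")
    return rules


# Constructed kernel log lines in the field layout the LOG target writes; the
# addresses are documentation ranges and the country tag is whatever geoip decided.
SAMPLE_KLOG = """\
Oct 10 13:01:02 fw kernel: GEO-DROP-CN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40321 DPT=22 SYN
Oct 10 13:01:05 fw kernel: GEO-DROP-CN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40322 DPT=22 SYN
Oct 10 13:02:11 fw kernel: GEO-DROP-KR: IN=eth0 OUT= SRC=198.51.100.44 DST=192.0.2.1 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=1122 DPT=25 SYN
Oct 10 13:03:40 fw kernel: GEO-DROP-CN: IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.1 LEN=60 TTL=44 ID=0 DF PROTO=TCP SPT=3333 DPT=80 SYN
Oct 10 13:04:00 fw kernel: unrelated message that must be ignored
"""

KLOG_RE = re.compile(
    r"kernel: GEO-DROP-(?P<cc>[A-Z]{2}): .*\bSRC=(?P<src>\S+) .*\bDPT=(?P<dpt>\d+)"
)


def summarize(log_text):
    """Count dropped connections per country, per (country, source) and per (country, port)."""
    by_country, by_src, by_port = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = KLOG_RE.search(line)
        if not m:
            continue  # not one of our prefixed drop lines
        by_country[m["cc"]] += 1
        by_src[(m["cc"], m["src"])] += 1
        by_port[(m["cc"], int(m["dpt"]))] += 1
    return by_country, by_src, by_port


if __name__ == "__main__":
    print("\n".join(geoip_rules(["CN", "KR", "TW", "HK"])))
    country, src, port = summarize(SAMPLE_KLOG)
    for cc, n in country.most_common():
        print(f"request from {cc} has been dropped: {n} times")
```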