Rules on the MT INPUT chain

orin (Basic; joined Apr 19, 2004; 159 posts)
Post subject: Rules on the MT INPUT chain   Posted: 17.04.2007 - 08:30 #49370

I have a public IP. Every day I log attacks from outside over SSH and login failures. How can I use the INPUT chain, IN interface WAN, and drop traffic from outside 213.0.0.0? Thanks. Or rather, please describe how to set it up.
zelmar (Guru; joined Oct 23, 2005; 1031 posts; location: /etc/bin/ladin)
Post subject: RE: Rules on the MT INPUT chain   Posted: 17.04.2007 - 21:44 #49382

For example:

# drop new SSH connections from any source outside 213.0.0.0/8
# (current iptables wants the "!" before -s; the old "-s ! addr" form is rejected)
iptables -I INPUT ! -s 213.0.0.0/8 -p tcp --dport 22 -j DROP

there are countless combinations
icerowicz (Apprentice; joined Apr 12, 2006; 930 posts; location: Vranov nad Topľou)
Post subject: Rules on the MT INPUT chain   Posted: 18.04.2007 - 10:08 #49401

orin wrote:
> I have a public IP. Every day I log attacks from outside over SSH and login failures. How can I use the INPUT chain, IN interface WAN, and drop traffic from outside 213.0.0.0? Thanks. Or rather, please describe how to set it up.

So can't he just allow access to it only from his own IP? I mean for SSH.
si (Master; joined Jan 12, 2003; 4250 posts; location: /dev/null)
Post subject: RE: Rules on the MT INPUT chain   Posted: 18.04.2007 - 13:31 #49425

icerowicz, orin: you'll really appreciate settings like these when something happens to go to sh... and you need to log in from the middle of nowhere and it won't let you... and customers are bitching that something's broken, when all you'd need is to log in and fix something remotely... :)
airbilly (Guru; joined Mar 13, 2005; 1867 posts; location: Nitra)
Post subject: RE: Rules on the MT INPUT chain   Posted: 18.04.2007 - 14:15 #49431

si wrote:
> icerowicz, orin: you'll really appreciate settings like these when something happens to go to sh... and you need to log in from the middle of nowhere and it won't let you... and customers are bitching that something's broken, when all you'd need is to log in and fix something remotely... :)

Not at all, you can still log in there, e.g. via winbox, and allow access from any IP right there.
magnum (Basic; joined Oct 12, 2003; 354 posts)
Post subject: RE: Rules on the MT INPUT chain   Posted: 18.04.2007 - 14:19 #49433

Those are the mysteries of mkt that I'll never understand in my life... but never mind... and nobody is hammering on winbox???

I'd just move ssh to some port way up high in the middle of nowhere and be done with it...
si (Master; joined Jan 12, 2003; 4250 posts; location: /dev/null)
Post subject: RE: Rules on the MT INPUT chain   Posted: 18.04.2007 - 14:36 #49435

airbilly: well, I'm curious how you're going to install some winbox on a phone somewhere out in the mountains when something breaks :)
and whoever really wants to get in there will happily get hold of winbox too...
qido (Basic; joined May 31, 2006; 292 posts)
Post subject: RE: Rules on the MT INPUT chain   Posted: 18.04.2007 - 15:10 #49440

si wrote:
> airbilly: well, I'm curious how you're going to install some winbox on a phone somewhere out in the mountains when something breaks :)
> and whoever really wants to get in there will happily get hold of winbox too...

:) I'd like to see such a successful attack by logging in over ssh... that is, unless there's some crazy admin on that machine...
si (Master; joined Jan 12, 2003; 4250 posts; location: /dev/null)
Post subject: RE: Rules on the MT INPUT chain   Posted: 18.04.2007 - 17:00 #49450

qido: me too :) but oh well :) it's just that, so I'm not bothered by too many login attempts from scripts that try various default passwords from some distros, I have the number of ssh attempts from external IPs limited to some reasonably low number per minute :) a normal person won't fill it up, and an attacker quickly gets sent to DROP :)
orin (Basic; joined Apr 19, 2004; 159 posts)
Post subject: Oh my, SI   Posted: 19.04.2007 - 14:02 #49504

si wrote:
> qido: me too :) but oh well :) it's just that, so I'm not bothered by too many login attempts from scripts that try various default passwords from some distros, I have the number of ssh attempts from external IPs limited to some reasonably low number per minute :) a normal person won't fill it up, and an attacker quickly gets sent to DROP :)

Now SI, you've f...ing hit the nail right on the head. That's exactly what this is about. They're testing logins under x usernames. Can you send the script?
I can't restrict SSH to an IP, I need to log in from Orange, e-Tel, GTS, from abroad. So on this I agree with the contributors from the mountains.
So limiting the number of SSH logins per minute is the right solution. Thanks for the tip, and send the script.
magnum (Basic; joined Oct 12, 2003; 354 posts)
Post subject: RE: Rules on the MT INPUT chain   Posted: 19.04.2007 - 15:42 #49509

script??? :) :)

# -N fails harmlessly if the chain already exists; -F empties it so the script can be re-run
iptables -N LIMIT
iptables -F LIMIT
# everything arriving on the public interface goes through LIMIT first
iptables -I INPUT 1 -i [waniface] -j LIMIT
# record every new SSH connection in the (default) recent list, keyed by source address
iptables -A LIMIT -i [waniface] -p tcp --dport 22 -m state --state NEW -m recent --set
# the packet just recorded counts too, so the third new connection within 60 s from one source is dropped
iptables -A LIMIT -i [waniface] -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 -j DROP
iptables -A LIMIT -j RETURN

and you've got the whole thing ;)

edit:
sorry, replace waniface with the name of the NIC you have on the public side... + you can also add IPs with -s in there...
si (Master; joined Jan 12, 2003; 4250 posts; location: /dev/null)
Post subject: RE: Rules on the MT INPUT chain   Posted: 19.04.2007 - 16:08 #49511

example:
Code:
/usr/sbin/iptables -N ssh
# trusted sources are accepted without being counted
/usr/sbin/iptables -I ssh -s 1.2.3.4 -j ACCEPT
/usr/sbin/iptables -I ssh -s 5.6.7.8 -j ACCEPT
# check before recording: a source with 10 or more new connections in the last 300 s is dropped
# (with the --set/ACCEPT rule first, every new connection would be accepted before this rule is reached,
#  and a -m limit on a DROP rule only lets the packets above the limit fall through)
/usr/sbin/iptables -A ssh -m state --state NEW -m recent --update --seconds 300 --hitcount 10 --rttl --name ssh --rsource -j DROP
# otherwise record the source and accept the connection
/usr/sbin/iptables -A ssh -m state --state NEW -m recent --set --name ssh --rsource -j ACCEPT
/usr/sbin/iptables -I INPUT -i eth0 -p tcp --dport 22 -j ssh

where, in addition to what magnum posted, the IPs 1.2.3.4 and 5.6.7.8 are not tested and are automatically treated as legitimate (when you know that you, and nobody else, log in regularly from those IPs, so that some random script attacking your IP doesn't needlessly cut you off :) )
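As an added illustration for the rate-limiting rules in this thread (this is not code posted by anyone here), the Python script below reproduces the semantics of the iptables `recent` match (`-m recent --set` and `--update --seconds S --hitcount H`, as implemented by xt_recent: a match on `--update` also records the packet, and at most `ip_pkt_list_tot`, by default 20, timestamps are kept per address) and replays a constructed burst of new SSH connections through three chain layouts: record-then-check with `--hitcount 3` in 60 s, accept-then-check where a `--set -j ACCEPT` rule sits before the DROP rule, and check-then-record with a trusted-source bypass and `--hitcount 10` in 300 s. It only models NEW connections (conntrack state and `--rttl` are ignored); the attacker address 203.0.113.5 is constructed, and 1.2.3.4 / 5.6.7.8 are the trusted addresses from the post above.

```python
"""Simulate iptables -m recent (xt_recent) --set / --update semantics.

Added example for this thread, not code from its authors.  It replays a
constructed burst of new SSH connections (one every 5 s from one source)
through three chain layouts and counts the dropped attempts.  Only NEW
connections are modelled; conntrack state and --rttl are ignored.
"""
from collections import defaultdict, deque

# xt_recent keeps at most ip_pkt_list_tot (module parameter, default 20)
# timestamps per address; a --hitcount above that value can never match.
PKT_LIST_TOT = 20


class RecentList:
    """One named list, as created by "-m recent --name <name> --rsource"."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """--set: create the entry if needed and record this packet's time."""
        self.stamps[src].append(now)
        return True  # --set always matches

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount H: match if the source already has
        at least H timestamps no older than S seconds.  A match also records
        this packet, so a source that keeps hammering keeps itself blocked."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits < hitcount:
            return False
        self.stamps[src].append(now)
        return True


def record_then_check(recent, src, now, seconds=60, hitcount=3):
    """--set rule first, then --update ... -j DROP (no trusted sources)."""
    recent.set(src, now)                       # NEW -m recent --set (no target, falls through)
    if recent.update(src, now, seconds, hitcount):
        return "DROP"                          # --update --seconds 60 --hitcount 3 -j DROP
    return "RETURN"                            # -j RETURN back to INPUT


def accept_then_check(recent, src, now, seconds=300, hitcount=10):
    """--set -j ACCEPT placed before the DROP rule: ACCEPT is terminal, so the
    --update/DROP rule is never reached by a new connection."""
    recent.set(src, now)
    return "ACCEPT"


TRUSTED = frozenset({"1.2.3.4", "5.6.7.8"})   # -s <ip> -j ACCEPT rules at the top of the chain


def check_then_record(recent, src, now, trusted=TRUSTED, seconds=300, hitcount=10):
    """Trusted bypass, then --update ... -j DROP, then --set -j ACCEPT."""
    if src in trusted:
        return "ACCEPT"                        # never counted
    if recent.update(src, now, seconds, hitcount):
        return "DROP"
    recent.set(src, now)
    return "ACCEPT"


def simulate(chain, src, attempts=15, interval=5):
    """Feed `attempts` new connections from `src`, one every `interval`
    seconds, through `chain` and return how many were dropped."""
    recent = RecentList()
    verdicts = [chain(recent, src, n * interval) for n in range(attempts)]
    return verdicts.count("DROP")


if __name__ == "__main__":
    for name, chain in (("record-then-check", record_then_check),
                        ("accept-then-check", accept_then_check),
                        ("check-then-record", check_then_record)):
        print(f"{name}: attacker dropped {simulate(chain, '203.0.113.5')}/15, "
              f"trusted dropped {simulate(chain, '1.2.3.4')}/15")
```

Running it shows the practical difference between the layouts: with record-then-check the packet that was just recorded counts as a hit, so the third new connection within 60 s is dropped, and the trusted address is throttled like any other; with an ACCEPT before the DROP no new connection is ever dropped; with check-then-record the first ten attempts within 300 s pass, the eleventh and later are dropped, and 1.2.3.4 is never counted at all.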
Powered by PNphpBB2 © 2003-2005 The PNphpBB Group
(C) SKFree 2002-2010: Powered by POSTNUKE. You can pull our news in XML (RSS) format.