Discussion:
How to stop an active network connection
T o n g
2008-12-02 22:30:15 UTC
Hi,

How can I stop an active network connection? e.g.,

$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 192.168.0.100:ssh ip-72-55-146-217.:35911
ESTABLISHED

Because barbarians are pounding at my sshd gate again:

. . .
Dec 2 16:41:37 helios sshd[9201]: Invalid user chad from 72.55.146.217
Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): check pass; user
unknown
Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=ip-72-55-146-217.static.privatedns.com
Dec 2 16:41:39 helios sshd[9201]: Failed password for invalid user chad
from 72.55.146.217 port 42328 ssh2
. . .

I shut down my sshd daemon, but the network bandwidth did not drop. The
active connection went away in the netstat output, which is wrong, and
iftop was able to reveal the still-live connection.

Please help.

thanks
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
--
To UNSUBSCRIBE, email to debian-user-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Celejar
2008-12-02 22:40:05 UTC
On Tue, 2 Dec 2008 22:26:04 +0000 (UTC)
Post by T o n g
Hi,
How can I stop an active network connection? e.g.,
$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 192.168.0.100:ssh ip-72-55-146-217.:35911
ESTABLISHED
apt-cache show cutter ?
Post by T o n g
Tong (remove underscore(s) to reply)
Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
--
Alex Samad
2008-12-03 01:30:12 UTC
Post by Celejar
On Tue, 2 Dec 2008 22:26:04 +0000 (UTC)
Post by T o n g
Hi,
How can I stop an active network connection? e.g.,
$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 192.168.0.100:ssh ip-72-55-146-217.:35911
ESTABLISHED
apt-cache show cutter ?
I think cutter only works on routers or machines in the middle of the
tcp conversation

I would suggest using tcpdump to see the traffic on eth0 with something
like

tcpdump -pni eth0 -c 100

then you could use iptables to block the connection with something like

iptables -I OUTPUT -d <destination ip> -j REJECT
iptables -I INPUT -s <destination ip> -j REJECT

you could/should add a better selection with -p and/or --dport or --sport

Alex
Post by Celejar
Post by T o n g
Tong (remove underscore(s) to reply)
Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
--
--
"If this were a dictatorship, it'd be a heck of a lot easier, just so long as I'm the dictator."

- George W. Bush
12/19/2000
Washington, DC
Celejar
2008-12-03 06:10:07 UTC
On Wed, 3 Dec 2008 12:26:49 +1100
Post by Alex Samad
Post by Celejar
On Tue, 2 Dec 2008 22:26:04 +0000 (UTC)
Post by T o n g
Hi,
How can I stop an active network connection? e.g.,
...
Post by Alex Samad
Post by Celejar
apt-cache show cutter ?
I think cutter only works on routers or machines in the middle of the
tcp conversation
You're right. However, I discovered that tcpkill (in the Debian dsniff
package) works fine, e.g.:

tcpkill -i eth0 dst somehost

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
--
Andrew Reid
2008-12-03 00:00:14 UTC
Post by T o n g
Hi,
How can I stop an active network connection? e.g.,
$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 192.168.0.100:ssh ip-72-55-146-217.:35911
ESTABLISHED
. . .
Dec 2 16:41:37 helios sshd[9201]: Invalid user chad from 72.55.146.217
Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): check pass; user
unknown
Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=ip-72-55-146-217.static.privatedns.com
Dec 2 16:41:39 helios sshd[9201]: Failed password for invalid user chad
from 72.55.146.217 port 42328 ssh2
. . .
I shut down my sshd daemon, but the network bandwidth did not drop. The
active connection went away in the netstat output, which is wrong, and
iftop was able to reveal the still-live connection.
I use a thing called "fail2ban", which will monitor log entries and
dynamically update your firewall to block IP addresses which are the
source of too many failures.

I set it up years ago, and don't recall the specifics, but it's
packaged for Debian, and I recall it being reasonably straightforward
to set up.

The way I have it set up, it will block particular users who
can't get their password right after three tries. I believe it
can also be set up to block particular IP addresses that try
multiple usernames, but I'm not 100% sure.

-- A.
--
Andrew Reid / ***@bellatlantic.net
--
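The approach Andrew describes (watch the sshd log, count failures per source, update the firewall once a threshold is hit), combined with the REJECT rule Alex suggested earlier in the thread, as an added example. This is not fail2ban's code and was not posted in the thread. The log lines are constructed in the format of the original post (the 72.55.146.217 address and the host name helios come from the thread; the other addresses, users and times are made up), the thresholds of 3 failures within 600 seconds are assumptions, and the iptables commands are only generated as strings, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in the format of the original post (Debian syslog
# lines from sshd). 72.55.146.217 and host "helios" are from the thread;
# the other addresses, users and times are made up for this example.
SAMPLE_LOG = [
    "Dec 2 16:41:37 helios sshd[9201]: Invalid user chad from 72.55.146.217",
    "Dec 2 16:41:39 helios sshd[9201]: Failed password for invalid user chad from 72.55.146.217 port 42328 ssh2",
    "Dec 2 16:41:52 helios sshd[9203]: Invalid user admin from 72.55.146.217",
    "Dec 2 16:41:54 helios sshd[9203]: Failed password for invalid user admin from 72.55.146.217 port 42510 ssh2",
    "Dec 2 16:42:10 helios sshd[9205]: Accepted publickey for tong from 192.168.0.12 port 50122 ssh2",
    "Dec 2 16:42:14 helios sshd[9207]: Failed password for root from 72.55.146.217 port 42733 ssh2",
    "Dec 2 16:50:01 helios sshd[9210]: Failed password for tong from 192.168.0.12 port 50130 ssh2",
    "Dec 2 17:05:44 helios sshd[9222]: Failed password for tong from 192.168.0.12 port 50131 ssh2",
]

# One failure per "Failed password" line. The "Invalid user" line that
# precedes it for unknown accounts is deliberately not counted, otherwise
# every such attempt would be counted twice.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_ts(ts, year=2008):
    """syslog timestamps carry no year; the thread's year is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class FailureTracker:
    """Sliding-window failure counter per source address (the maxretry /
    findtime idea of fail2ban, reimplemented here for illustration)."""

    def __init__(self, maxretry=3, findtime=600):
        self.maxretry = maxretry
        self.findtime = findtime            # seconds
        self.recent = defaultdict(deque)    # ip -> failure times inside window
        self.banned = []                    # ips in the order they were banned

    def feed(self, line):
        """Consume one log line; return the ip if this line triggers a ban."""
        m = FAILED.match(line)
        if not m:
            return None
        ip, t = m["ip"], parse_ts(m["ts"])
        window = self.recent[ip]
        window.append(t)
        # drop failures that fell out of the window
        while (t - window[0]).total_seconds() > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry and ip not in self.banned:
            self.banned.append(ip)
            return ip
        return None


def scan(lines=SAMPLE_LOG, maxretry=3, findtime=600):
    """Run the tracker over a whole log and return the ips to ban."""
    tracker = FailureTracker(maxretry, findtime)
    for line in lines:
        tracker.feed(line)
    return tracker.banned


def reject_rules(ips, port=22):
    """iptables commands in the form suggested earlier in the thread, narrowed
    to the ssh port. -I puts them at the top of INPUT, ahead of any
    ESTABLISHED accept rule, so an already-open session from that source is
    cut as well. Returned as strings; nothing here executes them."""
    return [f"iptables -I INPUT -p tcp --dport {port} -s {ip} -j REJECT"
            for ip in ips]


if __name__ == "__main__":
    for rule in reject_rules(scan()):
        print(rule)
```

On the sample log only 72.55.146.217 reaches three failures inside ten minutes; the two failures from 192.168.0.12 are fifteen minutes apart and never overlap in the window. The regex expects each syslog record on one line, so log lines that were wrapped for e-mail, as in the original post, have to be unwrapped first.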
Raj Kiran Grandhi
2008-12-03 01:50:06 UTC
Post by T o n g
Hi,
How can I stop an active network connection? e.g.,
$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address
State
tcp 0 0 192.168.0.100:ssh ip-72-55-146-217.:35911
ESTABLISHED
. . .
Dec 2 16:41:37 helios sshd[9201]: Invalid user chad from 72.55.146.217
Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): check pass; user
unknown
Dec 2 16:41:37 helios sshd[9201]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=ip-72-55-146-217.static.privatedns.com
Dec 2 16:41:39 helios sshd[9201]: Failed password for invalid user chad
from 72.55.146.217 port 42328 ssh2
. . .
I shut down my sshd daemon, but the network bandwidth did not drop. The
active connection went away in the netstat output, which is wrong, and
iftop was able to reveal the still-live connection.
Just apt-get install denyhosts. It will update the /etc/hosts.deny
every time it detects an abusive client.
Post by T o n g
Please help.
thanks
--
If you can't explain it simply, you don't understand it well enough.
-- Albert Einstein
--
Michael Iatrou
2008-12-03 03:40:08 UTC
Post by T o n g
Hi,
How can I stop an active network connection? e.g.,
Using iptables(8) you can stop any kind of traffic manually or
automagically, using something like the following (assuming that you
normally accept ssh connections):

iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent \
--update --seconds 3600 --hitcount 4 -j DROP
--
Michael Iatrou (fnpk)
--
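A model of how the two `-m recent` rules above treat a series of new ssh connections from one source, added here as an example; it is not kernel code, touches no netfilter state, and was not posted in the thread. It simulates the semantics documented in the iptables-extensions man page for `--set` and for `--rcheck`/`--update` with `--seconds` and `--hitcount`. Assumptions: the INPUT chain has no earlier rules that accept the packet, and the rule order is the one the two `-I` commands produce (the `--update ... -j DROP` rule ends up above the `--set` rule); the per-entry limit of 20 remembered hits is xt_recent's default `ip_pkt_list_tot`.

```python
from collections import defaultdict

SECONDS, HITCOUNT = 3600, 4          # values from the two rules above


class RecentTable:
    """In-memory stand-in for one xt_recent address list."""

    def __init__(self, max_stamps=20):   # default ip_pkt_list_tot (assumed)
        self.stamps = defaultdict(list)  # source ip -> hit times in seconds
        self.max_stamps = max_stamps

    def set(self, ip, now):
        """--set: add the source to the list, or record another hit on it."""
        s = self.stamps[ip]
        s.append(now)
        del s[:-self.max_stamps]         # the oldest hits are forgotten

    def check(self, ip, now, seconds, hitcount, refresh):
        """--rcheck (refresh=False) or --update (refresh=True), qualified by
        --seconds/--hitcount: match when the source has at least `hitcount`
        hits no older than `seconds`. --update additionally records the
        matching packet as a fresh hit; --rcheck leaves the entry alone."""
        s = self.stamps.get(ip)
        if not s:
            return False
        hits = sum(1 for t in s if now - t <= seconds)
        if hits < hitcount:
            return False
        if refresh:
            self.set(ip, now)
        return True


def verdict(table, ip, now, refresh=True, set_first=False,
            seconds=SECONDS, hitcount=HITCOUNT):
    """Walk the two rules for one new-connection SYN and return the verdict.

    Both rules were inserted with -I, so the --update rule sits above the
    --set rule (set_first=False). set_first=True models the reverse order."""
    def drop_rule():
        return table.check(ip, now, seconds, hitcount, refresh)

    if set_first:
        table.set(ip, now)
        return "DROP" if drop_rule() else "ACCEPT"
    if drop_rule():
        return "DROP"
    table.set(ip, now)        # --set has no -j: it records and falls through
    return "ACCEPT"           # i.e. on to whatever rule normally accepts ssh


def simulate(times, refresh=True, set_first=False, ip="72.55.146.217"):
    """Verdicts for a sequence of SYNs from one source at the given times."""
    table = RecentTable()
    return [verdict(table, ip, t, refresh, set_first) for t in times]


if __name__ == "__main__":
    print("burst of five:", simulate([0, 10, 20, 30, 40]))
    retries = list(range(0, 7201, 60))   # one SYN a minute for two hours
    print("--update accepts:", simulate(retries).count("ACCEPT"))
    print("--rcheck accepts:", simulate(retries, refresh=False).count("ACCEPT"))
```

With the order the two `-I` commands leave behind, the fifth new connection inside an hour is dropped, not the fourth; swap the rules and it is the fourth, because `--set` then records the hit before `--update` counts. The second simulation shows why `--update` was the right choice for this purpose: every dropped SYN is recorded as a new hit, so a bot that keeps retrying once a minute stays blocked for as long as it retries, whereas with `--rcheck` the block lapses an hour after the last accepted attempt and four more connections get through.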