Gentoo Archives: gentoo-security

From: Marc Risse <gentoo@×××××××××.name>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:55:52
Message-Id: 4340670E.8060202@marcrisse.name
In Reply to: Re: [gentoo-security] [OT?] automatically firewalling off IPs by Alex Efros
Alex Efros wrote:

> Hi!
>
> On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
>
>> These are the rules that I'm using.
>>
>> # Track connections to SSH
>> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
>>     --dport 22 -m recent --name SSH --set
>> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
>>     --dport 22 -m recent --name SSH --set
>>
>> # Drop if connection rate exceeds 4/minute
>> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>     --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
>> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>     --rcheck --seconds 60 --hitcount 4 -j DROP
>>
>> # Drop if connection rate exceeds 20/hour
>> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>     --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
>> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>     --rcheck --seconds 3600 --hitcount 20 -j DROP
>
> What about DoS because of these rules? Imagine somebody runs SSH
> connections to your host every 10 seconds while you don't have an
> already-opened SSH connection to the server...... In this case you will
> never have a chance to log in to your server (and fix this issue)?!
# Every new SSH connection is recorded in the "SSH" recent list and then run through
# the whitelist chain; trusted sources are taken out of the list and accepted, so only
# untrusted sources ever reach the rate-limit rules below.
iptables -N SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A SSH_WHITELIST -s 217.160.x.x -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 10.0.0.0/8 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 212.184.x.x -m recent --remove --name SSH -j ACCEPT
# The 4th new connection within 60 seconds from a non-whitelisted source is logged, then dropped
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

Bye
Marc
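To see why the whitelist chain answers the lock-out concern raised in the quoted reply, here is an added Python model of Marc's rule set (not code from the thread) that replays NEW SSH connections through the same rule order with the semantics of the iptables "recent" match. It assumes 10.0.0.0/8 as the only whitelist network (the other two sources are masked in the post), constructed source addresses 198.51.100.7 and 10.0.0.5, and it does not model --rttl or the list's stamp cap.

```python
import ipaddress

SECONDS, HITCOUNT = 60, 4                      # --update --seconds 60 --hitcount 4
WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]  # the one unmasked -s network in the post

class RecentList:
    """Per-source hit timestamps, as xt_recent keeps them (--rttl is not modelled)."""

    def __init__(self):
        self.stamps = {}                       # src -> [seen_at, ...]

    def set(self, src, now):                   # -m recent --set
        self.stamps.setdefault(src, []).append(now)

    def remove(self, src):                     # -m recent --remove
        self.stamps.pop(src, None)

    def update(self, src, now, seconds, hitcount):  # -m recent --update --seconds --hitcount
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:                   # --update adds a stamp only when it matches
            self.stamps[src].append(now)
            return True
        return False

def ssh_whitelist(src):                        # the SSH_WHITELIST chain's -s matches
    return any(ipaddress.ip_address(src) in net for net in WHITELIST)

def input_chain(recent, log, src, now):
    """Verdict for one NEW SYN to dport 22, walking the INPUT rules in order."""
    recent.set(src, now)                       # --state NEW -m recent --set --name SSH
    if ssh_whitelist(src):                     # -j SSH_WHITELIST
        recent.remove(src)                     # --remove --name SSH -j ACCEPT
        return "ACCEPT"
    if recent.update(src, now, SECONDS, HITCOUNT):   # -j LOG: non-terminating
        log.append(f"SSH_brute_force: SRC={src} T={now}")
    if recent.update(src, now, SECONDS, HITCOUNT):   # -j DROP
        return "DROP"
    return "ACCEPT"                            # falls through to the rest of INPUT

def run(attempts):                             # [(time_s, src)] -> (verdicts, LOG lines)
    recent, log = RecentList(), []
    return [input_chain(recent, log, src, t) for t, src in attempts], log

# Constructed traffic: an untrusted host knocking every 10 s for a minute, then once
# more at t=130 after the 60 s window has aged out all of its earlier hits.
KNOCKER = [(t, "198.51.100.7") for t in range(0, 60, 10)] + [(130, "198.51.100.7")]
ADMIN = [(t, "10.0.0.5") for t in range(6)]    # whitelisted admin reconnecting every second
```

Running `run(KNOCKER)` shows the untrusted source accepted three times, dropped from its fourth attempt on, and accepted again once the window has passed, while `run(ADMIN)` is all ACCEPT with nothing logged, because whitelisted sources are removed from the list before the hit count is ever consulted.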