Gentoo Archives: gentoo-security

From: Alex Efros <powerman@×××××××.ua>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:55:50
Message-Id: 20051002225353.GN3481@home.power
In Reply to: RE: [gentoo-security] [OT?] automatically firewalling off IPs by Tad Glines
Hi!

On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> These are the rules that I'm using.
> 
> # Track connections to SSH
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
>    --dport 22 -m recent --name SSH --set
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
>    --dport 22 -m recent --name SSH --set
> 
> # Drop if connection rate exceeds 4/minute
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>    --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>    --rcheck --seconds 60 --hitcount 4 -j DROP
> 
> # Drop if connection rate exceeds 20/hour
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>    --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>    --rcheck --seconds 3600 --hitcount 20 -j DROP
What about DoS because of these rules? Imagine somebody runs SSH connections to your host every 10 seconds while you don't have an already-opened SSH connection to the server... In this case you will never have a chance to log in to your server (and fix this issue)?!

-- 
WBR, Alex.
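To make the quoted thresholds concrete, here is an added Python simulation (not code from this thread) of how the kernel's `recent` match evaluates `--set` and `--rcheck --seconds N --hitcount M` against a per-source-address timestamp list, which is the module's default keying (`--rsource`). The client addresses and timings are constructed, and the simulation assumes every accepted connection completes and closes, so that the quoted FIN,ACK / RST `--set` rules fire once per accepted connection.

```python
from collections import defaultdict

MAX_ENTRIES = 20                # ip_pkt_list_tot default: timestamps kept per address
RULES = ((60, 4), (3600, 20))   # (--seconds, --hitcount) pairs from the quoted rules


class RecentList:
    """One `--name SSH` table: source address -> timestamps (newest last).
    Keyed on source address because that is the module's default (--rsource)."""

    def __init__(self, max_entries=MAX_ENTRIES):
        self.max_entries = max_entries
        self.table = defaultdict(list)

    def set(self, src, now):
        """`--set`: record a hit for src, keeping only the newest max_entries."""
        hits = self.table[src]
        hits.append(now)
        del hits[:-self.max_entries]

    def rcheck(self, src, now, seconds, hitcount):
        """`--rcheck --seconds S --hitcount H`: True when >= H hits fall in the last S seconds.
        Unlike --update this records nothing, so a blocked attempt leaves no trace."""
        return sum(1 for t in self.table.get(src, ()) if now - t <= seconds) >= hitcount


def simulate(events):
    """events: (time_s, src) of connection attempts. Returns (time_s, src, verdict).
    An accepted connection is assumed to complete and close, which is what fires the
    FIN,ACK / RST --set rules in the quoted ruleset; a dropped SYN never gets that far."""
    ssh = RecentList()
    out = []
    for now, src in events:
        if any(ssh.rcheck(src, now, s, h) for s, h in RULES):
            out.append((now, src, "DROP"))
        else:
            out.append((now, src, "ACCEPT"))
            ssh.set(src, now)
    return out


# Constructed input: one client opens and closes SSH every 10 s for two minutes,
# while an admin at a different address logs in twice during that window.
EVENTS = sorted([(t, "198.51.100.7") for t in range(0, 130, 10)]
                + [(45, "203.0.113.5"), (75, "203.0.113.5")])

if __name__ == "__main__":
    for t, src, verdict in simulate(EVENTS):
        print(f"t={t:3d}s  {src:14s}  {verdict}")
```

Running it shows the 10-second client accepted four times, dropped for the remainder of its 60-second window, then accepted again once the oldest timestamps age out, while the second address keeps its own independent counter.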
