Gentoo Archives: gentoo-security

From: Marc Risse <gentoo@×××××××××.name>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:55:52
Message-Id: 4340670E.8060202@marcrisse.name
In Reply to: Re: [gentoo-security] [OT?] automatically firewalling off IPs by Alex Efros
Alex Efros wrote:

>Hi!
>
>On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
>
>>These are the rules that I'm using.
>>
>># Track connections to SSH
>>-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
>> --dport 22 -m recent --name SSH --set
>>-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
>> --dport 22 -m recent --name SSH --set
>>
>># Drop if connection rate exceeds 4/minute
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>> --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>> --rcheck --seconds 60 --hitcount 4 -j DROP
>>
>># Drop if connection rate exceeds 20/hour
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>> --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>> --rcheck --seconds 3600 --hitcount 20 -j DROP
>
>What about DoS because of these rules? Imagine somebody runs SSH
>connections to your host every 10 seconds while you don't have an
>already-opened SSH connection to the server... In this case you will
>never have a chance to log in to your server (and fix this issue)?!
>

iptables -N SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A SSH_WHITELIST -s 217.160.x.x -m recent --remove --name SSH \
  -j ACCEPT
iptables -A SSH_WHITELIST -s 10.0.0.0/8 -m recent --remove --name SSH \
  -j ACCEPT
iptables -A SSH_WHITELIST -s 212.184.x.x -m recent --remove --name SSH \
  -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix \
  "SSH_brute_force: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

Bye
Marc
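An added model of the bookkeeping that the `recent` match does behind the rules in this thread (illustration written for this page; it is not code from the thread or from netfilter). It replays NEW connections to port 22 through Marc's chain (`--set`, the SSH_WHITELIST `--remove`/ACCEPT, then `--update --seconds 60 --hitcount 4` for LOG and DROP) on a constructed sequence of attempts: one unlisted host connecting every 10 seconds, an admin on the whitelisted 10.0.0.0/8 network reconnecting even faster, and a third unrelated host. The addresses are constructed (192.0.2.10 stands in for the masked 217.160.x.x entry), the 20-stamp ring buffer per address is the `xt_recent` default (`ip_pkt_list_tot`), and `--rttl` is not modelled.

```python
from collections import deque
from ipaddress import ip_address, ip_network

PKT_LIST_TOT = 20     # xt_recent default: timestamps kept per address (ip_pkt_list_tot)
WINDOW_SECONDS = 60   # --seconds 60
HITCOUNT = 4          # --hitcount 4

# Constructed whitelist; 192.0.2.10 stands in for the masked 217.160.x.x host.
WHITELIST = [ip_network("192.0.2.10/32"), ip_network("10.0.0.0/8")]


class RecentTable:
    """One named list (--name SSH): source address -> ring buffer of timestamps."""

    def __init__(self):
        self.entries = {}

    def set(self, src, now):
        # --set: create the entry, or append another timestamp to an existing one
        self.entries.setdefault(src, deque(maxlen=PKT_LIST_TOT)).append(now)

    def remove(self, src):
        # --remove: forget the address entirely
        self.entries.pop(src, None)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds S --hitcount N: match when the address already has at
        # least N stamps inside the last S seconds.  On a match the current time is
        # appended too, so a host that keeps retrying keeps extending its own block.
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False


def ssh_filter(attempts):
    """Run the rule chain over (time_in_seconds, source_ip) NEW connections to :22.

    Verdicts: "ACCEPT" via SSH_WHITELIST, "DROP" when rate-limited, or "PASS" when
    the packet falls through to whatever rule follows (normally an ACCEPT).
    """
    table = RecentTable()
    verdicts = []
    for now, src in attempts:
        table.set(src, now)                                    # rule 1: --set
        if any(ip_address(src) in net for net in WHITELIST):   # -j SSH_WHITELIST
            table.remove(src)                                  #   --remove, -j ACCEPT
            verdicts.append("ACCEPT")
            continue
        if table.update(src, now, WINDOW_SECONDS, HITCOUNT):   # -j LOG rule matches
            table.update(src, now, WINDOW_SECONDS, HITCOUNT)   # -j DROP rule matches
            verdicts.append("DROP")
        else:
            verdicts.append("PASS")
    return verdicts


def run_scenario():
    """Constructed traffic, grouped per source: the lockout case raised in the thread."""
    attempts = (
        [(t, "203.0.113.5") for t in range(0, 60, 10)]   # unlisted host, every 10 s
        + [(t, "10.0.0.7") for t in range(0, 60, 5)]     # admin on whitelisted net, 12 NEW
        + [(30, "198.51.100.9")]                         # unrelated host, one attempt
        + [(130, "203.0.113.5")]                         # unlisted host after 60 s of silence
    )
    attempts.sort()
    verdicts = ssh_filter(attempts)
    by_src = {}
    for (_, src), verdict in zip(attempts, verdicts):
        by_src.setdefault(src, []).append(verdict)
    return by_src


if __name__ == "__main__":
    for src, verdicts in run_scenario().items():
        print(src, " ".join(verdicts))
```

The replay shows the list is keyed per source address: the unlisted host is dropped from its 4th connection within the minute onward and is only admitted again after it has been quiet for the full window, while the whitelisted admin and the unrelated host are never affected by it. In a live ruleset these rules sit ahead of the ACCEPT for port 22, and `--rttl` additionally requires a matching packet TTL before an existing entry is updated.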