List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Marc Risse <gentoo@...>
Subject: Re: [OT?] automatically firewalling off IPs
Date: Mon, 03 Oct 2005 01:02:38 +0200
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Alex Efros schrieb:
<blockquote cite="mid20051002225353.GN3481@..." type="cite">
  <pre wrap="">Hi!

On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
  </pre>
  <blockquote type="cite">
    <pre wrap="">These are the rules that I'm using.

# Track connections to SSH
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK
FIN,ACK \
   --dport 22 -m recent --name SSH --set
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
   --dport 22 -m recent --name SSH --set

# Drop if connection rate exceeds 4/minute
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix
"SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -j DROP

# Drop if connection rate exceeds 20/hour
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix
"SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -j DROP
    </pre>
  </blockquote>
  <pre wrap=""><!---->
What about DoS because of these rules? Imagine somebody run SSH
connections to your host every 10 seconds while you don't have
already-opened SSH connection to server...... In this case you never
will have a chance to log in to your server (and fix this issue)?!

  </pre>
</blockquote>
<br>
<pre wrap="">iptables -N SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A SSH_WHITELIST -s 217.160.x.x -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 10.0.0.0/8 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 212.184.x.x -m recent --remove --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
   --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
   --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
</pre>
<br>
Bye<br>
Marc<br>
<br>
<br>
<br>
</body>
</html>
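As an added illustration (not code from the thread), here is a small Python model of the xt_recent match semantics (--set, --rcheck, --update, --remove) run over a constructed connection timeline against Marc's ruleset above. The addresses, the 60 s / 4-hit window and the "PASS" verdict for packets that match nothing are constructed or assumed; --rttl and the per-entry stamp limit (ip_pkt_list_tot) are deliberately not modelled. Since the recent list is keyed by source address, the trace also shows that a non-whitelisted client at a different address is not affected by the attacker's entries.

```python
from collections import defaultdict

WINDOW, HITCOUNT = 60, 4                 # --seconds 60 --hitcount 4
WHITELIST = {"203.0.113.10"}             # constructed stand-in for the 217.160.x.x / 10.0.0.0/8 entries

class RecentList:
    """One named list (--name SSH): source address -> timestamps of its hits.
    Simplification: --rttl and the per-entry stamp limit (ip_pkt_list_tot) are not modelled."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):                 # --set: record a hit for this source
        self.stamps[src].append(now)

    def rcheck(self, src, now):              # --rcheck: >= HITCOUNT hits inside the window?
        if src not in self.stamps:
            return False
        return sum(1 for t in self.stamps[src] if now - t <= WINDOW) >= HITCOUNT

    def update(self, src, now):              # --update: like --rcheck, but refresh the entry on a match
        matched = self.rcheck(src, now)
        if matched:
            self.stamps[src].append(now)
        return matched

    def remove(self, src):                   # --remove: forget this source entirely
        self.stamps.pop(src, None)

def filter_new_ssh(ssh, src, now):
    """Walk Marc's INPUT rules for one NEW packet to port 22 and return the verdict."""
    ssh.set(src, now)                        # ... --state NEW -m recent --set --name SSH
    if src in WHITELIST:                     # -j SSH_WHITELIST: -s <addr> -m recent --remove -j ACCEPT
        ssh.remove(src)
        return "ACCEPT"
    ssh.update(src, now)                     # --update ... -j LOG  (LOG is non-terminating)
    if ssh.update(src, now):                 # --update ... -j DROP
        return "DROP"
    return "PASS"                            # no match: packet continues down the INPUT chain (assumed)

def demo():
    """Constructed timeline: an attacker reconnecting every 10 s, one ordinary client,
    and a whitelisted admin, all hitting the same list. Returns {src: [verdicts]}."""
    attacker, client, admin = "198.51.100.7", "192.0.2.20", "203.0.113.10"
    events = sorted([(t, attacker) for t in range(0, 120, 10)] + [(65, admin), (66, admin), (70, client)])
    ssh, verdicts = RecentList(), defaultdict(list)
    for t, src in events:
        verdicts[src].append(filter_new_ssh(ssh, src, t))
    return dict(verdicts)
```

The attacker's fourth NEW connection inside 60 s matches the --update rules and every later attempt keeps refreshing the entry, so it stays dropped; the admin is removed from the list and accepted each time, and the ordinary client passes untouched.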
References:
[OT?] automatically firewalling off IPs
-- Jeremy Brake
RE: [OT?] automatically firewalling off IPs
-- Tad Glines
Re: [OT?] automatically firewalling off IPs
-- Alex Efros