List Archive: gentoo-security
On Tuesday 09 November 2004 02:52 pm, William Yang wrote:
> Philipp Kern wrote:
> > On Tue, 2004-11-09 at 15:43, William Yang wrote:
> >>There's an awful lot of "intrusion prevention" or "active response IDS"
> >>[and insert your favorite en-vogue terminology] out there in the market,
> >>and people buy it.
> > Yes. But the software you mentioned doesn't block your own hosts as a
> > simple shellscript would do. That's what the original poster wanted... a
> > more or less ``simple'' script to parse /var/log/secure and block the
> > IPs using iptables.
> Uhm... I suppose I read the request a little less literally. It seems
> pretty clear -- at least to me -- that the original poster's idea is to
> limit ssh port probing using the features of the kernel-level firewall.
> "Simple" seems to be a somewhat relative term here. I take simple to
> be "the smallest amount of logic needed to accomplish the goal with the
> fewest adverse effects" rather than "the smallest amount of logic
That would be correct. SSH and the iptables rules are already configured to
do some handling on spoofed packets, so the utility of this type of active
defense as a DoS attack is pretty limited. I suppose if I really wanted to
avoid possible DoS, I could add a rule chain before the INPUT chain that
explicitly allowed my IPs and sent all the packets past the INPUT chain to
the rule chain that defines more fine-grained access control. I just don't
see DoS as a real threat, since the packets need to handshake before the login
can progress anyway, which requires a real routable address, presumably
outside my network.
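A script of the kind the thread is discussing, added here as an example (it is not code from any poster): it counts sshd failures per source address in /var/log/secure-style lines and emits iptables rules, with a trusted chain for our own hosts placed ahead of the block chain as the reply proposes. Chain names, the threshold and the addresses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: count sshd login failures per
# source address in /var/log/secure-style lines and emit iptables commands
# that drop repeat offenders. The trusted chain (our own hosts) is consulted
# before the block chain, so the script cannot lock the admin out.
# Assumptions: chain names, threshold and the whitelist are placeholders.

THRESHOLD=${THRESHOLD:-3}
WHITELIST=${WHITELIST:-"192.0.2.10 198.51.100.7"}   # constructed: our own hosts
TRUSTED=SSH_TRUSTED
BLOCK=SSH_BLOCK

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG='Nov  9 14:52:01 gw sshd[123]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Nov  9 14:52:03 gw sshd[124]: Failed password for root from 203.0.113.5 port 4322 ssh2
Nov  9 14:52:05 gw sshd[125]: Failed password for root from 203.0.113.5 port 4323 ssh2
Nov  9 14:52:07 gw sshd[126]: Failed password for bob from 203.0.113.77 port 4324 ssh2
Nov  9 14:53:01 gw sshd[127]: Failed password for bob from 192.0.2.10 port 5001 ssh2
Nov  9 14:53:02 gw sshd[128]: Failed password for bob from 192.0.2.10 port 5002 ssh2
Nov  9 14:53:03 gw sshd[129]: Failed password for bob from 192.0.2.10 port 5003 ssh2
Nov  9 14:53:09 gw sshd[130]: Accepted publickey for bob from 192.0.2.10 port 5004 ssh2'

# stdin: log lines; stdout: addresses with >= THRESHOLD failures, one per line.
offenders() {
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i < NF; i++) if ($i == "from") n[$(i + 1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip }' | sort
}

# stdin: log lines; stdout: iptables commands (printed, not executed, so they
# can be reviewed first; pipe into sh to apply).
emit_rules() {
    echo "iptables -N $TRUSTED 2>/dev/null"
    echo "iptables -N $BLOCK 2>/dev/null"
    for h in $WHITELIST; do
        echo "iptables -A $TRUSTED -s $h -j ACCEPT"      # own hosts accepted first
    done
    echo "iptables -A $TRUSTED -j $BLOCK"                # everyone else is checked
    echo "iptables -I INPUT 1 -p tcp --dport 22 -j $TRUSTED"
    offenders | while read -r ip; do
        case " $WHITELIST " in *" $ip "*) continue ;; esac   # belt and braces
        echo "iptables -A $BLOCK -s $ip -p tcp --dport 22 -j DROP"
    done
}

printf '%s\n' "$SAMPLE_LOG" | emit_rules
```

Re-running the emitted commands appends duplicate rules, so flush the two chains (iptables -F on each) before applying a fresh set.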