Hi!

On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> These are the rules that I'm using.
>
> # Track connections to SSH
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
> --dport 22 -m recent --name SSH --set
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
> --dport 22 -m recent --name SSH --set
>
> # Drop if connection rate exceeds 4/minute
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 60 --hitcount 4 -j DROP
>
> # Drop if connection rate exceeds 20/hour
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 3600 --hitcount 20 -j DROP

What about DoS because of these rules? Imagine somebody runs SSH
connections to your host every 10 seconds while you don't have an
already-opened SSH connection to the server... In this case you will
never have a chance to log in to your server (and fix this issue)?!

--
WBR, Alex.
--
gentoo-security@g.o mailing list
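As an added illustration (not part of the thread), this Python simulation models the xt_recent semantics the quoted rules rely on (entries keyed by source address, a ring of 20 timestamps per entry, --set appending a stamp, --rcheck counting the stamps inside the --seconds window) and walks the constructed scenario from the reply: one source that opens and closes an SSH session every 10 seconds, plus an unrelated source logging in once. The final ACCEPT fall-through and the LOG rule giving no verdict are assumptions, since the quoted fragment shows no chain policy.

```python
import collections

IP_PKT_LIST_TOT = 20  # xt_recent default: timestamps kept per address (--hitcount cannot exceed it)


class RecentList:
    """One 'recent' list (here --name SSH), keyed by source address (the default --rsource)."""

    def __init__(self):
        self.stamps = collections.defaultdict(collections.deque)

    def set(self, src, now):
        """--set: create the entry or append a timestamp to the existing one."""
        ring = self.stamps[src]
        ring.append(now)
        if len(ring) > IP_PKT_LIST_TOT:
            ring.popleft()  # oldest stamp is overwritten, as in the kernel ring buffer

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: match if >= N stamps lie in the last S seconds."""
        hits = sum(1 for t in self.stamps.get(src, ()) if t >= now - seconds)
        return hits >= hitcount


def ssh_chain(recent, now, src, state, flags):
    """Walk the quoted INPUT rules for one packet to tcp/22; ACCEPT is the assumed fall-through."""
    # "Track connections to SSH": a client-sent FIN/ACK or RST on an established session
    if state == "ESTABLISHED" and (flags >= {"FIN", "ACK"} or "RST" in flags):
        recent.set(src, now)
    # "Drop if connection rate exceeds 4/minute" (the LOG rule is omitted; it gives no verdict)
    if recent.rcheck(src, now, 60, 4):
        return "DROP"
    # "Drop if connection rate exceeds 20/hour"
    if recent.rcheck(src, now, 3600, 20):
        return "DROP"
    return "ACCEPT"


def session(recent, t, src):
    """A short SSH session from src at time t: the SYN, then the client's FIN one second later."""
    verdict = ssh_chain(recent, t, src, "NEW", {"SYN"})
    if verdict == "ACCEPT":  # a dropped SYN never becomes an established session, so no FIN
        ssh_chain(recent, t + 1, src, "ESTABLISHED", {"FIN", "ACK"})
    return verdict


def scenario():
    """Constructed input: 10.0.0.5 churns a session every 10 s; 10.0.0.9 logs in once at t=45."""
    recent = RecentList()
    out = [(t, "10.0.0.5", session(recent, t, "10.0.0.5")) for t in range(0, 120, 10)]
    out.append((45, "10.0.0.9", session(recent, 45, "10.0.0.9")))
    return out
```

The churning source is dropped from its fifth attempt on, is let back in once enough stamps age out of the 60-second window, and trips the threshold again; the other source's entry is separate, so its login is unaffected.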