Gentoo Archives: gentoo-security

From: Alex Efros <powerman@×××××××.ua>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Mon, 31 Oct 2011 03:55:50
Message-Id: 20051002225353.GN3481@home.power
In Reply to: RE: [gentoo-security] [OT?] automatically firewalling off IPs by Tad Glines
Hi!

On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> These are the rules that I'm using.
>
> # Track connections to SSH
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
> --dport 22 -m recent --name SSH --set
> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
> --dport 22 -m recent --name SSH --set
>
> # Drop if connection rate exceeds 4/minute
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 60 --hitcount 4 -j DROP
>
> # Drop if connection rate exceeds 20/hour
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> --rcheck --seconds 3600 --hitcount 20 -j DROP

What about DoS because of these rules? Imagine somebody runs SSH
connections to your host every 10 seconds while you don't have an
already-opened SSH connection to the server... In this case you will
never have a chance to log in to your server (and fix this issue)?!

--
WBR, Alex.
--
gentoo-security@g.o mailing list
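To see what the quoted rules actually track, here is an added Python model of the iptables `recent` match (example code written for this archive page, not from either poster): it keeps one timestamp list per source address, as xt_recent does, and replays the timeline from the message above with two constructed addresses, one closing an SSH session every 10 seconds and an admin connecting from elsewhere. The 20-timestamps-per-address cap is xt_recent's default `ip_pkt_list_tot`; the addresses and times are constructed.

```python
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20   # xt_recent default: timestamps remembered per source address


class RecentList:
    """Model of the iptables 'recent' match: one timestamp list per source address."""

    def __init__(self, max_hits=IP_PKT_LIST_TOT):
        self.hits = defaultdict(lambda: deque(maxlen=max_hits))

    def set(self, src, now):
        # '--set': record this packet's arrival time under its source address
        self.hits[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        # '--rcheck --seconds N --hitcount H': match if at least H recorded
        # hits from src fall within the last N seconds (no timestamp is updated)
        recent = [t for t in self.hits[src] if now - t <= seconds]
        return len(recent) >= hitcount


SSH_LIMITS = ((60, 4), (3600, 20))   # the two DROP rules quoted above


def ssh_new_connection_dropped(table, src, now):
    """True if either quoted DROP rule would match a packet to port 22 from src."""
    return any(table.rcheck(src, now, s, h) for s, h in SSH_LIMITS)


def run_scenario():
    """Constructed timeline: one address closes an SSH session every 10 s
    (each FIN,ACK hits a '--set' rule); an admin elsewhere connects at t=35."""
    table = RecentList()
    closer, admin = "203.0.113.5", "198.51.100.7"   # constructed addresses
    for t in (0, 10, 20, 30):
        table.set(closer, t)
    result = {
        # four hits inside 60 s: the closing address is now dropped
        "closer_at_35": ssh_new_connection_dropped(table, closer, 35),
        # the list is keyed by source address, so the admin has no entry
        "admin_at_35": ssh_new_connection_dropped(table, admin, 35),
        # at t=61 the hit at t=0 has aged out; only three remain in the window
        "closer_at_61": ssh_new_connection_dropped(table, closer, 61),
    }
    return result
```

Because the entry is keyed by source address, a lock-out hits only addresses that share it (for instance several hosts behind one NAT), and the FIN,ACK/RST rules count every session your own management address closes, so four short sessions within a minute from that address would block its fifth.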

Replies

Subject Author
RE: [gentoo-security] [OT?] automatically firewalling off IPs Tad Glines <tad@××××××.com>
Re: [gentoo-security] [OT?] automatically firewalling off IPs Marc Risse <gentoo@×××××××××.name>