Alex Efros wrote:

>Hi!
>
>On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
>
>
>>These are the rules that I'm using.
>>
>># Track connections to SSH
>>-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
>>  --dport 22 -m recent --name SSH --set
>>-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
>>  --dport 22 -m recent --name SSH --set
>>
>># Drop if connection rate exceeds 4/minute
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>  --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>  --rcheck --seconds 60 --hitcount 4 -j DROP
>>
>># Drop if connection rate exceeds 20/hour
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>  --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
>>-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>  --rcheck --seconds 3600 --hitcount 20 -j DROP
>>
>>
>
>What about DoS because of these rules? Imagine somebody runs SSH
>connections to your host every 10 seconds while you don't have an
>already-opened SSH connection to the server... In this case you will never
>have a chance to log in to your server (and fix this issue)?!
>
>
>

iptables -N SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A SSH_WHITELIST -s 217.160.x.x -m recent --remove --name SSH \
  -j ACCEPT
iptables -A SSH_WHITELIST -s 10.0.0.0/8 -m recent --remove --name SSH \
  -j ACCEPT
iptables -A SSH_WHITELIST -s 212.184.x.x -m recent --remove --name SSH \
  -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix \
  "SSH_brute_force: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

Bye
Marc
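As an added illustration (not code from the thread), here is a small Python model of the `recent --name SSH` list as Marc's ruleset above drives it, walking one NEW SSH packet through `--set`, the `SSH_WHITELIST` `--remove`, and the `--update --seconds 60 --hitcount 4` drop. The whitelist networks and source addresses are constructed samples standing in for the `x.x` placeholders in the post; `--rttl` and the module's per-entry stamp limit are left out as simplifications.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-ins for the -s arguments in the SSH_WHITELIST chain.
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.7/32")]
SECONDS, HITCOUNT = 60, 4  # --update --seconds 60 --hitcount 4


class RecentList:
    """Per-source timestamps, mimicking '-m recent --name SSH' (simplified)."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):  # --set: record this packet for the source
        self.stamps[src].append(now)

    def remove(self, src):  # --remove: forget the source entirely
        self.stamps.pop(src, None)

    def update(self, src, now):  # --update: match if >= HITCOUNT hits in window
        recent = [t for t in self.stamps.get(src, []) if now - t <= SECONDS]
        hit = len(recent) >= HITCOUNT
        if hit:  # the kernel refreshes the entry only when the match succeeds
            self.stamps[src].append(now)
        return hit


def new_ssh_connection(rl, src, now):
    """Evaluate one NEW packet to dport 22 against the posted rule order."""
    rl.set(src, now)  # every NEW packet is recorded first
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in WHITELIST):  # -j SSH_WHITELIST
        rl.remove(src)  # trusted sources are cleared and accepted
        return "ACCEPT"
    if rl.update(src, now):  # LOG "SSH_brute_force: " then DROP
        return "DROP"
    return "ACCEPT"  # falls through to whatever follows in INPUT


def simulate(src, times):
    """Verdicts for a series of connection attempts at the given seconds."""
    rl = RecentList()
    return [new_ssh_connection(rl, src, t) for t in times]
```

A non-whitelisted source connecting every 10 seconds is dropped from the fourth attempt on and is admitted again once a full 60-second window has passed, while a whitelisted source is never counted, which is the lockout Alex describes and the escape hatch Marc's chain provides.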