These rules only block out the offending IP. All others remain unblocked.

> -----Original Message-----
> From: Alex Efros [mailto:powerman@×××××××.ua]
> Sent: Sunday, October 02, 2005 3:54 PM
> To: gentoo-security@l.g.o
> Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
>
> Hi!
>
> On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> > These are the rules that I'm using.
> >
> > # Track connections to SSH
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
> >   --dport 22 -m recent --name SSH --set
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
> >   --dport 22 -m recent --name SSH --set
> >
> > # Drop if connection rate exceeds 4/minute
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 60 --hitcount 4 -j DROP
> >
> > # Drop if connection rate exceeds 20/hour
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 3600 --hitcount 20 -j DROP
>
> What about DoS because of these rules? Imagine somebody runs SSH
> connections to your host every 10 seconds while you don't have an
> already-opened SSH connection to the server... In this case you will
> never have a chance to log in to your server (and fix this issue)?!
>
> --
> WBR, Alex.
> --
> gentoo-security@g.o mailing list

--
gentoo-security@g.o mailing list
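To make the reply's point concrete (the `recent` list is keyed by source address, so only the source that trips the threshold is dropped, and the block lifts once its hits age out of the window), here is a small Python model of what the quoted rules do. It is an added illustration, not code from the thread; it assumes an ESTABLISHED/RELATED accept rule precedes the quoted ones (so only fresh connection attempts reach the DROP rules) and ignores xt_recent's default per-entry hit cap (`ip_pkt_list_tot`). The addresses and timeline are constructed sample values.

```python
from collections import defaultdict

# (--seconds, --hitcount) pairs taken from the two DROP rules in the thread
WINDOWS = ((60, 4), (3600, 20))

class RecentList:
    """Minimal model of one xt_recent table ('--name SSH'), keyed by source IP."""
    def __init__(self):
        self.hits = defaultdict(list)   # source ip -> timestamps of --set hits

    def set(self, ip, now):
        """--set: record a hit (fires on FIN,ACK or RST of an ESTABLISHED flow to port 22)."""
        self.hits[ip].append(now)

    def rcheck(self, ip, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: match when ip has >= N hits within the last S seconds."""
        return sum(1 for t in self.hits.get(ip, ()) if now - t <= seconds) >= hitcount

def new_ssh_connection_allowed(table, ip, now):
    """Verdict for a fresh packet to port 22 from ip: DROP if either window's threshold is met."""
    return not any(table.rcheck(ip, now, s, n) for s, n in WINDOWS)

def simulate(events):
    """events: (time_s, ip, 'close'|'syn'); returns (time, ip, verdict) for every 'syn'."""
    table = RecentList()
    verdicts = []
    for now, ip, kind in sorted(events):
        if kind == "close":
            table.set(ip, now)          # connection teardown observed -> hit recorded
        else:
            ok = new_ssh_connection_allowed(table, ip, now)
            verdicts.append((now, ip, "ACCEPT" if ok else "DROP"))
    return verdicts

def scenario():
    """Constructed timeline: one source opens and closes SSH every 10 s; the admin connects once."""
    noisy, admin = "198.51.100.7", "203.0.113.5"   # constructed sample addresses
    events = []
    for t in range(0, 40, 10):
        events += [(t, noisy, "syn"), (t + 1, noisy, "close")]
    events += [(40, noisy, "syn"),                          # 4 closes within 60 s -> dropped
               (45, admin, "syn"), (46, admin, "close"),    # a different source is unaffected
               (100, noisy, "syn")]                         # hits aged out of the 60 s window
    return simulate(events)

if __name__ == "__main__":
    for now, ip, verdict in scenario():
        print(f"t={now:3d}s {ip:14s} {verdict}")
```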