Gentoo Archives: gentoo-security

From: Tad Glines <tad@××××××.com>
To: gentoo-security@l.g.o
Subject: RE: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Thu, 06 Oct 2005 01:46:25
Message-Id: 000001c5ca16$efd98b30$0200080a@SPRITE
In Reply to: Re: [gentoo-security] [OT?] automatically firewalling off IPs by Alex Efros
These rules only block out the offending IP. All others remain un-blocked.

> -----Original Message-----
> From: Alex Efros [mailto:powerman@×××××××.ua]
> Sent: Sunday, October 02, 2005 3:54 PM
> To: gentoo-security@l.g.o
> Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
>
> Hi!
>
> On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> > These are the rules that I'm using.
> >
> > # Track connections to SSH
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
> >   --dport 22 -m recent --name SSH --set
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
> >   --dport 22 -m recent --name SSH --set
> >
> > # Drop if connection rate exceeds 4/minute
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 60 --hitcount 4 -j DROP
> >
> > # Drop if connection rate exceeds 20/hour
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >   --rcheck --seconds 3600 --hitcount 20 -j DROP
>
> What about DoS because of these rules? Imagine somebody runs SSH
> connections to your host every 10 seconds while you don't have an
> already-opened SSH connection to the server...... In this case you will
> never have a chance to log in to your server (and fix this issue)?!
>
> --
> WBR, Alex.
> --
> gentoo-security@g.o mailing list


--
gentoo-security@g.o mailing list
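Added illustration (not part of the thread): a small Python model of how the `recent` match in the posted ruleset behaves, so the two points in dispute can be checked without a live firewall. It models one `--name SSH` list: each FIN/ACK or RST on an ESTABLISHED flow is a `--set` hit for the source address, and a new SYN is dropped when `--rcheck --seconds N --hitcount M` finds at least M hits within N seconds. Like the kernel's xt_recent, the list keeps only the last `ip_pkt_list_tot` (default 20) timestamps per address, which is why `--hitcount 20` is the largest value that can ever match with the default module parameters. The source addresses, timings and session length below are constructed for the demo and are not from the thread; the state is per source address, which is what makes Tad's answer hold: the reconnecting host ends up dropped while another address logging in during the same minute is still accepted, and because `--rcheck` (unlike `--update`) does not refresh the timestamp, the block is a rate limit that ages out rather than a permanent ban.

```python
import heapq
from collections import defaultdict, deque

# Kernel default for the xt_recent module parameter ip_pkt_list_tot:
# only this many --set timestamps are remembered per source address,
# so --hitcount above it can never match.
IP_PKT_LIST_TOT = 20


class RecentList:
    """Toy model of one iptables 'recent' list (the --name SSH list above)."""

    def __init__(self, pkt_list_tot=IP_PKT_LIST_TOT):
        self.pkt_list_tot = pkt_list_tot
        self.hits = defaultdict(deque)  # source address -> timestamps of --set hits

    def set(self, ip, now):
        """--set: record a hit for ip, keeping only the newest pkt_list_tot entries."""
        q = self.hits[ip]
        q.append(now)
        while len(q) > self.pkt_list_tot:
            q.popleft()

    def rcheck(self, ip, now, seconds, hitcount):
        """--rcheck --seconds --hitcount: True if ip has >= hitcount hits in the window."""
        q = self.hits.get(ip)
        if not q:
            return False
        in_window = sum(1 for t in q if now - t <= seconds)
        return in_window >= hitcount


def ssh_decision(recent, ip, now):
    """Verdict for a new SYN to port 22, in the order of the posted DROP rules."""
    if recent.rcheck(ip, now, 60, 4):
        return "DROP (4/min)"
    if recent.rcheck(ip, now, 3600, 20):
        return "DROP (20/hour)"
    return "ACCEPT"  # whatever ACCEPT rule follows the DROP rules


def simulate(attempts, session_len=1):
    """Run SYN attempts [(time, ip), ...] through the rules.

    An accepted connection is assumed (constructed) to close session_len
    seconds later; that FIN/ACK is what triggers --set. A dropped SYN never
    establishes, so it generates no hit.
    """
    recent = RecentList()
    queue = [(t, ip, "syn") for t, ip in attempts]
    heapq.heapify(queue)
    decisions = []
    while queue:
        now, ip, kind = heapq.heappop(queue)
        if kind == "close":
            recent.set(ip, now)
            continue
        verdict = ssh_decision(recent, ip, now)
        decisions.append((now, ip, verdict))
        if verdict == "ACCEPT":
            heapq.heappush(queue, (now + session_len, ip, "close"))
    return decisions


def demo_fast_reconnect():
    """Alex's scenario: one host reconnects every 10 s; the admin logs in once at t=45."""
    attacker, admin = "10.0.0.99", "10.0.0.5"  # constructed addresses
    attempts = [(i * 10, attacker) for i in range(8)] + [(45, admin)]
    return simulate(attempts)


def demo_slow_reconnect():
    """One host reconnects every 20 s: stays under 4/min but trips 20/hour at the 21st try."""
    attempts = [(i * 20, "10.0.0.77") for i in range(21)]  # constructed address
    return simulate(attempts)


if __name__ == "__main__":
    for row in demo_fast_reconnect():
        print("%4ds  %-10s %s" % row)
    print(demo_slow_reconnect()[-2:])
```

Reading the output of `demo_fast_reconnect()`: the reconnecting host is accepted four times, dropped at t=40, 50 and 60 while four closes fall inside the 60-second window, and accepted again at t=70 once the oldest hit has aged out; the admin's login at t=45 is accepted because the list has no hits for that address. `demo_slow_reconnect()` shows the second rule: three connections a minute never reach `--hitcount 4`, but the 20th completed connection fills the hour window and the 21st SYN is dropped.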

Replies

Subject Author
Re: [gentoo-security] [OT?] automatically firewalling off IPs Matan Peled <chaosite@×××××.com>