RE: [gentoo-security] [OT?] automatically firewalling off IPs

public inbox for gentoo-security@lists.gentoo.org
 help / color / mirror / Atom feed

From: "Tad Glines" <tad@glines.com>
To: <gentoo-security@lists.gentoo.org>
Subject: RE: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Wed, 5 Oct 2005 18:40:28 -0700	[thread overview]
Message-ID: <000001c5ca16$efd98b30$0200080a@SPRITE> (raw)
In-Reply-To: <20051002225353.GN3481@home.power>

These rules only block out the offending IP. All others remain un-blocked.

> -----Original Message-----
> From: Alex Efros [mailto:powerman@sky.net.ua]
> Sent: Sunday, October 02, 2005 3:54 PM
> To: gentoo-security@lists.gentoo.org
> Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
> 
> Hi!
> 
> On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> > These are the rules that I'm using.
> >
> > # Track connections to SSH
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK
> > FIN,ACK \
> >    --dport 22 -m recent --name SSH --set
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST
> \
> >    --dport 22 -m recent --name SSH --set
> >
> > # Drop if connection rate exceeds 4/minute
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >    --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix
> > "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >    --rcheck --seconds 60 --hitcount 4 -j DROP
> >
> > # Drop if connection rate exceeds 20/hour
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >    --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix
> > "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >    --rcheck --seconds 3600 --hitcount 20 -j DROP
> 
> What about DoS because of these rules? Imagine somebody run SSH
> connections to your host every 10 seconds while you don't have
> already-opened SSH connection to server...... In this case you never
> will have a chance to log in to your server (and fix this issue)?!
> 
> --
> 			WBR, Alex.
> --
> gentoo-security@gentoo.org mailing list


-- 
gentoo-security@gentoo.org mailing list

next prev parent reply	other threads:[~2005-10-06  1:46 UTC|newest]

Thread overview: 47+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-10-02 21:10 [gentoo-security] [OT?] automatically firewalling off IPs Jeremy Brake
2005-10-02 21:19 ` MaxieZ
2005-10-02 22:29   ` J Holder
2005-10-03  2:52     ` Brian Micek
2005-10-03 13:01   ` David vasil
2005-10-03 13:18     ` rpfc
2005-10-03 17:06       ` Kirk Hoganson
2005-10-04 16:25         ` boger
2005-10-04 17:16           ` Kirk Hoganson
2005-10-04 18:42             ` boger
2005-10-04 20:30               ` Kirk Hoganson
2005-10-04 20:42                 ` boger
2005-10-04 19:45             ` [gentoo-security] Port knocking Tobias Sager
2005-10-04 20:20               ` boger
2005-10-02 21:24 ` [gentoo-security] [OT?] automatically firewalling off IPs Tad Glines
2005-10-02 22:53   ` Alex Efros
2005-10-02 23:02     ` Marc Risse
2005-10-06  1:40     ` Tad Glines [this message]
2005-10-06  8:13       ` Matan Peled
2005-10-06  9:15         ` William Kenworthy
2005-10-06 10:19           ` Matan Peled
2005-10-06 12:44             ` William Kenworthy
2005-10-06 21:02             ` Kirk Hoganson
2005-10-06 21:05               ` Brian Micek
2005-10-07  2:37         ` Tad Glines
2005-10-07 18:47           ` Eric Paynter
2005-10-08 13:40             ` RADDS Support Team
2005-10-02 21:33 ` DeadManMoving
2005-10-02 21:37 ` Hemmann, Volker Armin
2005-10-02 21:56   ` Alec Joseph Warner
2005-10-02 22:13   ` xyon
2005-10-02 21:53 ` Hassan El-Masri
2005-10-02 21:57 ` Andreas Waschbuesch
2005-10-02 22:20 ` darren kirby
2005-10-03  7:53 ` Christophe Garault
2005-10-03  8:29   ` Jerry Eastmanhouser
2005-10-03 10:58 ` Dave Strydom [i*]Group
2005-10-03 12:25 ` Oscar Carlsson
2005-10-03 13:29 ` Dan Shookowsky
2005-10-03 23:26 ` Jeremy Brake
2005-10-04  6:15   ` Joerg Mertin
2005-10-04  8:55     ` Dave Strydom
2005-10-04 14:45       ` Kyle Lutze
2005-10-04 14:49         ` Dave Strydom
2005-10-04 17:42           ` Kyle Lutze
2005-10-04 17:52           ` Neil Cherry
2005-10-05 16:46       ` Robert Larson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='000001c5ca16$efd98b30$0200080a@SPRITE' \
    --to=tad@glines.com \
    --cc=gentoo-security@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox