From: "Tad Glines"
Subject: RE: [gentoo-security] [OT?] automatically firewalling off IPs
Date: Wed, 5 Oct 2005 18:40:28 -0700
Message-ID: <000001c5ca16$efd98b30$0200080a@SPRITE>
In-Reply-To: <20051002225353.GN3481@home.power>
List-Id: Gentoo Linux mail
Reply-to: gentoo-security@lists.gentoo.org

These rules only block out the offending IP. All others remain unblocked.

> -----Original Message-----
> From: Alex Efros [mailto:powerman@sky.net.ua]
> Sent: Sunday, October 02, 2005 3:54 PM
> To: gentoo-security@lists.gentoo.org
> Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
>
> Hi!
>
> On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
> > These are the rules that I'm using.
> >
> > # Track connections to SSH
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
> >     --dport 22 -m recent --name SSH --set
> > -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
> >     --dport 22 -m recent --name SSH --set
> >
> > # Drop if connection rate exceeds 4/minute
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >     --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >     --rcheck --seconds 60 --hitcount 4 -j DROP
> >
> > # Drop if connection rate exceeds 20/hour
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >     --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
> > -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
> >     --rcheck --seconds 3600 --hitcount 20 -j DROP
>
> What about DoS because of these rules? Imagine somebody runs SSH
> connections to your host every 10 seconds while you don't have an
> already-open SSH connection to the server... In this case you will
> never have a chance to log in to your server (and fix this issue)?!
>
> --
> WBR, Alex.
> --
> gentoo-security@gentoo.org mailing list

--
gentoo-security@gentoo.org mailing list
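The exchange turns on how the `recent` module keys its counters. The following is an added example, not code from the thread or from either poster: a simplified Python model of the `--set` / `--rcheck --seconds --hitcount` logic behind the quoted rules, driven by a constructed scenario (one source connecting and disconnecting every 10 seconds, the admin arriving from a different address). It assumes the chain accepts port 22 traffic that matches no DROP rule and that each accepted session is closed by the client one second later, which is what the ESTABLISHED FIN,ACK rule records; the real module's fixed per-address hit-list size is not modelled.

```python
"""Simplified model of the iptables `recent` module as used in the rules
quoted above. Added example, not code from the thread. One hit list is
kept per source address and the two `--rcheck` rules are evaluated in
chain order. Real `recent` details (fixed per-address hit list size,
kernel timing) are omitted; addresses and timings below are constructed."""

from collections import defaultdict


class RecentTable:
    """One `-m recent --name <list>` table: per-source timestamps of hits."""

    def __init__(self):
        self.hits = defaultdict(list)  # source ip -> list of hit times (s)

    def set(self, ip, now):
        """`--set`: record a hit for this source (the FIN,ACK / RST rules)."""
        self.hits[ip].append(now)

    def rcheck(self, ip, now, seconds, hitcount):
        """`--rcheck --seconds S --hitcount H`: match when the source has at
        least H recorded hits within the last S seconds; the check itself
        does not update the list."""
        in_window = [t for t in self.hits[ip] if now - t <= seconds]
        return len(in_window) >= hitcount


def ssh_decision(table, ip, now):
    """Evaluate the quoted rules for one packet to port 22 from `ip`.
    The LOG rules are non-terminating, so only the DROP rules decide;
    nothing matching falls through to ACCEPT (assumed chain behaviour)."""
    if table.rcheck(ip, now, seconds=60, hitcount=4):
        return "DROP:4/min"
    if table.rcheck(ip, now, seconds=3600, hitcount=20):
        return "DROP:20/hour"
    return "ACCEPT"


def simulate(attempts):
    """attempts: list of (time, source ip) connection attempts. Every accepted
    attempt is assumed to be a short session the client closes one second
    later, which the ESTABLISHED FIN,ACK rule records with --set.
    Returns [(time, ip, verdict), ...] in time order."""
    table = RecentTable()
    verdicts = []
    for t, ip in sorted(attempts):
        verdict = ssh_decision(table, ip, t)
        verdicts.append((t, ip, verdict))
        if verdict == "ACCEPT":
            table.set(ip, t + 1)
    return verdicts


def demo():
    """Alex's scenario: one source opens and closes SSH every 10 s; the admin
    connects from a different address at t=45. Returns {(time, ip): verdict}."""
    noisy, admin = "203.0.113.7", "198.51.100.5"  # constructed sample IPs
    attempts = [(t, noisy) for t in range(0, 60, 10)] + [(45, admin)]
    return {(t, ip): v for t, ip, v in simulate(attempts)}


if __name__ == "__main__":
    for (t, ip), verdict in sorted(demo().items()):
        print(f"t={t:3d}s  {ip:14s}  {verdict}")
```

Running the demo shows the point Tad makes: the noisy source is dropped from its fifth attempt onwards (four closed sessions inside 60 seconds), while the admin's attempt from another address at t=45 is accepted because the counter is keyed on the source IP. Two caveats follow from the same model. Anyone sharing the offending source address (for example behind the same NAT) shares its counter and is dropped with it. And the quoted `--rcheck` rules carry no `--state` match, so unless an earlier rule in the chain accepts ESTABLISHED traffic, packets of an already-open session from a source that trips the counter are dropped as well.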