From: Marc Risse
Date: Mon, 03 Oct 2005 01:02:38 +0200
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs
Message-ID: <4340670E.8060202@marcrisse.name>
In-Reply-To: <20051002225353.GN3481@home.power>
References: <43404CB8.3@lunatic.net.nz> <000001c5c797$aa732870$0200080a@SPRITE> <20051002225353.GN3481@home.power>

Alex Efros wrote:
> Hi!
>
> On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
>
>> These are the rules that I'm using.
>>
>> # Track connections to SSH
>> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
>>    --dport 22 -m recent --name SSH --set
>> -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
>>    --dport 22 -m recent --name SSH --set
>>
>> # Drop if connection rate exceeds 4/minute
>> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>    --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
>> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>    --rcheck --seconds 60 --hitcount 4 -j DROP
>>
>> # Drop if connection rate exceeds 20/hour
>> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>    --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
>> -A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
>>    --rcheck --seconds 3600 --hitcount 20 -j DROP
>
> What about DoS because of these rules? Imagine somebody runs SSH
> connections to your host every 10 seconds while you don't have an
> already-opened SSH connection to the server... In this case you will
> never have a chance to log in to your server (and fix this issue)?!

# Every NEW connection to port 22 is first recorded in the "SSH" recent list
iptables -N SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
# Trusted sources are removed from the list again and accepted, so they never reach the limit
iptables -A SSH_WHITELIST -s 217.160.x.x -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 10.0.0.0/8 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 212.184.x.x -m recent --remove --name SSH -j ACCEPT
# Everyone else: 4 or more NEW connections within 60 seconds (same TTL, --rttl) is logged and dropped
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

Bye
Marc
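To make the bookkeeping behind Marc's ruleset concrete, here is an added Python model of the recent list (example code, not from this thread or from netfilter). It assumes a single list named SSH keyed by source address, the rules applied in the order Marc posted them, a default ACCEPT for packets that reach the end of the chain, and constructed addresses (RFC 5737 and 10/8 ranges standing in for his masked x.x networks).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-ins for Marc's masked networks (RFC 5737 / RFC 1918 ranges).
WHITELIST = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

class RecentList:
    """Model of one xt_recent list: per-source timestamps of matched packets.
    Not modelled: --rttl (packet TTL must equal the recorded one) and the
    kernel's cap of ip_pkt_list_tot stamps per entry, which --hitcount must not exceed."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):             # -m recent --set
        self.stamps[src].append(now)

    def remove(self, src):               # -m recent --remove
        self.stamps.pop(src, None)

    def hits(self, src, now, seconds):   # stamps inside the --seconds window
        return sum(1 for t in self.stamps.get(src, ()) if now - t <= seconds)

def ssh_verdict(recent, src, now, seconds=60, hitcount=4):
    """Verdict for one NEW connection to port 22 from src at time now,
    walking Marc's rules in order; a packet matched by no rule falls
    through to ACCEPT (assumed default for the rest of the chain)."""
    recent.set(src, now)                                  # --set --name SSH
    if any(ip_address(src) in net for net in WHITELIST):  # -j SSH_WHITELIST
        recent.remove(src)                                # --remove: no hits accumulate
        return "ACCEPT"
    if recent.hits(src, now, seconds) >= hitcount:        # --update --seconds 60 --hitcount 4
        return "DROP"                                     # LOG "SSH_brute_force: " then DROP
    return "ACCEPT"

def simulate(events):
    """events: (time_in_seconds, source) tuples in arrival order -> verdicts."""
    recent = RecentList()
    return [ssh_verdict(recent, src, t) for t, src in events]

if __name__ == "__main__":
    # Constructed traffic: one host opening a connection every 10 s, and an
    # admin on the whitelisted 10/8 network logging in alongside it.
    events = [(0, "198.51.100.7"), (5, "10.1.2.3"), (10, "198.51.100.7"),
              (15, "10.1.2.3"), (20, "198.51.100.7"), (30, "198.51.100.7"),
              (40, "198.51.100.7"), (100, "198.51.100.7"), (100, "10.1.2.3")]
    for (t, src), v in zip(events, simulate(events)):
        print(f"t={t:3d}s  {src:14s} {v}")
```

The run shows the untrusted source dropped from its fourth connection inside the 60-second window and accepted again once enough stamps have aged out, while the whitelisted admin is accepted every time because its entry is removed before the hit count is ever checked.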



-- 
gentoo-security@gentoo.org mailing list