Alex Efros wrote:
Hi!

On Sun, Oct 02, 2005 at 02:24:23PM -0700, Tad Glines wrote:
  
These are the rules that I'm using.

# Track connections to SSH
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags FIN,ACK FIN,ACK \
   --dport 22 -m recent --name SSH --set
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED --tcp-flags RST RST \
   --dport 22 -m recent --name SSH --set

# Drop if connection rate exceeds 4/minute
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 60 --hitcount 4 -j DROP

# Drop if connection rate exceeds 20/hour
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -m limit -j LOG --log-prefix "SSH_limit: "
-A INPUT -i eth0 -p tcp --dport 22 -m recent --name SSH \
   --rcheck --seconds 3600 --hitcount 20 -j DROP

What about a DoS because of these rules? Imagine somebody running SSH
connections to your host every 10 seconds while you don't have an
already-opened SSH connection to the server... In this case you will
never have a chance to log in to your server (and fix this issue)?!

  

 iptables -N SSH_WHITELIST
 iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
 iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
 iptables -A SSH_WHITELIST -s 217.160.x.x -m recent --remove --name SSH -j ACCEPT
 iptables -A SSH_WHITELIST -s 10.0.0.0/8 -m recent --remove --name SSH -j ACCEPT
 iptables -A SSH_WHITELIST -s 212.184.x.x -m recent --remove --name SSH -j ACCEPT
 iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force: "
 iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

Bye
Marc
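To see what Marc's rules do in the scenario Alex raises, here is an added Python model of the `recent` module's hit window and of the whitelist chain. It is not code from the thread: the timing semantics are simplified, the source addresses are constructed, and a trailing rule that accepts port 22 is assumed.

```python
from collections import defaultdict

WINDOW_SECONDS = 60   # --seconds 60 in the rules above
HITCOUNT = 4          # --hitcount 4

class RecentTable:
    """Simplified model of the per-source hit list behind `-m recent --name SSH`
    (one timestamp per packet; --rttl and the module's stamp limit are ignored)."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: create the entry for src, or add another hit to it
        self.stamps[src].append(now)

    def remove(self, src):
        # --remove: forget src entirely (what SSH_WHITELIST does before ACCEPT)
        self.stamps.pop(src, None)

    def update(self, src, now, seconds, hitcount):
        # --update --seconds N --hitcount M: match only if src is listed with at
        # least M hits in the last N seconds; a match adds one more stamp, so a
        # source that keeps knocking keeps itself blocked
        if src not in self.stamps:
            return False
        hit = sum(1 for t in self.stamps[src] if now - t <= seconds) >= hitcount
        if hit:
            self.stamps[src].append(now)
        return hit

def ssh_verdict(table, whitelist, src, now):
    """Walk Marc's INPUT rules for one NEW SYN to port 22 from src.
    The LOG and DROP rules both use --update; they are folded into one check."""
    table.set(src, now)                       # -m recent --set --name SSH
    if src in whitelist:                      # -j SSH_WHITELIST
        table.remove(src)                     # --remove --name SSH -j ACCEPT
        return "ACCEPT"
    if table.update(src, now, WINDOW_SECONDS, HITCOUNT):
        return "DROP"                         # LOG "SSH_brute_force: ", then DROP
    return "ACCEPT"                           # assumed: a later rule accepts port 22

def simulate(events, whitelist):
    """events: (seconds, source_ip) pairs in arrival order -> (verdicts, table)."""
    table = RecentTable()
    return [ssh_verdict(table, whitelist, src, t) for t, src in events], table
```

Because the list is keyed by source address, a source knocking every 10 seconds blocks only itself after its fourth attempt, while a whitelisted address is accepted and never accumulates hits.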