Re: counteracting an attack?
> Hello, is there a way to have iptables call a script if a particular
> rule gets hit too often?
> I'm thinking of a script that automatically executes a
> whois/traceroute, to help track down dialup offenders.
I would consider this kind of "counteracting" as not good.
Any offensive countermeasures should be manually triggered, in order to
prevent DoS attacks and abuse of your countermeasures
(e.g. triggering your rules with a wrong IP etc.).
A nice tool for such things is "portsentry".
I use it on one server of mine: if someone does a portscan on the
machine, the firewall goes up for that IP and blocks anything except
ssh.
(and I get an SMS notification)
Of course this could be abused as well: send packets with wrong source
IPs in order to trigger the firewall block for others.
Or try to cause a buffer overflow in ipchains / portsentry by triggering
it too often with lots of different IPs.
So this needs to be monitored, too.
Greetings,
Erich
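The thread's advice is to let the firewall log and notify, and to keep any follow-up (whois, traceroute, blocking) a manual decision, because a spoofed source address would otherwise turn the automation against innocent hosts. The script below is an added example, not code from the original thread or from portsentry: it assumes an iptables LOG rule with a prefix such as `FW-DROP:` (for instance `iptables -A INPUT -p tcp --dport 23 -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "`, with `-m limit` so the log itself cannot be flooded), reads constructed kernel log lines, counts hits per source address, and reports the sources that crossed a threshold for a human to review. It never applies a block or runs a lookup on its own.

```shell
#!/bin/sh
# Added example: count firewall LOG hits per source and report candidates
# for manual review. The log lines below are constructed (documentation-range
# addresses), in the format the kernel LOG target writes to syslog.
SAMPLE_LOG='Jan  5 10:00:01 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4444 DPT=23
Jan  5 10:00:02 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4445 DPT=23
Jan  5 10:00:02 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=23
Jan  5 10:00:03 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4446 DPT=23
Jan  5 10:00:04 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=203.0.113.4 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=111
Jan  5 10:00:05 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4447 DPT=23
Jan  5 10:00:06 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=1026 DPT=23
Jan  5 10:00:07 gw kernel: FW-DROP: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4448 DPT=23'

# hits_over_threshold THRESHOLD  (log lines on stdin)
# Prints "count src_ip", highest count first, for every source address that
# produced at least THRESHOLD log hits. Only lines carrying the FW-DROP:
# prefix are considered, so unrelated kernel messages are ignored.
hits_over_threshold() {
    threshold="$1"
    awk -v t="$threshold" '
        /FW-DROP:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) hits[substr($i, 5)]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= t) print hits[ip], ip
        }' | sort -rn
}

# review_report THRESHOLD  (log lines on stdin)
# Turns the counts into an operator notification. Deliberately no iptables
# call and no whois/traceroute here: the source address in a log line is
# attacker-controlled, so acting on it automatically would let anyone
# spoof a victim's address and have us block or probe that victim.
review_report() {
    hits_over_threshold "$1" | while read -r count ip; do
        printf 'REVIEW: %s hit the rule %s times - check manually before acting\n' "$ip" "$count"
    done
}

# Stand-alone run: report sources with three or more hits in the sample.
printf '%s\n' "$SAMPLE_LOG" | review_report 3
```

In production the stdin would be the tail of the firewall log (or a cron job over the last hour of syslog), and the report would be mailed or sent as an SMS exactly like the portsentry notification mentioned above; the operator then decides whether a whois or a block is warranted.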