
Re: Attempt on smtpd / faking remote ip

On Tuesday 06 April 2004 17:37 you wrote:
> Hi Ralph,
> thanks for the hint.
> [...]
> I did it like this, but after the first line
> iptables said: "cannot use parameter -o with
> INPUT" (or something like this - I can't remember
> exactly).
> So I left out "-o lo" at the INPUT rule, and also
> left out "-i lo" at the OUTPUT rule. Then
> everything was fine. Now I hope that it'll do
> what it is supposed to.

Sorry, you did it right. I made the mistake because I just wrote the rules 
down without checking them on a system :)

Because INPUT and OUTPUT don't FORWARD any traffic, there is of course only 
a -i (input device) for the INPUT rule and a -o (output device) for the 
OUTPUT rule. More interfaces would be nonsense here :)

Another thing for making your box a bit safer is to set 
/proc/sys/net/ipv4/conf/all/rp_filter to 1 (after every reboot, by: 
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter)

The Debian way of setting these "proc" settings is by editing 
/etc/network/options. You should use that, because then you don't have to 
do this after every reboot.

For the rp_filter you need to set "spoofprotect=yes". 

The other options:
On a normal Linux box (that is not acting as router/gateway etc.) the 
ip_forward should be set to "no". Don't set this on a box with more than one 
interface that should forward traffic between these interfaces, or otherwise 
your setup will not work anymore.

The syncookies should help if a DOS/DDOS attack is made against your host. So 
setting this to "yes" should be the better choice :) But I have never really 
tested this feature... On most boxes this is set to "no", so you have to 
decide what you like. Because you are German: 

If you have a nice provider (there are a few, most quite small, I heard 
*g*) then you can ask them to block all private and localhost spoofed packets 
already on their border gateways. If you are a private customer with DSL on a 
big provider you can forget that. Nobody will care about such stuff...
There are quite a lot of ISPs out there that route private and localhost 
addresses in their backbone, which is absolutely nonsense. Who wants such 
packets? Even if they are not used for an attack they are useless, because 
the other side will never get an answer :) This is normally the best way, 
because then you don't get any obviously spoofed traffic. 

> > and for the mail script you use... check your weblog for the time you saw
> > the mysterious connections in postfix. If there was something you should
> > see the hits in the access.log
> I had checked it before my last posting: no entries.

okay, so the webserver should be fine... but there is of course no warranty 
for that.

> Thanks again,
> Andreas
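As an added example (not part of the original thread), a small POSIX sh script that maps the three /etc/network/options keys discussed above (spoofprotect, ip_forward, syncookies) to the /proc files they control and checks that the live values match; the optional root-directory argument to check_options is an assumption made so the checker can be exercised against a constructed /proc tree.

```shell
#!/bin/sh
# Example added alongside the thread; not the original poster's code.
#
# Debian /etc/network/options as recommended in the reply above:
#   ip_forward=no       -> /proc/sys/net/ipv4/ip_forward           = 0
#   spoofprotect=yes    -> /proc/sys/net/ipv4/conf/all/rp_filter   = 1
#   syncookies=yes      -> /proc/sys/net/ipv4/tcp_syncookies       = 1
#
# Verifying the live kernel values catches the case where the file was
# edited but the network scripts never re-applied it (e.g. no reboot yet).

# want_proc PATH EXPECTED: compare one /proc/sys value with what we want.
# Returns 0 on match, 1 on mismatch, 2 if the file is missing/unreadable.
want_proc() {
    path=$1
    expected=$2
    if [ ! -r "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    actual=$(cat "$path")
    if [ "$actual" = "$expected" ]; then
        echo "ok      $path = $actual"
        return 0
    fi
    echo "FAIL    $path = $actual (want $expected)"
    return 1
}

# check_options [ROOT]: check all three settings. ROOT is an assumed,
# optional prefix (default: none, i.e. the real /proc) used for testing
# against a constructed directory tree. Returns 0 only if all three match.
check_options() {
    root=${1:-}
    rc=0
    want_proc "$root/proc/sys/net/ipv4/conf/all/rp_filter" 1 || rc=1
    want_proc "$root/proc/sys/net/ipv4/ip_forward" 0 || rc=1
    want_proc "$root/proc/sys/net/ipv4/tcp_syncookies" 1 || rc=1
    return $rc
}

# Run directly as root to audit the local box:
#   check_options
```

Run it once after editing /etc/network/options and again after the next reboot; a FAIL line on the second run means the options file is not being applied.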
