
Re: Blocking SSH attackers



Tony Godshall said:

>> I just recently started using iptables to do this. It's worked really
>> well for me so far. See the debian-isp archive link below.
>> 
>> http://lists.debian.org/debian-isp/2005/10/msg00051.html
> 
> I don't see any mechanism to limit the number of entries in
> your blocked list... this would seem to increase your 
> vulnerability to a multi-source DOS attack.

I may be missing your point, but...
Below is taken from the --recent module documentation.

 --rttl
  This option must be used in conjunction with one of 'rcheck' or
  'update'.  When used, this will narrow the match to only happen
  when the address is in the list and the TTL of the current packet
  matches that of the packet which hit the --set rule.  This may be
  useful if you have problems with people faking their source
  address in order to DoS you via this module by disallowing others
  access to your site by sending bogus packets to you.

Also, the recent module takes arguments, so the list size is finite.

The module itself accepts two parameters:
ip_list_tot=40
ip_pkt_list_tot=10

Shown are the defaults.
ip_list_tot is the total number of addresses which will be
remembered, note that the list is searched in-order for every
attempted match and so you do not want to increase this value
too much or a lot of time will be spent traversing the list.

ip_pkt_list_tot is the total number of packets which will
be remembered for each address.  This list is only used by
'--hitcount' and so the default will probably suffice
unless you make extensive use of that option.

-- 

phil



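The ruleset the thread is discussing, written out as an added example (this is not code from the original message or from the linked debian-isp post): a small POSIX shell script that loads the recent module with the two parameters quoted above and installs a per-address SSH throttle that uses `--rttl` on both the check and the drop rule. The list name `sshbrute`, the chain name `SSH_THROTTLE`, the 100/20 list sizes and the 4-hits-in-60-seconds window are assumptions chosen for illustration. The script is a dry run by default (it prints the commands it would issue); set `IPT=iptables MODPROBE=modprobe` and run it as root to apply it.

```shell
#!/bin/sh
# Added example: SSH brute-force throttle using the iptables 'recent' match.
# Dry run by default; IPT=iptables MODPROBE=modprobe applies the rules for real.
IPT=${IPT:-"echo iptables"}
MODPROBE=${MODPROBE:-"echo modprobe"}

# Module parameters from the thread: the address list is bounded by
# ip_list_tot (default 40) and the per-address packet history by
# ip_pkt_list_tot (default 10). Values here are illustrative assumptions.
LIST_TOT=${LIST_TOT:-100}
PKT_TOT=${PKT_TOT:-20}

# Throttle policy (assumed): more than HITS new connections from one
# address within WINDOW seconds gets that address dropped.
WINDOW=${WINDOW:-60}
HITS=${HITS:-4}
LIST_NAME=sshbrute

load_recent_module() {
    # Bounding the list is what keeps a multi-source flood from growing
    # kernel state without limit; the search is linear, so keep it modest.
    $MODPROBE xt_recent ip_list_tot="$LIST_TOT" ip_pkt_list_tot="$PKT_TOT"
}

install_ssh_throttle() {
    # Dedicated chain so only new SSH connections are inspected.
    $IPT -N SSH_THROTTLE
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_THROTTLE

    # --rcheck only reads the list: log offenders without extending their ban.
    # --rttl requires the packet TTL to match the one recorded by --set, so a
    # spoofed packet from a different path cannot trigger a block for someone else.
    $IPT -A SSH_THROTTLE -m recent --name "$LIST_NAME" --rcheck \
        --seconds "$WINDOW" --hitcount "$HITS" --rttl \
        -j LOG --log-prefix "ssh-throttle: "

    # --update refreshes the timestamp of a matching address and drops it.
    $IPT -A SSH_THROTTLE -m recent --name "$LIST_NAME" --update \
        --seconds "$WINDOW" --hitcount "$HITS" --rttl \
        -j DROP

    # Everything else is recorded (--set) and allowed through.
    $IPT -A SSH_THROTTLE -m recent --name "$LIST_NAME" --set -j ACCEPT
}

main() {
    load_recent_module
    install_ssh_throttle
}

main
```

Rule order matters: the `--rcheck`/LOG rule sits before the `--update`/DROP rule so a blocked address is logged once per packet without the LOG rule itself extending the ban, and `--set`/ACCEPT comes last so only addresses that passed the check are (re)entered in the list. Re-running the script on a host where `SSH_THROTTLE` already exists will fail at `-N`; flush and delete the chain first, or guard the `-N` with `$IPT -L SSH_THROTTLE -n >/dev/null 2>&1 ||`. The current list contents, including the recorded TTL per address, can be inspected in `/proc/net/xt_recent/sshbrute`.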