
Re: question about SSH / IPTABLES



A simpler way would be to use:

- The connection tracking abilities of iptables.
  For example DROP NEW connections from upper ports
  (this way you are not going to have problems with established
  connections such as the ssh login into the machine)

OR:

- At TCP level, match flags like SYN to avoid establishing connections.
  (faster than the conntrack, and requires less memory)

- Use this in conjunction with the user id matchings

- DROP all UDP traffic (it has no connections, so we can't limit
  establishing new connections from our server)

All this of course on the OUTPUT chain

-- 
        .,,,   Guillermo Pérez    -=] 24/01/2003 [=-
      _' .,,,,  - bisho@ ( onirica.com | eurielec.etsit.upm.es )
     (v)/ ,''
      ( \/    ::            Marea Negra. Políticos ciegos.            ::
bisho! ``\\
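
Added example, not part of the original message: a script that prints OUTPUT-chain rules for the two TCP variants described above (connection tracking or SYN matching, each combined with the owner match) plus the UDP drop. The uid 1001, the reading of "upper ports" as source ports 1024-65535, and scoping the UDP drop to that uid rather than to all UDP are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) OUTPUT-chain rules so they can be
# reviewed first. RESTRICTED_UID is a hypothetical account, and "upper
# ports" is assumed to mean source ports 1024-65535.

IPT="${IPT:-iptables}"
RESTRICTED_UID="${RESTRICTED_UID:-1001}"   # hypothetical uid
MODE="${MODE:-syn}"                        # "state" or "syn"

egress_rules() {
    mode="$1"
    uid="$2"
    # Only a numeric uid is accepted, since it is pasted into a command line.
    case "$uid" in
        ''|*[!0-9]*) echo "uid must be numeric" >&2; return 1 ;;
    esac
    case "$mode" in
        state)
            # Connection tracking: drop only NEW outbound flows from high
            # source ports; packets of ESTABLISHED flows (the inbound ssh
            # session) never match.
            echo "$IPT -A OUTPUT -p tcp --sport 1024:65535 -m owner --uid-owner $uid -m state --state NEW -j DROP"
            ;;
        syn)
            # Stateless: --syn matches SYN set with ACK, RST and FIN clear,
            # i.e. only the first packet of an outbound connection attempt.
            echo "$IPT -A OUTPUT -p tcp -m owner --uid-owner $uid --syn -j DROP"
            ;;
        *)
            echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # UDP has no handshake to match on, so it is dropped outright
    # (assumption: limited to the same uid so system DNS keeps working).
    echo "$IPT -A OUTPUT -p udp -m owner --uid-owner $uid -j DROP"
}

egress_rules "$MODE" "$RESTRICTED_UID"
```

Set MODE=state to print the connection-tracking variant instead. The owner match is only valid for locally generated packets, which is why these rules belong on the OUTPUT chain.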


