Re: Cleanup portsentry's iptables rules (WAS: HEAD's UP: possible 0day SSH exploit in the wild)
On Mon, 13 Jul 2009, Maik Holtkamp wrote:
> I decided to follow this and on the weekend iptables blocked about 70
> IPs. I am afraid that after some time the box will be DOSed by the
> crowded INPUT chain.

The only _real_ fix for that is to use IPSET (patch for netfilter) to deal
with IPv4, and config portsentry to run a script that just adds IPs to the
proper set you used to block stuff.  You can even add them with a builtin
"expire" time, so that they get unblocked three days after they were
inserted, or whatever...

I really wish IPSET was merged upstream, but it must be lacking something
fundamental to earn that right (IPv6 support, perhaps?), since it has been
around for a long time now, and it is fully maintained.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
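The approach described in the reply above, as an added example that is not part of the original thread: a hypothetical script for portsentry's KILL_ROUTE hook (portsentry substitutes the offending address for `$TARGET$`) that validates the address and adds it to one ipset with a three-day timeout, so the INPUT chain holds a single `-m set` rule instead of one rule per host. The set name `portsentry_block` and the use of current ipset 6 syntax are assumptions; without ipset installed it prints the commands instead of running them.

```shell
#!/bin/sh
# Hypothetical portsentry hook (example code, not portsentry's own):
#   KILL_ROUTE="/usr/local/sbin/ipset-block.sh $TARGET$"
# Adds the address to an ipset hash:ip set with a per-entry timeout instead of
# appending one iptables rule per host to INPUT. Assumes ipset 6 syntax.

SET_NAME="${SET_NAME:-portsentry_block}"  # assumed set name
BLOCK_SECONDS="${BLOCK_SECONDS:-259200}"  # three days, as in the post

# Accept only a dotted-quad IPv4 address: the hook receives its argument from
# portsentry and must never pass anything else to a shell command.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# One-time setup: a set whose entries expire after BLOCK_SECONDS by default,
# and a single INPUT rule that drops traffic from every address in the set.
setup_cmds() {
    printf '%s\n' \
        "ipset create $SET_NAME hash:ip family inet timeout $BLOCK_SECONDS -exist" \
        "iptables -I INPUT -m set --match-set $SET_NAME src -j DROP"
}

# Per-hit command; -exist refreshes the timeout of an address already present
# instead of failing, so a repeat offender stays blocked another three days.
block_cmd() {
    printf 'ipset add %s %s timeout %s -exist\n' "$SET_NAME" "$1" "$BLOCK_SECONDS"
}

# Entry point: refuse malformed input, then run (or print) the add command.
block_ip() {
    valid_ipv4 "$1" || { echo "refusing malformed target: $1" >&2; return 2; }
    cmd=$(block_cmd "$1")
    if command -v ipset >/dev/null 2>&1; then $cmd; else echo "dry-run: $cmd"; fi
}

if [ "$#" -gt 0 ]; then block_ip "$1"; fi
```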
