
Re: Fwd: iptables and networking



Redalert Commander wrote:
> 
> ---------- Forwarded message ----------
> From: Igor Cicimov
> 
>> You can block repeated attempts to log in with iptables using the
>> 'recent' module, an alternative is 'fail2ban', which monitors your
>> server logs (ssh, apache, and others) for failed login attempts and then
>> adds an iptables rule for the offending IP.

The 'recent' match is vulnerable to source IP address spoofing and can
be abused to cause a DoS for the spoofed address. fail2ban is much less
vulnerable to such attacks.

>> In some cases the 'limit' module for iptables might be useful, for
>> example (not really a good one):

The limit match is even worse as it can be easily abused to cause a DoS
for all clients.

>> iptables -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state NEW -m
>> limit --limit 1/min --limit-burst 3 -j ACCEPT
>>
>> This will only allow 1 connection attempt on an FTP server per minute,
>> with an initial burst of 3 before limiting.

So an attacker just needs to send 3 packets per minute to block all
access for anyone to the server. Great.

> Another option is the hashlimit module. It's based simply on the fact
> that DDoS sends bursts of traffic over the connection. Example below
> for port 80 but can be applied to 22 or any other service.

Hashlimit won't protect against DDoS attacks or DoS attacks using source
IP address spoofing.
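The Python model below is an added illustration for this thread, not code from any of the posters or from the iptables project. It reproduces the documented token-bucket semantics of the 'limit' and 'hashlimit' matches (--limit 1/min --limit-burst 3, as in the quoted FTP rule) and the usual two-rule '--update --seconds --hitcount' recipe for 'recent' closely enough to replay the three situations argued about above: one attacker draining a shared 'limit' bucket so nobody else gets in, SYNs forged with the victim's source address against a per-source 'recent' rule, and a flood of forged sources against 'hashlimit --hashlimit-mode srcip'. Packets that no rule accepts are assumed to hit a DROP policy. All addresses, timings and packet counts are constructed for the example.

```python
"""Toy model of iptables 'limit', 'hashlimit --hashlimit-mode srcip' and the
'recent --update --seconds --hitcount' recipe, applied to NEW connections on
one port.  Added illustration, not iptables code: it follows the documented
semantics only as far as needed to compare the three matches."""
from collections import defaultdict

# Constructed addresses (RFC 5737 documentation ranges).
LEGIT = "198.51.100.7"
ATTACKER = "203.0.113.9"


class TokenBucket:
    """Token bucket in integer arithmetic: one token every `period` seconds,
    at most `burst` tokens stored.  --limit 1/min --limit-burst 3 is
    period=60, burst=3.  Credit is kept in seconds to avoid float drift."""

    def __init__(self, period, burst):
        self.period = period
        self.cap = burst * period
        self.credit = self.cap        # iptables starts with a full bucket
        self.last = 0

    def allow(self, now):
        self.credit = min(self.cap, self.credit + (now - self.last))
        self.last = now
        if self.credit >= self.period:
            self.credit -= self.period
            return True
        return False


def global_limit(packets, period=60, burst=3):
    """-m limit ... -j ACCEPT: a single bucket shared by every source.
    Returns one accept/drop decision per (time, src) packet."""
    bucket = TokenBucket(period, burst)
    return [bucket.allow(t) for t, _src in packets]


def per_source_hashlimit(packets, period=60, burst=3):
    """-m hashlimit --hashlimit-mode srcip ... -j ACCEPT: one bucket per
    source address, so only the aggregate per source is bounded."""
    buckets = defaultdict(lambda: TokenBucket(period, burst))
    return [buckets[src].allow(t) for t, src in packets]


def recent_hitcount(packets, seconds=60, hitcount=3):
    """The common two-rule 'recent' recipe:
         -m recent --update --seconds N --hitcount H -j DROP
         -m recent --set -j ACCEPT
    A source with >= H hits inside N seconds (current packet included) is
    dropped; either rule records the packet, so every hit refreshes the
    entry.  The kernel can only go by the source address in the packet."""
    seen = defaultdict(list)
    decisions = []
    for t, src in packets:
        hits = [h for h in seen[src] if t - h <= seconds]
        hits.append(t)
        seen[src] = hits
        decisions.append(len(hits) < hitcount)
    return decisions


def accepted_by_source(packets, decisions):
    """Count accepted packets per source (sources with none are omitted)."""
    out = defaultdict(int)
    for (_t, src), ok in zip(packets, decisions):
        if ok:
            out[src] += 1
    return dict(out)


def scenario_shared_bucket(minutes=10):
    """Attacker sends 3 SYNs from its own address at the top of every
    minute; the legitimate client tries once per minute, 30 s later."""
    pkts = []
    for m in range(minutes):
        pkts += [(m * 60 + i, ATTACKER) for i in range(3)]
        pkts.append((m * 60 + 30, LEGIT))
    return pkts


def scenario_spoofed_recent():
    """Three SYNs forged with the victim's address, then the real victim."""
    return [(0, LEGIT), (1, LEGIT), (2, LEGIT), (30, LEGIT)]


def scenario_spoofed_flood(n=100):
    """n SYNs in the same second, each with a different forged source."""
    return [(0, f"192.0.2.{i}") for i in range(n)]


if __name__ == "__main__":
    shared = scenario_shared_bucket()
    for name, fn in (("limit", global_limit), ("hashlimit", per_source_hashlimit),
                     ("recent", recent_hitcount)):
        print(f"{name:10s} shared-attacker case:", accepted_by_source(shared, fn(shared)))
    print("recent, 3 forged SYNs then the victim:", recent_hitcount(scenario_spoofed_recent()))
    flood = scenario_spoofed_flood()
    print("100 forged sources -> limit accepts", sum(global_limit(flood)),
          "hashlimit accepts", sum(per_source_hashlimit(flood)))
```

Run as a script, the shared-bucket case shows 'limit' letting the attacker's 3 + 1-per-minute through and the legitimate client never, while 'hashlimit' and 'recent' keep serving the client; the forged-source case shows the victim's own connection dropped by 'recent' (and, for the same reason, by per-source 'hashlimit', since both can only key on the address the packet claims); and the forged flood shows that a per-source bucket bounds nothing in aggregate once the attacker chooses the sources.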

