Re: Fwd: iptables and networking
On Sun, Jun 30, 2013 at 03:15:47PM +0200, Pascal Hambourg wrote:
> Redalert Commander wrote:
> >
> > ---------- Forwarded message ----------
> > From: Igor Cicimov
> >
> >> You can block repeated attempts to log in with iptables using the
> >> 'recent' module, an alternative is 'fail2ban', which monitors your
> >> server logs (ssh, apache, and others) for failed login attempts and then
> >> adds an iptables rule for the offending IP.
>
> The 'recent' match is vulnerable to source IP address spoofing and can
> be abused to cause a DoS for the spoofed address. fail2ban is much less
> vulnerable to such attacks.
>
> >> In some cases the 'limit' module for iptables might be useful, for
> >> example (not really a good one):
>
> The limit match is even worse as it can be easily abused to cause a DoS
> for all clients.
>
> >> iptables -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state NEW -m
> >> limit --limit 1/min --limit-burst 3 -j ACCEPT
> >>
> >> This will only allow 1 connection attempt on an FTP server per minute,
> >> with an initial burst of 3 before limiting.
>
> So an attacker just needs to send 3 packets per minute to block all
> access for anyone to the server. Great.
>
> > Another option is the hashlimit module. It's based simply on the fact
> > that ddos sends bursts of traffic over the connection. Example below
> > for port 80 but can be applied to 22 or any other service.
>
> Hashlimit won't protect against DDoS attacks or DoS attacks using source
> IP address spoofing.
>
IP address spoofing with TCP, what? That only works with UDP.
(Hint - three way handshake for TCP).
--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post.
Please don't CC! I'm subscribed to whatever list I just posted on.
Reply to:
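The point made above about the shared 'limit' bucket (three packets per minute lock everyone out) versus per-source hashlimit buckets can be checked with a small simulation. This is an added example, not code from the thread: it models the token bucket that `--limit 1/min --limit-burst 3` describes and, as an assumed comparison, the same bucket keyed per source address as `hashlimit --hashlimit-mode srcip` would do; the two addresses are constructed sample values.

```python
from collections import defaultdict

INTERVAL_S = 60.0   # --limit 1/min: one token refilled every 60 seconds
BURST = 3           # --limit-burst 3: bucket starts full with 3 tokens


class TokenBucket:
    """Token bucket as used by the iptables 'limit'/'hashlimit' matches."""

    def __init__(self, interval=INTERVAL_S, burst=BURST):
        self.interval, self.burst = interval, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # refill proportionally to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) / self.interval)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(packets, per_source):
    """packets: list of (time_s, src_ip), in time order.
    per_source=False models '-m limit' (one bucket shared by every client);
    per_source=True models 'hashlimit --hashlimit-mode srcip' (assumed here:
    one bucket per source address). Returns (time, src, accepted) tuples."""
    shared = TokenBucket()
    buckets = defaultdict(TokenBucket)
    verdicts = []
    for t, src in packets:
        bucket = buckets[src] if per_source else shared
        verdicts.append((t, src, bucket.allow(t)))
    return verdicts


# Constructed sample: one source sends the burst of 3, then one packet per
# minute; a legitimate client tries once every minute, 30 s after it.
NOISY, CLIENT = "198.51.100.7", "203.0.113.20"
PACKETS = sorted(
    [(0.0, NOISY)] * 3
    + [(60.0 * k, NOISY) for k in range(1, 6)]
    + [(60.0 * k + 30.0, CLIENT) for k in range(0, 5)]
)


def accepted_for(src, per_source):
    """Times at which packets from src were accepted under the chosen model."""
    return [t for t, s, ok in simulate(PACKETS, per_source) if s == src and ok]
```

Per-source buckets only isolate clients whose source address can be trusted; as the thread notes, they do nothing against traffic arriving with a forged source address.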