
Re: DenyHosts



Reco:

All of this is an excellent learning opportunity for me. Please bear
with me just a bit as I ask the following:

On Sat, 16 Jan 2016 01:55:38 +0300, you wrote:

>A simple solution:
>
>iptables -I INPUT -p dcp -s 59.46.71.0/24 -j DROP

`-p dcp'? The man page says:

       [!] -p, --protocol protocol
              The protocol of the rule or of the packet to check. The
              specified protocol can be one of tcp, udp, udplite, icmp,
              icmpv6, esp, ah, sctp, mh or the special keyword "all", or
              it can be a numeric value, representing one of these
              protocols or a different one. A protocol name from
              /etc/protocols is also allowed.
...

>A complex one:
>
>iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
>	-m hashlimit --hashlimit 1/hour --hashlimit-burst 16 \
>	--hashlimit-mode srcip --hashlimit-name ssh \
>	--hashlimit-htable-expire 60000 -j ACCEPT

       -m, --match match
              Specifies a match to use, that is, an extension module that
              tests for a specific property. The set of matches make up
              the condition under which a target is invoked. Matches are
              evaluated first to last as specified on the command line
              and work in short-circuit fashion, i.e. if one extension
              yields false, evaluation will stop.

If I understand the above, in this command you are doing something
with two rules, `conntrack' and `hashlimit'. But what? Adding them?
Setting rule behavior?

>iptables -I INPUT -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN \
>	-j DROP

       -j, --jump target
              This specifies the target of the rule; i.e., what to do if
              the packet matches it. The target can be a user-defined
              chain (other than the one this rule is in), one of the
              special builtin targets which decide the fate of the packet
              immediately, or an extension (see EXTENSIONS below). If
              this option is omitted in a rule (and -g is not used), then
              matching the rule will have no effect on the packet's fate,
              but the counters on the rule will be incremented.

So if the inbound packet has some property which matches any of those
specified in the `--tcp-flags' list, drop it?

Questions:

How do these commands function to lock out specific addresses or
address ranges?

In the `--tcp-flags' list, why is `SYN' mentioned twice?


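The following is an added example, not code from the thread or from iptables itself: a small Python model of the three quoted rules that makes the questions above concrete by running packets through them. It assumes the semantics documented in iptables-extensions(8) for `--tcp-flags mask comp` (only the bits in the first list are examined, and among them exactly the bits in the second list must be set, which is why SYN appears twice) and for xt_hashlimit keyed by source IP (a bucket of 16 tokens per source, refilled at one per hour, with an idle entry forgotten after 60 s because of `--hashlimit-htable-expire 60000`). It also assumes the rules end up in INPUT in the order ACCEPT then DROP with a default policy of ACCEPT; note that `-I INPUT` with no position inserts at the top of the chain, so typed in the order quoted the DROP rule lands above the ACCEPT rule and every new SSH connection is dropped, which is avoided by issuing them in the reverse order or using `-A`. The first quoted rule is modelled as a plain source-address DROP, leaving aside the protocol token the message is asking about. All addresses and timings are constructed.

```python
"""Toy model of the quoted iptables rules (added example, not from the thread).

Semantics modelled, as documented in iptables-extensions(8):
  * -s 59.46.71.0/24 -j DROP
        source-address match on a CIDR block
  * -p tcp --dport 22 -m conntrack --ctstate NEW
    -m hashlimit --hashlimit 1/hour --hashlimit-burst 16
    --hashlimit-mode srcip --hashlimit-htable-expire 60000 -j ACCEPT
        one token bucket per source IP: 16 tokens to start, one added per
        hour, and the bucket is forgotten after 60 s without traffic
  * -p tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
        of the flags SYN, RST and ACK (the mask), exactly SYN must be set
        (the comparison): a bare SYN matches, SYN/ACK and RST do not
Assumed: rules sit in INPUT in this order and the chain policy is ACCEPT.
Addresses and timings below are constructed; times are in seconds.
"""
import ipaddress
from dataclasses import dataclass, field

# TCP flag bits as they appear in the TCP header
SYN, RST, ACK = 0x02, 0x04, 0x10
FLAG_BITS = {"SYN": SYN, "RST": RST, "ACK": ACK}


def tcp_flags_match(flags: int, mask: str, comp: str) -> bool:
    """--tcp-flags MASK COMP: look only at the bits named in MASK and require
    that, among them, exactly the bits named in COMP are set."""
    mask_bits = sum(FLAG_BITS[f] for f in mask.split(","))
    comp_bits = sum(FLAG_BITS[f] for f in comp.split(","))
    return (flags & mask_bits) == comp_bits


@dataclass
class HashLimit:
    """Per-key token bucket in the style of xt_hashlimit (--hashlimit-mode srcip)."""
    rate: float                                  # tokens per second
    burst: int                                   # --hashlimit-burst
    expire: float                                # --hashlimit-htable-expire, seconds
    table: dict = field(default_factory=dict)    # srcip -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self.table.get(key, (self.burst, now))
        if now - last >= self.expire:            # idle entry was garbage-collected,
            tokens, last = self.burst, now       # so the source starts with a full bucket
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.table[key] = (tokens - 1, now)
            return True
        self.table[key] = (tokens, now)          # seen, but no credit left
        return False


@dataclass
class Packet:
    src: str
    dport: int
    flags: int
    new: bool = True     # conntrack state NEW: first packet of a flow


class Firewall:
    BLOCKED = ipaddress.ip_network("59.46.71.0/24")

    def __init__(self) -> None:
        self.ssh_limit = HashLimit(rate=1 / 3600, burst=16, expire=60.0)

    def input_chain(self, pkt: Packet, now: float) -> str:
        """Walk the rules top to bottom; the first rule that matches decides."""
        # Rule 1: -s 59.46.71.0/24 -j DROP (locks out a whole /24 by source)
        if ipaddress.ip_address(pkt.src) in self.BLOCKED:
            return "DROP"
        # Rule 2: matches are ANDed left to right and short-circuit, so the
        # hashlimit bucket is only consulted for NEW connections to port 22
        if pkt.dport == 22 and pkt.new and self.ssh_limit.allow(pkt.src, now):
            return "ACCEPT"
        # Rule 3: a bare SYN to port 22 that rule 2 did not accept is dropped
        if pkt.dport == 22 and tcp_flags_match(pkt.flags, "SYN,RST,ACK", "SYN"):
            return "DROP"
        return "ACCEPT"      # assumed default policy of the chain


def ssh_attempts(fw: Firewall, src: str, times: list) -> list:
    """Verdicts for one bare-SYN connection attempt to port 22 at each time."""
    return [fw.input_chain(Packet(src, 22, SYN), t) for t in times]


if __name__ == "__main__":
    fw = Firewall()
    # 20 attempts one second apart: the burst of 16 is accepted, then DROP
    print(ssh_attempts(fw, "203.0.113.7", list(range(20))))
    # 60 s of silence and the entry has expired, so the next attempt is let in
    print(ssh_attempts(fw, "203.0.113.7", [100]))
    # anything from the blocked /24 is dropped before the SSH rules are reached
    print(fw.input_chain(Packet("59.46.71.200", 443, SYN), 0))
```

The model shows the two mechanisms the questions ask about: rule 1 locks out an address range by matching the source address, while rules 2 and 3 lock out no one permanently and instead give every source 16 new SSH connections before further bare SYNs are dropped. The `htable-expire` value is the caveat to keep in mind: a source that stays silent for a minute is forgotten and gets a fresh burst of 16, so against a patient brute-forcer this is a throttle, not a ban.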