Hi all

Are there iptables rules to limit attacks?

Thank you
On Thu, February 26, 2009 10:52 am, chloe K wrote:
> Hi all
>
> Are there iptables rules to limit attacks?
>
> Thank you

Could you give a little more info?

Bo Lynch
chloe K wrote:
> Hi all
>
> Are there iptables rules to limit attacks?
>
> Thank you

Hi,

Below is an example that I use to limit the rate of new connections to a particular port/service. You should be able to mold this to work with whatever service you would like to protect. Add the first line to your main input chain. This will limit new connections to tcp/22 to a rate of 4/minute/uniqueIP. Another benefit for me is that this uses the modules that come with the CentOS stock kernel... no extra fussing to get it to work.

Andy

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK
-A SSH_CHECK -s *WHITELIST ADDRESSES* -j ACCEPT
-A SSH_CHECK -m recent --set --name SSH --rsource
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "SSH Drop "
-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
-A SSH_CHECK -j ACCEPT
Thank you

Can I know how to define the "SSH_CHECK" and white list?

I only know how to use iptables -A

Thank you

Andrew Hull <list at racc2000.com> wrote:
> chloe K wrote:
> > Hi all
> >
> > Are there iptables rules to limit attacks?
> >
> > Thank you
>
> Hi,
>
> Below is an example that I use to limit the rate of new connections to a particular port/service. You should be able to mold this to work with whatever service you would like to protect. Add the first line to your main input chain. This will limit new connections to tcp/22 to a rate of 4/minute/uniqueIP. Another benefit for me is that this uses the modules that come with the CentOS stock kernel... no extra fussing to get it to work.
>
> Andy
>
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK
> -A SSH_CHECK -s *WHITELIST ADDRESSES* -j ACCEPT
> -A SSH_CHECK -m recent --set --name SSH --rsource
> -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "SSH Drop "
> -A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP
> -A SSH_CHECK -j ACCEPT
chloe K wrote:
> Thank you
>
> Can I know how to define the "SSH_CHECK"
> and white list?
>
> I only know how to use iptables -A
>
> Thank you

Hello,

When you're entering the rules from the CLI, the first time you reference a chain, you need to use -N (for "new") instead of -A (for "append"). So, using my example....

# iptables -N SSH_CHECK
# iptables -A SSH_CHECK -s *WHITELIST ADDRESSES* -j ACCEPT
# iptables -A SSH_CHECK -m recent --set --name SSH --rsource

and so on.

I use the first line of the SSH_CHECK chain to keep from accidentally locking myself out of my server. If, for instance, I have control and trust over a particular IP address or subnet, I can use the first line to exclude them from being rate-limited...

# iptables -N SSH_CHECK
# iptables -A SSH_CHECK -s 127.219.24.149 -j ACCEPT

or

# iptables -A SSH_CHECK -s 127.247.67.0/24 -j ACCEPT

(ip addresses changed to protect the innocent)

I think that'll do you,

Andy
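The chain and whitelist described above, assembled into a single iptables-restore fragment so the chain definition, the trusted sources and the recent-match rules are created together. This is an added example, not Andy's or the CentOS project's code; it assumes the filter table, the CentOS-style RH-Firewall-1-INPUT chain, tcp/22, and that whitelist addresses or CIDRs are passed as arguments.

```shell
# Emit an iptables-restore fragment for the SSH_CHECK rate-limit chain.
# Whitelisted source addresses/CIDRs (constructed by the caller) are "$@".
ssh_ratelimit_rules() {
    # Declaring the chain here is the restore-file equivalent of
    # "iptables -N SSH_CHECK"; the "-" policy marks a user-defined chain.
    printf '%s\n' '*filter' ':SSH_CHECK - [0:0]'
    # Hook: only NEW tcp/22 connections are diverted into the rate-limit chain.
    printf '%s\n' '-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j SSH_CHECK'
    # Whitelist first, so trusted sources are neither counted nor dropped.
    for src in "$@"; do
        printf '%s\n' "-A SSH_CHECK -s $src -j ACCEPT"
    done
    # Record every source, then log and drop once it has 4 or more hits in 60 s.
    printf '%s\n' '-A SSH_CHECK -m recent --set --name SSH --rsource'
    printf '%s\n' '-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "SSH Drop "'
    printf '%s\n' '-A SSH_CHECK -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP'
    printf '%s\n' '-A SSH_CHECK -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Load the fragment without flushing the existing rule set (-n); needs root.
apply_ssh_ratelimit() {
    ssh_ratelimit_rules "$@" | iptables-restore -n
}

# Sanity check: how many whitelist ACCEPT rules does the fragment contain?
count_whitelist_rules() {
    ssh_ratelimit_rules "$@" | grep -c -e '^-A SSH_CHECK -s '
}

# Example run (constructed addresses): print the fragment for two trusted sources.
ssh_ratelimit_rules 192.0.2.10 198.51.100.0/24
```

With -n, iptables-restore recreates SSH_CHECK on each run but appends the hook rule to RH-Firewall-1-INPUT again, so apply it once or remove the old hook first.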
Chloe K wrote on Thu, 26 Feb 2009 13:45:55 -0500 (EST):
> Can I know how to define the "SSH_CHECK"
> and white list?

There are numerous tutorials out there on how to use rate limiting. Just google.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
chloe K wrote:
> Hi all
>
> Are there iptables rules to limit attacks?
>
> Thank you

There are examples using the recent and limit modules on the Wiki (Securing SSH page):

http://wiki.centos.org/HowTos/Network/SecuringSSH#head-a296ec93e31637aa349538be07b37f67d836688a

It should be easy to adapt these as required.
Kai Schaetzl wrote:
> There are numerous tutorials out there on how to use rate limiting. Just
> google.
>
> Kai

Does anyone know how to implement some functionality provided by patch-o-matic without patching the kernel? centos5.2 box:

# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 15 -j REJECT
iptables: Unknown error 4294967295

The idea is to limit established connections for every unique IP. This is very helpful on high-loaded web servers. Maybe some alternatives?