I am revisiting the thread "shorewall friendly way of limiting ssh brute force attacks?":

http://lists.shorewall.net/pipermail/shorewall-users/2005-February/017249.html

I am wondering if this is still the preferred method for limiting Brute Force attacks.

I would like to temporarily disable FTP attempts for users/bots that are attempting brute force attacks.

In the article your rule contains level and tag parameters. What do those parameters mean?

Thanks for your help!

Scott

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Scott Ruckh wrote:
> I am revisiting the thread "shorewall friendly way of limiting ssh brute
> force attacks?":
>
> http://lists.shorewall.net/pipermail/shorewall-users/2005-February/017249.html
>
> I am wondering if this is still the preferred method for limiting Brute
> Force attacks.
>
> I would like to temporarily disable FTP attempts for users/bots that are
> attempting brute force attacks.
>
> In the article your rule contains level and tag parameters. What do those
> parameters mean?
>

Please read http://www.shorewall.net/PortKnocking.html#id2450982

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
This is what you said Tom Eastep
> Scott Ruckh wrote:
>> I am revisiting the thread "shorewall friendly way of limiting ssh brute
>> force attacks?":
>>
>> http://lists.shorewall.net/pipermail/shorewall-users/2005-February/017249.html
>>
>> I am wondering if this is still the preferred method for limiting Brute
>> Force attacks.
>>
>> I would like to temporarily disable FTP attempts for users/bots that are
>> attempting brute force attacks.
>>
>> In the article your rule contains level and tag parameters. What do
>> those parameters mean?
>>
>
> Please read http://www.shorewall.net/PortKnocking.html#id2450982
>

Is there a typo on this page (Item #3 What are shorewall actions?).

http://www.shorewall.net/Actions.html

Should it read:

User-defined Actions. These actions are created by end-users. They are listed in the file /etc/shorewall/actions and are defined in action.* files in /etc/shorewall or in another directory listed in your CONFIG_PATH (defined in /etc/shorewall/shorewall.conf).

Thanks
Scott
Scott Ruckh wrote:
> Is there a typo on this page (Item #3 What are shorewall actions?).
>
> http://www.shorewall.net/Actions.html
>
> Should it read:
>
> User-defined Actions. These actions are created by end-users. They are
> listed in the file /etc/shorewall/actions and are defined in action.*
> files in /etc/shorewall or in another directory listed in your CONFIG_PATH
> (defined in /etc/shorewall/shorewall.conf).

fixed in SVN. ;-)

http://cia.navi.cx/stats/project/shorewall/.message/28651
also minute is spelled wrong (munute) on the "Port Knocking and Other Uses of 'Recent Match'" page

Jim

---------- Original Message -----------
From: "Scott Ruckh" <sruckh@gemneye.org>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Cc: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Thu, 10 Aug 2006 22:18:59 -0700 (MST)
Subject: Re: [Shorewall-users] Limiting Brute Force Attacks.

> This is what you said Tom Eastep
> > Scott Ruckh wrote:
> >> I am revisiting the thread "shorewall friendly way of limiting ssh brute
> >> force attacks?":
> >>
> >> http://lists.shorewall.net/pipermail/shorewall-users/2005-February/017249.html
> >>
> >> I am wondering if this is still the preferred method for limiting Brute
> >> Force attacks.
> >>
> >> I would like to temporarily disable FTP attempts for users/bots that are
> >> attempting brute force attacks.
> >>
> >> In the article your rule contains level and tag parameters. What do
> >> those parameters mean?
> >>
> >
> > Please read http://www.shorewall.net/PortKnocking.html#id2450982
> >
>
> Is there a typo on this page (Item #3 What are shorewall actions?).
>
> http://www.shorewall.net/Actions.html
>
> Should it read:
>
> User-defined Actions. These actions are created by end-users. They are
> listed in the file /etc/shorewall/actions and are defined in action.*
> files in /etc/shorewall or in another directory listed in your CONFIG_PATH
> (defined in /etc/shorewall/shorewall.conf).
>
> Thanks
> Scott
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
------- End of Original Message -------
This is what you said Tom Eastep
> Scott Ruckh wrote:
>> I am revisiting the thread "shorewall friendly way of limiting ssh brute
>> force attacks?":
>>
>> http://lists.shorewall.net/pipermail/shorewall-users/2005-February/017249.html
>>
>> I am wondering if this is still the preferred method for limiting Brute
>> Force attacks.
>>
>> I would like to temporarily disable FTP attempts for users/bots that are
>> attempting brute force attacks.
>>
>> In the article your rule contains level and tag parameters. What do
>> those parameters mean?
>>
>
> Please read http://www.shorewall.net/PortKnocking.html#id2450982
>
> -Tom
> --

Apparently I am not hooked on phonics.

I created action.LIMIT file in /etc/shorewall. The contents of action.LIMIT contained the code from your example (cut and paste). I added the word LIMIT to the /etc/shorewall/actions file.

In the /etc/shorewall/rules file are the following two rules for FTP.

# forward FTP traffic to the FTP server
FTP/DNAT-               inet    loc:x.x.x.x

# slow down Brute Force attacks. Limit the number
# of connections per minute from same src IP.
LIMIT:ULOG:FTPBFA,4,60  inet    loc:x.x.x.x     tcp     21      -       $ETH2_IP

Is this the correct thing to do, at least logically? Can I use the $ETH2_IP (IP address of internet connection) variable which was set in the /etc/shorewall/init file? Is the action case sensitive (Did I need to use the keyword Limit)?

I used to have the single DNAT rule (without the minus) and of course it worked fine. Apparently the ACCEPT rule from LIMIT is not working because FTP connection is impossible with the above configuration.

Am I just not understanding the documentation? I am using shorewall 3.2.1, if that makes a difference.

Thanks for your help.

Scott
On Fri, 2006-08-11 at 09:28 -0700, Scott Ruckh wrote:
>
> I created action.LIMIT file in /etc/shorewall. The contents of
> action.LIMIT contained the code from your example (cut and paste). I
> added the word LIMIT to the /etc/shorewall/actions file.
>
> In the /etc/shorewall/rules file are the following two rules for FTP.
>
> # forward FTP traffic to the FTP server
> FTP/DNAT-               inet    loc:x.x.x.x
>
> # slow down Brute Force attacks. Limit the number
> # of connections per minute from same src IP.
> LIMIT:ULOG:FTPBFA,4,60  inet    loc:x.x.x.x     tcp     21      -       $ETH2_IP
>
> Is this the correct thing to do, at least logically? Can I use the
> $ETH2_IP (IP address of internet connection) variable which was set in the
> /etc/shorewall/init file? Is the action case sensitive (Did I need to
> use the keyword Limit)?
>
> I used to have the single DNAT rule (without the minus) and of course it
> worked fine. Apparently the ACCEPT rule from LIMIT is not working because
> FTP connection is impossible with the above configuration.
>
> Am I just not understanding the documentation?

You're certainly not reading all of it. The article goes on to say that 'Limit' (capitalization must be exact) has been a standard feature of Shorewall since version 3.0.4. So you *don't* need:

a) /etc/shorewall/LIMIT
b) Empty file /etc/shorewall/action.LIMIT
c) A LIMIT entry in /etc/shorewall/actions.

> I am using shorewall
> 3.2.1, if that makes a difference.

You can use 'Limit' with DNAT as follows:

a) Change your existing DNAT rule to a DNAT- rule. That will rewrite the destination IP address but it won't generate an automatic ACCEPT rule for the transformed packet.

b) Add this rule:

Limit:ULOG:FTPBFA,4,60  inet    loc:x.x.x.x     tcp     21      -       $ETH2_IP

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
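The Limit:ULOG:FTPBFA,4,60 rule in Tom's reply admits four new connections per 60 seconds from one source and logs and drops the excess. As an added illustration (not code from this thread or from Shorewall), the Python below models that per-source counter so the verdict sequence for a hammering source can be read off; the timestamps and addresses are constructed, and it assumes that dropped attempts do not refresh the source's window, a detail of the underlying recent match the thread does not state.

```python
# Added example, not from the thread or from Shorewall: a small model of
# what a Shorewall "Limit:ULOG:FTPBFA,4,60" rule does, i.e. at most 4 new
# connections per 60 s from one source IP, excess logged and dropped.
# Assumption: a dropped attempt is not recorded, so it does not extend
# the source's window (the thread does not state the recent-match detail).
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Limit:
    tag: str        # log tag / recent list name, e.g. FTPBFA
    rate: int       # new connections allowed per window
    seconds: int    # window length in seconds
    _hits: dict = field(default_factory=lambda: defaultdict(deque))
    log: list = field(default_factory=list)

    def check(self, src: str, now: float) -> str:
        """Return "ACCEPT" or "DROP" for a new connection from src at time now."""
        q = self._hits[src]
        # forget hits that have aged out of the window
        while q and now - q[0] >= self.seconds:
            q.popleft()
        if len(q) >= self.rate:
            # over the limit: this is where the ULOG line with the tag is
            # emitted and the packet dropped
            self.log.append(f"{self.tag}: DROP src={src} t={now:g}")
            return "DROP"
        q.append(now)
        return "ACCEPT"


def simulate(events, rate=4, seconds=60, tag="FTPBFA"):
    """Run (time, src) connection attempts through one Limit; return verdicts and log."""
    lim = Limit(tag, rate, seconds)
    verdicts = [(t, src, lim.check(src, t)) for t, src in events]
    return verdicts, lim.log


# constructed sample: one source hammering port 21, one ordinary client
SAMPLE = [(0, "198.51.100.7"), (5, "198.51.100.7"), (10, "198.51.100.7"),
          (15, "198.51.100.7"), (20, "198.51.100.7"), (30, "203.0.113.9"),
          (61, "198.51.100.7"), (70, "198.51.100.7")]

if __name__ == "__main__":
    for t, src, verdict in simulate(SAMPLE)[0]:
        print(f"t={t:>3} {src:<14} {verdict}")
```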
This is what you said Tom Eastep
> On Fri, 2006-08-11 at 09:28 -0700, Scott Ruckh wrote:
>
>>
>> I created action.LIMIT file in /etc/shorewall. The contents of
>> action.LIMIT contained the code from your example (cut and paste). I
>> added the word LIMIT to the /etc/shorewall/actions file.
>>
>> In the /etc/shorewall/rules file are the following two rules for FTP.
>>
>> # forward FTP traffic to the FTP server
>> FTP/DNAT-               inet    loc:x.x.x.x
>>
>> # slow down Brute Force attacks. Limit the number
>> # of connections per minute from same src IP.
>> LIMIT:ULOG:FTPBFA,4,60  inet    loc:x.x.x.x     tcp     21      -       $ETH2_IP
>>
>> Is this the correct thing to do, at least logically? Can I use the
>> $ETH2_IP (IP address of internet connection) variable which was set in
>> the /etc/shorewall/init file? Is the action case sensitive (Did I need to
>> use the keyword Limit)?
>>
>> I used to have the single DNAT rule (without the minus) and of course it
>> worked fine. Apparently the ACCEPT rule from LIMIT is not working
>> because FTP connection is impossible with the above configuration.
>>
>> Am I just not understanding the documentation?
>
> You're certainly not reading all of it. The article goes on to say that
> 'Limit' (capitalization must be exact) has been a standard feature of
> Shorewall since version 3.0.4. So you *don't* need:
>
> a) /etc/shorewall/LIMIT
> b) Empty file /etc/shorewall/action.LIMIT
> c) A LIMIT entry in /etc/shorewall/actions.
>

I kind of got confused in that section. I think I was reading into it too deeply.

>> I am using shorewall
>> 3.2.1, if that makes a difference.
>
> You can use 'Limit' with DNAT as follows:
>
> a) Change your existing DNAT rule to a DNAT- rule. That will rewrite the
> destination IP address but it won't generate an automatic ACCEPT rule
> for the transformed packet.
>
> b) Add this rule:
>
> Limit:ULOG:FTPBFA,4,60  inet    loc:x.x.x.x     tcp     21      -       $ETH2_IP

Yep, works as documented.

Great product, and your relentless support to this list is appreciated.

Thank You.
Jim Buttafuoco wrote:
> also minute is spelled wrong (munute) on the "Port Knocking and Other Uses of 'Recent Match'" page
> Jim
>

fixed in SVN, thanks

http://cia.navi.cx/stats/project/shorewall/.message/28aca