LinuxQuestions.org, Linux - Security: Limiting client connections to a port without iptables (http://www.linuxquestions.org/questions/linux-security-4/limiting-client-connections-to-a-port-without-iptables-910971/)

mlewis 10-30-2011 04:43 PM

Limiting client connections to a port without iptables
 
I have a CentOS server on which I cannot enable iptables, yet I need to prevent a certain port from being hacked.

I need to ensure the port doesn't get too many connections from the same client and/or too many connections one after another from anywhere.

Is there a tool out there which would allow me to do this, or is there an iptables config example somewhere which shows how I can allow everything but limit access to one port, as described above?

Thanks.

acal3000 10-30-2011 08:27 PM

Snort / Firestarter

mlewis 10-30-2011 09:03 PM

Quote:

Originally Posted by acal3000 (Post 4512155)
Snort / Firestarter

Snort, I believe, might be overkill, and Firestarter I think is for a system with GNOME on it.

unSpawn 10-31-2011 12:55 AM

Quote:

Originally Posted by mlewis (Post 4512066)
I have a centos server which I cannot enable iptables on yet

If the machine is connected to any network it should already have been hardened. If it isn't then you shouldn't run (publicly accessible) services on it yet. What are your reasons why you think you can't?


Quote:

Originally Posted by mlewis (Post 4512066)
or is there an iptables config example somewhere which shows how I can allow everything but limit access to one port such as above.

Sure. Search this forum for "iptables limit" and it'll show you a few (also notice the "Similar Threads" box at the bottom of this page). If this is your first server, if you don't have any Linux or firewall knowledge just say so.

mlewis 10-31-2011 01:13 AM

>If the machine is connected to any network it should already have been hardened.
>If it isn't then you shouldn't run (publicly accessible) services on it yet.
>What are your reasons why you think you can't?

VoIP systems usually have their iptables and SELinux functions disabled. I of course have firewalls where public access comes into the network. Usually, I can get everything done at the firewall level, but in this case I need to have something on the server itself.

>Sure. Search this forum for "iptables limit" and it'll show you a few (also
>notice the "Similar Threads" box at the bottom of this page).
>If this is your first server, if you don't have any Linux or firewall knowledge just say so.

Nope, not my first server, I have a network full of them :). I use iptables on all servers, but the setups are usually pretty straightforward. I simply have never had the opportunity to learn iptables fully, since I mainly use the firewalls to do what I need. Learning it isn't something I have time for at the moment, which is why I asked the community.

So, if you can actually provide something other than 'go search', that would be great.

fukawi1 10-31-2011 01:41 AM

Quote:

Originally Posted by mlewis (Post 4512259)
So, if you can actually provide something other than 'go search', that would be great.

Going and searching will find you the answer you are looking for. The first 3 Google results spell it out.
unSpawn even told you what to search for..

As an additional note, using [QUOTE] tags is far easier to read, and implement, than that whole ">" thing you have going on...

mlewis 10-31-2011 06:01 AM

>Going and searching will find you the answer you are looking for.
>The first 3 Google results spell it out. unSpawn even told you what to search for..

Sigh, forums are becoming as useless as their members are. How useless it is to constantly read 'go search'. Not much of a community effort.

As I already told you, I am completely unfamiliar with iptables other than adding/removing ports and other very basic functions on servers I like to add a little extra protection to. Yes, I have read about iptables limit function, yup, I get that it does what I'm after, thanks for the lead.

However, not knowing a damn thing about iptables is not going to help me to understand how I can use it to limit one or two ports while not blocking anything else. Of course I've searched for that and of course I've tried it for myself. There simply isn't enough time in a day to survive and take on learning everything about iptables to do this safely which is why I asked the community.

If all you can tell me is to go search, why the hell do you guys keep replying to my posts? Does it give you a bigger head? Great, happy that I've inflated your already large egos. You don't need to reply to me and tell me how you give of your time and that I don't deserve to be given the answers unless I go look for myself. I have explained my situation, you can go away if you can't help me, I don't need education in posting, I need help from someone who actually cares to give a guy a hand.

You don't HAVE to make other people's questions your place for debate, just move on and let someone who actually cares to help someone find the question instead of this nonsense.

Noway2 10-31-2011 08:29 AM

From: http://www.debian-administration.org/articles/187, found by a Google search for "iptables limit":

Quote:

An example is probably the simplest way to illustrate how it works. The following two rules will limit incoming connections to port 22 to no more than 3 attempts in a minute, and any more than that will be dropped:
Code:

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 -j DROP


The answer took less time to find via search than your last diatribe took to write. Your last post has also been reported as it violates several of the LQ rules.

Edit: On a personal note, you will get a lot farther in this forum if you avoid trying to make demands. If you want to make demands, try paying for support. Even with the above example, and given the lack of implementation detail you have provided, you will STILL need to read and understand how to apply the filter.

mlewis 10-31-2011 08:49 AM

Quote:

Originally Posted by Noway2 (Post 4512449)
From: http://www.debian-administration.org/articles/187, found by a Google search for "iptables limit":

The answer took less time to find via search than your last diatribe took to write. Your last post has also been reported as it violates several of the LQ rules.

Edit: On a personal note, you will get a lot farther in this forum if you avoid trying to make demands. If you want to make demands, try paying for support. Even with the above example, and given the lack of implementation detail you have provided, you will STILL need to read and understand how to apply the filter.

Get real, I'm not making any demands other than for the inflated egos to leave people alone if all they have to say is what you've just said above. Re-read the thread before you jump into the fun, you're doing the same thing I'm complaining about.

Your example, by the way, doesn't tell me anything about what I asked. I already know how to use the limit option of iptables, why don't you read the thread if you're going to bother taking the time to flame me. The implementation HAS been explained. You're just having fun at my expense.

Rules, my god, grow up. Boot me off if I'm breaking a rule by asking people to stop being such babies. There is too much of this sort of nonsense in the forums these days.

allend 10-31-2011 09:07 AM

Squeaky wheels get the oil?

Care to explain why Noway2's response does not meet the requirement in post #1?

mlewis 10-31-2011 09:19 AM

Quote:

Originally Posted by allend (Post 4512474)
Squeaky wheels get the oil?

Care to explain why Noway2's response does not meet the requirement in post #1?

As I said before, that particular server is a VoIP server which is not running iptables.
It's not like I can just add a rule, because there is no iptables running on the server.

Plus, the setup would have to be a complete one which encompasses the fact that I need to allow everything, all traffic, and only limit one port.

Since I don't know enough about iptables to build my own configuration, I was asking of someone in the community to please post a full configuration which would do this task. It would not only help me but I am sure it would help anyone else who will ever need something like this.

Telling me to go read isn't the answer for me because I am already overwhelmed with work and don't have the energy to take on something else at the moment which is why I asked for help. Otherwise, I would take the time to learn about iptables so that I could do this myself, which, I will certainly do once I have some time.

Right now, I have a server which is getting attacked and would like a little help from some friendly soul who understands when someone is simply asking for help and doesn't need a lesson in posting or searching.

allend 10-31-2011 09:38 AM

I fail to see why you cannot have iptables running with rules to limit a port. Noway2 shows the example for port 22. You have not specified the port you wish to limit.
Something like this should meet your needs.
Code:

#!/bin/sh
iptables -P INPUT ACCEPT
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --set

iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 -j DROP


mlewis 10-31-2011 09:55 AM

>I fail to see why you cannot have iptables running with rules to limit a port.
>Noway2 shows the example for port 22. You have not specified the port you
>wish to limit.

Have you never run a PBX before? If you have, you'll notice that SELinux and iptables are always turned off by default. I usually just leave it that way and use my firewalls instead to limit.

>Something like this should meet your needs.
>Code:
>
>#!/bin/sh
>iptables -P INPUT ACCEPT
>iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
>  --set
>
>iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
>  --update --seconds 60 --hitcount 4 -j DROP

It might but what's not clear to me is the rest of it. As I have said, I don't know how to build an iptables file from scratch. An iptables file cannot contain only the above information and there's more to it than just adding one rule. I can't just use the default iptables because it is based on allowing only certain ports. Again, I want to allow all traffic, making sure I am not blocking anything, and limit the one port.

The port didn't really seem to matter much as part of the post but to be specific, it is 5060. The idea is to prevent script kiddies from hammering the system with dictionary hits trying to find accounts which don't have good passwords. I just want to limit how fast/often a connection can come from one IP to help discourage such behavior.

allend 10-31-2011 10:06 AM

Quote:

and use my firewalls instead to limit

Some new information there. How are the firewalls implemented?

Quote:

Again, I want to allow all traffic, making sure I am not blocking anything, and limit the one port.

Quote:

iptables -P INPUT ACCEPT

That rule accepts everything.

Quote:

iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --set

iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent \
  --update --seconds 60 --hitcount 4 -j DROP

Those rules do the limiting. Just change port 22 to port 5060.
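As an added example (not code from any poster in this thread), here is the complete, re-runnable script that allend's snippet implies for this case: default policies accept everything, and only NEW connections to 5060 pass through the recent-module throttle. The interface eth0, the 60-second window, the hitcount of 4, the chain name SIP_LIMIT and the log prefix are assumptions; covering UDP as well as TCP and the rate-limited LOG rule go a step beyond what the thread shows.

```shell
#!/bin/sh
# Added example, not a poster's code: accept everything by default and
# throttle only NEW connections to the SIP port, in the spirit of allend's
# port-22 snippet. Assumed values: eth0, 60-second window, 4th hit dropped,
# chain name SIP_LIMIT. Run with "apply" (as root) or "show" (dry run).
IFACE="${IFACE:-eth0}"
PORT="${PORT:-5060}"
WINDOW="${WINDOW:-60}"
HITS="${HITS:-4}"
CHAIN="SIP_LIMIT"
# Wrapper so the whole ruleset can be previewed without touching the kernel.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

setup_sip_limit() {
    # Default policies ACCEPT: nothing except port $PORT is affected.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT

    # Own chain, flushed on every run, so re-running does not duplicate rules.
    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -F "$CHAIN"

    # SIP is usually UDP; the thread's examples were TCP, so cover both.
    # Caveat: conntrack sees repeated UDP datagrams from one source port as one
    # flow, so for UDP this limits new flows, not every individual request.
    for proto in tcp udp; do
        ipt -D INPUT -i "$IFACE" -p "$proto" --dport "$PORT" -m state --state NEW -j "$CHAIN" 2>/dev/null || true
        ipt -A INPUT -i "$IFACE" -p "$proto" --dport "$PORT" -m state --state NEW -j "$CHAIN"
    done

    # Source already seen HITS times inside WINDOW seconds: log (rate-limited so
    # the log cannot be flooded) and drop. --update refreshes the timestamp, so
    # a client that keeps hammering stays blocked until it backs off.
    ipt -A "$CHAIN" -m recent --name "$CHAIN" --rcheck --seconds "$WINDOW" --hitcount "$HITS" \
        -m limit --limit 6/minute -j LOG --log-prefix "SIP-LIMIT drop: "
    ipt -A "$CHAIN" -m recent --name "$CHAIN" --update --seconds "$WINDOW" --hitcount "$HITS" -j DROP
    # Otherwise record this attempt and accept it. xt_recent keeps 100 source
    # addresses by default (module parameter ip_list_tot); raise it if needed.
    ipt -A "$CHAIN" -m recent --name "$CHAIN" --set -j ACCEPT
}

case "${1:-}" in
    apply) setup_sip_limit ;;
    show)  DRY_RUN=1; setup_sip_limit ;;
    *)     ;;  # no argument: only define the functions (e.g. when sourced)
esac
```

Check the result with `iptables -L SIP_LIMIT -n -v` and `iptables -L INPUT -n -v`; blocked sources show up in the kernel log under the SIP-LIMIT prefix and in /proc/net/xt_recent/SIP_LIMIT.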

Noway2 10-31-2011 10:15 AM

You have been given the answer to what you asked for. If you won't or can't read the answer and understand it, then it is your problem, not ours. If you don't have iptables and ask for iptables scripts, again it is YOUR problem, not ours. If you don't like the answers you receive, it is YOUR problem, not ours.

If you don't understand how iptables works, which is apparent from your statements that are absolutely wrong, again that is YOUR problem, not ours.

