LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-24-2010, 09:31 AM   #1
frater
Member
 
Registered: Jul 2008
Posts: 121

Rep: Reputation: 23
iptables recent


For bruteforce protection I have this chain:
Code:
-A bruteprotect -m recent --set --name BRUTEFORCE --rsource
-A bruteprotect -m recent ! --update --seconds 60 --hitcount 4 --name BRUTEFORCE --rsource -j RETURN
-A bruteprotect -j LOG --log-prefix "[DROP BRUTEFORCE] : " --log-tcp-options --log-ip-options
-A bruteprotect -j DROP
I can call that chain to protect my SSH-server
Code:
-A INPUT -p tcp -m tcp --dport 22 -j bruteprotect
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
I wanted to use this same procedure to protect a DNS-server from silly Apple requests like this.
The following example should not be used for this purpose!!:
Code:
-A dnsbugtest -m length ! --length 89 -j RETURN
-A dnsbugtest -m string --algo kmp --string ! "dnsbugtest" -j RETURN
-A dnsbugtest -m recent --set --name DNSBUGTEST --rsource
-A dnsbugtest -m recent ! --update --seconds 60 --hitcount 5 --name DNSBUGTEST --rsource -j RETURN
-A dnsbugtest -j LOG --log-prefix "[DROP dnsbugtest] : " --log-tcp-options --log-ip-options
-A dnsbugtest -j DROP
It does work in that it detects those exact DNS requests (the 1st part), but after it reaches the threshold of 5 it will block that request for as long as it keeps trying, which is forever.

That may be what you want if someone tries to log in to your SSH-server, but you don't want this with this kind of traffic.
After a minute I want to allow him again for another 5 requests.

I dismissed the limit rule because it doesn't keep different tables for each remote IP.
I experimented a while with rcheck / set and update but in the end I got a headache.

I am interested in a blocking method like the 1st example with the difference that it should ignore subsequent tries...
At the moment I'm not interested in info about 'dnsbugtest' itself, but may be later on.
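The difference between the two behaviours comes down to which packets get a timestamp in the `recent` list. The chain above runs `--set` on every packet, dropped ones included, so a source that keeps sending never falls below `--hitcount` again. If the check runs first and `--set` only runs for packets that are let through, the window drains 60 seconds after the fifth accepted packet and the source gets another five. The following simulation is an added example (not code from the original post or from the iptables project): it models the xt_recent match in plain Python (per-source ring of timestamps, `--set`, `--rcheck`, `--update`, `--seconds`, `--hitcount`, and a leading `!`) and runs both chain layouts against one packet per second from a constructed source address. Assumed: whole-second time resolution, the kernel default of 20 stamps per address, and the source address 192.0.2.10.

```python
"""Simulate the iptables 'recent' match to compare two chain layouts.

Added example, not code from the original post.  It models xt_recent
(per-source ring of packet timestamps; --set, --rcheck and --update with
--seconds/--hitcount) so the poster's "set, then ! --update" chain can be
compared offline with a "rcheck first, set only on accepted packets" chain.
Assumptions: whole-second time resolution, the kernel default of 20 stamps
per address (ip_pkt_list_tot), constructed source address 192.0.2.10.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # stamps kept per address (kernel module default)


class RecentTable:
    """One --name table: source address -> ring of packet timestamps."""

    def __init__(self):
        self.entries = defaultdict(lambda: deque(maxlen=IP_PKT_LIST_TOT))

    def set(self, src, now):
        """--set: record this packet for src; always matches."""
        self.entries[src].append(now)
        return True

    def check(self, src, now, seconds, hitcount, update=False, invert=False):
        """--rcheck / --update: match when src has at least `hitcount`
        stamps younger than `seconds`.  `invert` models a leading '!'.
        --update records the packet only when the rule, with any '!'
        applied, matches; that is how xt_recent applies the refresh, so a
        negated --update stamps packets that are still below the threshold."""
        matched = invert
        stamps = self.entries.get(src)
        if stamps is None:
            return invert          # unknown address: only the '!' form matches
        hits = sum(1 for t in stamps if now - t < seconds)
        if hits >= hitcount:
            matched = not matched
        if update and matched:
            stamps.append(now)
        return matched


def poster_chain(table, src, now):
    """Layout from the post:
         -m recent --set --name X
         -m recent ! --update --seconds 60 --hitcount 5 --name X -j RETURN
         -j DROP
    Every packet adds a stamp, so a source that keeps sending stays over
    the threshold for as long as it tries."""
    table.set(src, now)
    if table.check(src, now, 60, 5, update=True, invert=True):
        return "RETURN"   # back to INPUT, where the port is ACCEPTed
    return "DROP"


def rcheck_chain(table, src, now):
    """Alternative layout (this example's suggestion, same -m recent options):
         -m recent --rcheck --seconds 60 --hitcount 5 --name X -j LOG ...
         -m recent --rcheck --seconds 60 --hitcount 5 --name X -j DROP
         -m recent --set --name X
         -j RETURN
    --rcheck never modifies the list, so only accepted packets are stamped
    and the window empties 60 s after the fifth accepted packet."""
    if table.check(src, now, 60, 5):
        return "DROP"
    table.set(src, now)
    return "RETURN"


def simulate(chain, duration=180, src="192.0.2.10"):
    """Constructed traffic: one packet per second from src for `duration`
    seconds; returns the times of the packets that were let through."""
    table = RecentTable()
    return [t for t in range(duration) if chain(table, src, t) == "RETURN"]


def accepted_per_minute(times, duration=180):
    """How many packets passed in each 60-second slice of the run."""
    return [sum(1 for t in times if m * 60 <= t < (m + 1) * 60)
            for m in range(duration // 60)]


if __name__ == "__main__":
    for name, chain in (("set, then ! --update", poster_chain),
                        ("rcheck, then set", rcheck_chain)):
        passed = simulate(chain)
        print(f"{name:22s} passed per minute: {accepted_per_minute(passed)}")
```

Run as a script it prints `[2, 0, 0]` for the poster's layout and `[5, 5, 5]` for the rcheck-first layout. The first figure is lower than the five the chain appears to allow because, in this model of the kernel logic, the negated `--update` adds a second stamp to every packet that is still under the threshold; with `--set` already stamping every packet, that detail only changes how soon the lockout starts, not the fact that it never ends while the source keeps sending. The rcheck-first layout gives exactly five packets per 60-second window per source, which is the behaviour asked for; running `--rcheck` twice (once for LOG, once for DROP) is safe because it does not touch the list, and the live entries can be inspected in `/proc/net/xt_recent/<name>`. Since the list is keyed by source address and DNS is UDP, a spoofed source can fill another host's counter, so a rule like this is a per-source rate limit rather than a defence against forged traffic.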
 
Old 11-25-2010, 10:13 AM   #2
frater
Member
 
Registered: Jul 2008
Posts: 121

Original Poster
Rep: Reputation: 23
No-one has an idea how to do this?