iptables rules to limit attack

List overview All Threads
Download

newer

older

Is GFS for HPC?

Anyone successfully using CentOS 5...

chloe K

26 Feb 2009 26 Feb '09

4:52 p.m.

Hi all

ks there iptables rules to limit attack?

Thank you

--------------------------------- Be smarter than spam. See how smart SpamGuard is at giving junk email the boot with the All-new Yahoo! Mail

Attachments:

attachment.html (text/html — 331 bytes)

Show replies by date

Bo Lynch

26 Feb 26 Feb

4:57 p.m.

On Thu, February 26, 2009 10:52 am, chloe K wrote:

...

Hi all

ks there iptables rules to limit attack?

Thank you

Could you give a little more info? Bo Lynch

Andrew Hull

5:29 p.m.

chloe K wrote:

...

Hi all

ks there iptables rules to limit attack?

Thank you

Hi, Below is an example that I use to limit the rate of new connections to a particular port/service. You should be able to mold this to work with whatever service you would like to protect.

Add the first line to your main input chain. This will limit new connections to tcp/22 to a rate of 4/minute/uniqueIP.

Another benefit for me, is that this uses the modules that come with the CentOS stock kernel... no extra mussing to get it to work.

Andy

-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 22 / --state NEW -j SSH_CHECK

-A SSH_CHECK -s *WHITELIST ADDRESSES* -j ACCEPT -A SSH_CHECK -m recent --set --name SSH --rsource -A SSH_CHECK -m recent -j LOG --log-prefix "SSH Drop " / --update --seconds 60 --hitcount 4 --name SSH --rsource -A SSH_CHECK -m recent -j DROP --update --seconds 60 --hitcount / 4 --name SSH --rsource -A SSH_CHECK -j ACCEPT

chloe K

7:45 p.m.

Thank you

Can I know how to define the "SSH_CHECK" and white list?

I only know to use iptables -A

Thank you

Andrew Hull list@racc2000.com wrote: chloe K wrote:

...

Hi all

ks there iptables rules to limit attack?

Thank you

Hi, Below is an example that I use to limit the rate of new connections to a particular port/service. You should be able to mold this to work with whatever service you would like to protect.

Add the first line to your main input chain. This will limit new connections to tcp/22 to a rate of 4/minute/uniqueIP.

Another benefit for me, is that this uses the modules that come with the CentOS stock kernel... no extra mussing to get it to work.

Andy

-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 22 / --state NEW -j SSH_CHECK

--------------------------------- Looking for the perfect gift? Give the gift of Flickr!

Andrew Hull

8:41 p.m.

chloe K wrote:

...

Thank you

Can I know how to define the "SSH_CHECK" and white list?

I only know to use iptables -A

Thank you

Hello, When you're entering the rules from the CLI, the first time you reference a chain, you need to use -N (for "new") instead of -A (for "append").

So, using my example....

#iptables -N SSH_CHECK -s *WHITELIST ADDRESSES* -j ACCEPT #iptables -A SSH_CHECK -m recent --set --name SSH --rsource

and so on.

I use the first line of the SSH_CHECK chain to keep from accidentally locking myself out of my server.

If, for instance, I have control and trust over a particular IP address or subnet, I can use the first line to explude them from being rate-limited...

#iptables -N SSH_CHECK -s 127.219.24.149 -j ACCEPT or #iptables -N SSH_CHECK -s 127.247.67.0/24 -j ACCEPT (ip addresses changed to protect the innocent)

I think that'll do you, Andy