[CentOS] Centos VPS Kernel 2.6.35.4 & 'string-less' IP tables

Lamar Owen lowen at pari.edu
Wed Aug 31 17:01:47 UTC 2011


On Wednesday, August 31, 2011 11:15:20 AM Always Learning wrote:
> Dangerous to ignore any background noise - far better to
> firmly shut the door and fill-in all known holes. 

The unknown holes are the ones that will get you.

You are also setting yourself up for a denial-of-service vector.  Refresh yourself on the three-way TCP handshake and how HTTP is embedded in that and be enlightened (IOW, there is a connection already set up and a listener thread connected by the time the GET HTTP directive is issued).  Also understand that IP address spoofing is fairly common... and within the reach of the most green script kiddie.

The fail2ban solution, while it is somewhat of a 'shut the barn door after the horses are out' thing, is less likely to cause a DoS.  And it will likely prevent escalation, which is what you're really after.

Plus, you'll want to see how much of a load the string matching at the IPtables level puts on your VPS; it may be enough to create a DoS vector there, too.

On today's Internet you are simply not going to catch 100% of the attacks, full stop.  You can mitigate them (SELinux is one tool in the mitigation arsenal, as is fail2ban and IPtables).  But that is all.  You will be attacked; that is axiomatic on today's Internet.
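The log-driven banning approach contrasted above with packet-level string matching, as an added example that is not part of the original post and not fail2ban's own code: a minimal sliding-window ban decision in Python. It assumes Apache "combined" access-log lines (the sample lines below are constructed), the option names `maxretry` and `findtime` are borrowed from fail2ban's vocabulary, and the iptables command is only rendered as a string, never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines in Apache "combined" format (not a real server's log).
# 203.0.113.7 probes four admin paths within a few seconds; 198.51.100.9 produces
# the same number of 404s but spread over minutes; 192.0.2.5 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2011:17:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "scanner"
192.0.2.5 - - [31/Aug/2011:17:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2011:17:00:05 +0000] "GET /pma/ HTTP/1.1" 404 210 "-" "scanner"
198.51.100.9 - - [31/Aug/2011:17:00:07 +0000] "GET /old.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2011:17:00:09 +0000] "GET /myadmin/ HTTP/1.1" 404 210 "-" "scanner"
203.0.113.7 - - [31/Aug/2011:17:00:12 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "scanner"
198.51.100.9 - - [31/Aug/2011:17:02:30 +0000] "GET /gone.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Aug/2011:17:05:00 +0000] "GET /missing.html HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Client IP, bracketed timestamp, quoted request line, three-digit status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, status) for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def find_bans(log_text, maxretry=3, findtime=timedelta(seconds=60), statuses=(404,)):
    """Sliding-window counter: an IP is banned once it accumulates `maxretry` matching
    entries within `findtime`. The option names mirror fail2ban's, but this is a
    standalone illustration, not fail2ban's implementation."""
    recent = defaultdict(deque)   # ip -> timestamps of matching hits still inside the window
    bans = {}                     # ip -> time at which the ban decision was made
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status not in statuses or ip in bans:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()      # expire hits older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def ban_commands(bans):
    """Render the firewall action as strings (returned for review, never executed here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    for cmd in ban_commands(find_bans(SAMPLE_LOG)):
        print(cmd)
```

Running it bans only 203.0.113.7 (three 404s in eight seconds); 198.51.100.9 has as many 404s but they fall outside the 60-second window. The detection runs on log entries, and an entry only exists once a peer has completed the handshake and sent a request, so a spoofed source address cannot get a third party banned; that is the difference from matching strings on individual packets that the post draws.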
