Am 05.05.2012 02:31, schrieb jdow:
>>> I don't know nessus. I am guessing that "-n 1000" part means 1000 trials
>>> and it's running as fast as it can go. The idea is to test up to your
>>> DDOS limit, wait 2 seconds, repeat. Can the test be hacked to keep your
>>> system at its limit but not over its limit?
>>
>> no idea, even if it would not help becasue a company
>> only doing certified secsancs will never change them
>> especially if your customer is their customer....
>>
>> but i found a solution!
>>
>> with "--remove" you can remove the given IP from the iptables-list
>> before the REJECT action is triggered and this way add as much
>> networks / addresses you need
>>
>>
>> $IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --set
>> $IPTABLES -I INPUT -p tcp -i eth0 -s $SECURITY_SCAN -m state --state NEW -m recent --remove
>> $IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update --seconds 1 --hitcount 75
>> -j REJECT --reject-with tcp-reset
>> $IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update --seconds 1 --hitcount 75
>> -m limit --limit 60/h -j LOG --log-prefix "Rate-Control: "
>
> As long as that does not break other iptables based protections it's a
> good enough solution. I presume you did audit the iptables setup for that
> possibility.
yes it is fine because it only affects "recent" rules with
"name: DEFAULT" and they are all on top of other rules
there are two others rejecting every connection for two seconds
after trying any port before interesting ones or typically
not public services to make portscans as hard as possible
> (As an aside the scan company should learn to adapt as more and more
> customers learn this trick and deploy it.)
i fear we are the first ones with such iptables rules and
good mod_security implementation (also had to whitelist)
they saw :-)
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
05-05-2012, 11:01 AM
jdow
iptables recent / more than one exception
On 2012/05/04 23:42, Reindl Harald wrote:
Am 05.05.2012 02:31, schrieb jdow:
I don't know nessus. I am guessing that "-n 1000" part means 1000 trials
and it's running as fast as it can go. The idea is to test up to your
DDOS limit, wait 2 seconds, repeat. Can the test be hacked to keep your
system at its limit but not over its limit?
no idea, even if it would not help becasue a company
only doing certified secsancs will never change them
especially if your customer is their customer....
but i found a solution!
with "--remove" you can remove the given IP from the iptables-list
before the REJECT action is triggered and this way add as much
networks / addresses you need
As long as that does not break other iptables based protections it's a
good enough solution. I presume you did audit the iptables setup for that
possibility.
yes it is fine because it only affects "recent" rules with
"name: DEFAULT" and they are all on top of other rules
there are two others rejecting every connection for two seconds
after trying any port before interesting ones or typically
not public services to make portscans as hard as possible
(As an aside the scan company should learn to adapt as more and more
customers learn this trick and deploy it.)
i fear we are the first ones with such iptables rules and
good mod_security implementation (also had to whitelist)
they saw :-)
It feels REALLY good when you can stay on top of the other professionals,
right? Hopefully that also is keeping you ahead of the malicious creeps.
Congratulations.
{^_^}
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
iptables recent / more than one exception
