On Sun, Jun 30, 2013 at 03:15:47PM +0200, Pascal Hambourg wrote: > Redalert Commander a écrit : > > > > ---------- Forwarded message ---------- > > From: Igor Cicimov > > > >> You can block repeated attempts to log in with iptables using the > >> 'recent' module, an alternative is 'fail2ban', which monitors your > >> server logs (ssh, apache, and others) for failed login attempts and then > >> adds an iptables rule for the offending IP. > > The 'recent' match is vulnerable to source IP address spoofing and can > be abused to cause a DoS for the spoofed address. fail2ban is much less > vulnerable to such attacks. > > >> In some cases the 'limit' module for iptables might be useful, for > >> example (not really a good one): > > The limit match is even worse as it can be easily abused to cause a DoS > for all clients. > > >> iptables -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state NEW -m > >> limit --limit 1/min --limit-burst 3 -j ACCEPT > >> > >> This will only allow 1 connection attempt on an FTP server per minute, > >> with an initial burst of 3 before limiting. > > So an attacker just needs to send 3 packets per minute to block all > access for anyone to the server. Great. > > > Another option is the hashlimit module. Its based simply on the fact > > that ddos sends bursts of traffic over the connection. Example below > > for port 80 but can be applied to 22 or any othet service. > > Hashlimit won't protect against DDoS attacks or DoS attacks using source > IP address spoofing. >
IP address spoofing with TCP, what? That only works with UDP. (Hint - three way handshake for TCP). -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post. Please don't CC! I'm subscribed to whatever list I just posted on. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130630155344.gh1...@uriel.asininetech.com
