One more bit on the use of the 'recent' match against DoS.

Pascal Hambourg wrote:
>
> The ruleset using the 'recent' match is based only on TCP packets with
> the NEW state, i.e. the initial SYN. A single SYN packet can be easily
> forged with a spoofed source address. Fail2ban is based on
> authentication failures, which first requires a TCP connection to be
> established with the 3-way handshake. As it involves a positive reply
> from the spoofed address, this is much harder to achieve, unless the
> attacker is in a special position on the network.
The 'recent' match could be used if it was possible to detect the last
packet of the TCP 3-way handshake sent by the client, confirming that the
connection is established. Unfortunately it just looks like any other ACK
packet in the stream (same TCP flags, same conntrack ctstate and ctstatus),
except that it is the first ACK (without SYN).

Using connection mark and packet mark, I guess it is possible to detect it:

  By default, packet mark and connection mark are 0.
  If an ACK is received in the original direction and the connection mark
  is 0, then set the packet mark and connection mark to 1.

Translated into iptables rules:

  # iptables-save syntax. Rule 1: the first bare ACK in the original direction
  # of a connection whose connmark is still 0 gets packet mark 1 (the 'conntrack'
  # match provides --ctstate and --ctdir).
  -A INPUT -p tcp --tcp-flags SYN,ACK,RST ACK -m connmark --mark 0 \
     -m conntrack --ctstate ESTABLISHED --ctdir ORIGINAL -j MARK --set-mark 1
  # Rule 2: copy the packet mark into the connmark so later ACKs no longer match rule 1.
  -A INPUT -p tcp -m mark --mark 1 -j CONNMARK --set-mark 1

It seems to work, but I have not tested it extensively.

WARNING: --ctdir is inverted in kernels older than 2.6.39 (fix not backported
in any stable/longterm release at kernel.org), so you must use REPLY instead
of ORIGINAL (or negation with !) if you use such a kernel.

If your ruleset already uses packet marks or connection marks for other
purposes, you may need to apply masks to divide the marks into bitfields.

Archive: http://lists.debian.org/51d1697f.8080...@plouf.fr.eu.org
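The following is an added illustration, not part of Pascal's post or of netfilter: a small Python model of his two rules, followed by two 'recent' rules (assumed here, with the list name "handshake", --seconds 60 and --hitcount 3) that count only the marked third-packet ACK per source address. It runs a constructed trace (a spoofed SYN flood from 203.0.113.0/24, a bare spoofed ACK, and one real client at 192.0.2.7 completing four handshakes to 198.51.100.10:22) to show that forged SYNs never reach the 'recent' list, that only a completed handshake does, and what the pre-2.6.39 --ctdir inversion does to the rule as written. The conntrack model is deliberately minimal: it tracks direction and the NEW/ESTABLISHED (reply seen) state but not TCP sequence numbers, which the real tracker also checks.

```python
"""Toy model of the connmark/packet-mark handshake detector plus a 'recent'
match keyed on it. Written for this page as an illustration; it is not
netfilter code. Conntrack is reduced to direction and NEW/ESTABLISHED (reply
seen); the kernel's TCP tracker additionally rejects out-of-window ACKs."""
from collections import defaultdict
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    t: float  # arrival time in seconds


class Conn:
    def __init__(self):
        self.seen_reply = False  # ctstate stays NEW until a reply-direction packet is seen
        self.connmark = 0        # connection mark, 0 by default


class Firewall:
    def __init__(self, seconds=60, hitcount=3, ctdir_inverted=False):
        self.conns = {}                  # 4-tuple of the first packet -> Conn
        self.recent = defaultdict(list)  # src address -> timestamps (the 'recent' list)
        self.seconds, self.hitcount = seconds, hitcount
        self.ctdir_inverted = ctdir_inverted  # emulate kernels older than 2.6.39
        self.marked, self.dropped = [], []

    def _conntrack(self, p):
        """Look the packet up in either direction, creating an entry if unknown."""
        orig = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if orig in self.conns:
            c, ctdir = self.conns[orig], "ORIGINAL"
        elif reply in self.conns:
            c, ctdir = self.conns[reply], "REPLY"
            c.seen_reply = True
        else:
            c = self.conns[orig] = Conn()
            ctdir = "ORIGINAL"
        return c, ("ESTABLISHED" if c.seen_reply else "NEW"), ctdir

    def output(self, p):
        """Locally generated packet (our SYN/ACK): conntrack only, no INPUT rules."""
        self._conntrack(p)

    def input(self, p):
        """Run one incoming packet through the modelled INPUT rules; ACCEPT or DROP."""
        c, ctstate, ctdir = self._conntrack(p)
        # On old kernels a rule saying --ctdir ORIGINAL really matched the reply direction.
        wanted_dir = "REPLY" if self.ctdir_inverted else "ORIGINAL"
        # -A INPUT -p tcp --tcp-flags SYN,ACK,RST ACK -m connmark --mark 0 \
        #    -m conntrack --ctstate ESTABLISHED --ctdir ORIGINAL -j MARK --set-mark 1
        if not ((p.flags & (SYN | ACK | RST)) == ACK and c.connmark == 0
                and ctstate == "ESTABLISHED" and ctdir == wanted_dir):
            return "ACCEPT"  # unmarked packets: the rest of a real ruleset is out of scope
        # -A INPUT -p tcp -m mark --mark 1 -j CONNMARK --set-mark 1
        c.connmark = 1
        self.marked.append(p)
        # Assumed extra rules (not in the post): the 'recent' match only ever sees the
        # marked packet, i.e. one hit per completed handshake.
        # -A INPUT -p tcp -m mark --mark 1 -m recent --name handshake --set
        self.recent[p.src].append(p.t)
        # -A INPUT -p tcp -m mark --mark 1 -m recent --name handshake \
        #    --update --seconds 60 --hitcount 3 -j DROP
        hits = [s for s in self.recent[p.src] if p.t - s < self.seconds]
        if len(hits) >= self.hitcount:
            self.recent[p.src].append(p.t)  # --update refreshes the entry on a match
            self.dropped.append(p)
            return "DROP"
        return "ACCEPT"


def run_trace(ctdir_inverted=False):
    """Constructed trace: spoofed SYN flood, a bare spoofed ACK, then one real client
    completing four handshakes within the 60 s window. Returns (firewall, verdicts)."""
    fw = Firewall(seconds=60, hitcount=3, ctdir_inverted=ctdir_inverted)
    srv, t = ("198.51.100.10", 22), 0.0
    for i in range(50):  # spoofed SYNs: our SYN/ACK is never acknowledged
        spoof, sport = f"203.0.113.{i + 1}", 40000 + i
        fw.input(Packet(spoof, sport, *srv, SYN, t))
        fw.output(Packet(*srv, spoof, sport, SYN | ACK, t))
        t += 0.01
    fw.input(Packet("203.0.113.200", 4444, *srv, ACK, t))  # bare ACK: ctstate NEW, not marked
    client, verdicts = "192.0.2.7", []
    for n in range(4):
        sport = 50000 + n
        t += 5.0
        fw.input(Packet(client, sport, *srv, SYN, t))
        fw.output(Packet(*srv, client, sport, SYN | ACK, t + 0.001))
        verdicts.append(fw.input(Packet(client, sport, *srv, ACK, t + 0.002)))  # third packet
        fw.input(Packet(client, sport, *srv, ACK, t + 0.5))  # data ACK: connmark is 1, not marked
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = run_trace()
    print("marked:", [(p.src, p.sport) for p in fw.marked], "verdicts:", verdicts)
```

Only the client's four third-packet ACKs are ever marked; the third and fourth of them are dropped by the hit-count rule, while the 50 spoofed SYNs and the bare ACK never touch the 'recent' list. Running the same trace with ctdir_inverted=True marks nothing at all, which is the failure mode the WARNING above describes for a rule written with --ctdir ORIGINAL on an old kernel.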