you are opening the doors for a DOS attack with the log-rule! iptables logging needs to be rate-limit always because how it works otherwise you have a problem the first time it really happens seriously
-m limit --limit 1/m Am 09.04.2014 12:39, schrieb Fabien Bourdaire: > We've created some iptables rules to block all heartbeat queries using > the very powerful u32 module. > > The rules allow you to mitigate systems that can't yet be patched by > blocking ALL the heartbeat handshakes. We also like the capability to > log external scanners ;) > > The rules have been specifically created for HTTPS traffic and may be > adapted for other protocols; SMTPS/IMAPS/... > > > # Log rules > iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \ > "52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT" > > # Block rules > iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \ > "52=0x18030000:0x1803FFFF" -j DROP > > # Wireshark rules > $ tshark -i interface port 443 -R 'frame[68:1] == 18' > $ tshark -i interface port 443 -R 'ssl.record.content_type == 24' > > > We believe that this should only be used as a temporary fix to decrease > the exposure window. The log rule should allow you to test the firewall > rules before being used in production. It goes without saying that if > you have any suggested improvements to these rules we would be grateful > if you could share them with the security community. > > Clearly, use of these rules is at your own risk :)
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
