* ssh overflow blacklisting not working properly @ 2010-03-29 7:31 J. Bakshi 2010-03-29 8:18 ` Richard Horton 0 siblings, 1 reply; 11+ messages in thread From: J. Bakshi @ 2010-03-29 7:31 UTC (permalink / raw) To: netfilter Dear list, Could some one please help me to identify the problem in my ssh overflow blacklisting rule sets ? I already have these rule sets to prevent ssh overflow. Please note my firewall is default DROP policy. #---------------- ssh incoming----------------# # NB: Block the overflow ip for 3 min # max 3 connection per min per ip iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m hashlimit \ --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \ --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT #----------------------------------------# As expected connection attempt more than 3 in a min is dropped and ensure only 3 connection per minute. But It should also block the source IP for 3 min and this part is not working here. Could any one kindly suggest any clue or reason behind this ? Thanks -- জয়দীপ বক্সী ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: ssh overflow blacklisting not working properly 2010-03-29 7:31 ssh overflow blacklisting not working properly J. Bakshi @ 2010-03-29 8:18 ` Richard Horton 2010-03-29 10:51 ` J. Bakshi 0 siblings, 1 reply; 11+ messages in thread From: Richard Horton @ 2010-03-29 8:18 UTC (permalink / raw) To: J. Bakshi; +Cc: netfilter On 29 March 2010 08:31, J. Bakshi <joydeep@infoservices.in> wrote: > > iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m > hashlimit \ > --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \ > --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT > > #----------------------------------------# > > As expected connection attempt more than 3 in a min is dropped and > ensure only 3 connection per minute. But It should also block the source > IP for 3 min and this part is not working here. Could any one kindly > suggest any clue or reason behind this ? Unless you have other rules floating around all the rule does is allow upto 3 connections per minute to ssh based on source-ip. It won't block other connections from that source ip, just the ssh ones which exceed your defined limit (3/min). I'd guess from your comments there are additional rules, without seeing them though very hard to work out what is wrong as all I can say is that rule does its job... blocking ssh > 3 connection attempts per min per soucre ip. R. ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: ssh overflow blacklisting not working properly 2010-03-29 8:18 ` Richard Horton @ 2010-03-29 10:51 ` J. Bakshi 2010-03-29 11:05 ` Jan Engelhardt 0 siblings, 1 reply; 11+ messages in thread From: J. Bakshi @ 2010-03-29 10:51 UTC (permalink / raw) To: Richard Horton; +Cc: netfilter On 03/29/2010 01:48 PM, Richard Horton wrote: > On 29 March 2010 08:31, J. Bakshi <joydeep@infoservices.in> wrote: > >> iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m >> hashlimit \ >> --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \ >> --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT >> >> #----------------------------------------# >> >> As expected connection attempt more than 3 in a min is dropped and >> ensure only 3 connection per minute. But It should also block the source >> IP for 3 min and this part is not working here. Could any one kindly >> suggest any clue or reason behind this ? >> > > Unless you have other rules floating around all the rule does is allow > upto 3 connections per minute to ssh based on source-ip. It won't > block other connections from that source ip, just the ssh ones which > exceed your defined limit (3/min). > > I'd guess from your comments there are additional rules, without > seeing them though very hard to work out what is wrong as all I can > say is that rule does its job... blocking ssh > 3 connection attempts > per min per soucre ip. > > Thanks for your attention. Yes, I have already mentioned that it does the overflow restriction i.e. 3 connection/per min/per src ip But additionally it should block that ip for 3 min as ``````````` --hashlimit-htable-expire 180000 ``````````` Unfortunately it is not doing that. -- জয়দীপ বক্সী ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: ssh overflow blacklisting not working properly 2010-03-29 10:51 ` J. Bakshi @ 2010-03-29 11:05 ` Jan Engelhardt 2010-03-29 11:22 ` J. Bakshi 2010-03-29 11:22 ` J. Bakshi 0 siblings, 2 replies; 11+ messages in thread From: Jan Engelhardt @ 2010-03-29 11:05 UTC (permalink / raw) To: J. Bakshi; +Cc: Richard Horton, netfilter On Monday 2010-03-29 12:51, J. Bakshi wrote: >On 03/29/2010 01:48 PM, Richard Horton wrote: >> On 29 March 2010 08:31, J. Bakshi <joydeep@infoservices.in> wrote: >> >>> iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m >>> hashlimit \ >>> --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \ >>> --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT >>> >>> #----------------------------------------# >>> >>> As expected connection attempt more than 3 in a min is dropped and >>> ensure only 3 connection per minute. But It should also block the source >>> IP for 3 min and this part is not working here. It should not block it, it's not part of the definition of the S-TBF (or any other) limiter. You have to use -m recent as a list to store entries once they have gone over their limit. ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: ssh overflow blacklisting not working properly 2010-03-29 11:05 ` Jan Engelhardt @ 2010-03-29 11:22 ` J. Bakshi 2010-03-29 11:22 ` J. Bakshi 1 sibling, 0 replies; 11+ messages in thread From: J. Bakshi @ 2010-03-29 11:22 UTC (permalink / raw) To: Jan Engelhardt; +Cc: Richard Horton, netfilter On 03/29/2010 04:35 PM, Jan Engelhardt wrote: > On Monday 2010-03-29 12:51, J. Bakshi wrote: > >> On 03/29/2010 01:48 PM, Richard Horton wrote: >> >>> On 29 March 2010 08:31, J. Bakshi <joydeep@infoservices.in> wrote: >>> >>> >>>> iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m >>>> hashlimit \ >>>> --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \ >>>> --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT >>>> >>>> #----------------------------------------# >>>> >>>> As expected connection attempt more than 3 in a min is dropped and >>>> ensure only 3 connection per minute. But It should also block the source >>>> IP for 3 min and this part is not working here. >>>> > It should not block it, it's not part of the definition of the > S-TBF (or any other) limiter. You have to use -m recent as a list > to store entries once they have gone over their limit. > > Could you kindly enlighten me in that direcxtion with possibly little examples. thanks -- জয়দীপ বক্সী ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: ssh overflow blacklisting not working properly 2010-03-29 11:05 ` Jan Engelhardt 2010-03-29 11:22 ` J. Bakshi @ 2010-03-29 11:22 ` J. Bakshi 2010-03-29 11:54 ` Richard Horton 1 sibling, 1 reply; 11+ messages in thread From: J. Bakshi @ 2010-03-29 11:22 UTC (permalink / raw) To: Jan Engelhardt; +Cc: Richard Horton, netfilter On 03/29/2010 04:35 PM, Jan Engelhardt wrote: > On Monday 2010-03-29 12:51, J. Bakshi wrote: > >> On 03/29/2010 01:48 PM, Richard Horton wrote: >> >>> On 29 March 2010 08:31, J. Bakshi <joydeep@infoservices.in> wrote: >>> >>> >>>> iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m >>>> hashlimit \ >>>> --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \ >>>> --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT >>>> >>>> #----------------------------------------# >>>> >>>> As expected connection attempt more than 3 in a min is dropped and >>>> ensure only 3 connection per minute. But It should also block the source >>>> IP for 3 min and this part is not working here. >>>> > It should not block it, it's not part of the definition of the > S-TBF (or any other) limiter. You have to use -m recent as a list > to store entries once they have gone over their limit. > > Could you kindly enlighten me in that direction with possibly little examples. thanks -- জয়দীপ বক্সী ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: ssh overflow blacklisting not working properly 2010-03-29 11:22 ` J. Bakshi @ 2010-03-29 11:54 ` Richard Horton 2010-03-29 15:10 ` J. Bakshi 2010-03-30 7:42 ` J. Bakshi 0 siblings, 2 replies; 11+ messages in thread From: Richard Horton @ 2010-03-29 11:54 UTC (permalink / raw) To: J. Bakshi; +Cc: Jan Engelhardt, netfilter > Could you kindly enlighten me in that direction with possibly little > examples. > # Generated by iptables-save v1.4.5 on Mon Mar 29 12:04:05 2010 *filter :INPUT ACCEPT [1:68] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1:68] -A INPUT -p tcp -m hashlimit --hashlimit-above 3/min --hashlimit-burst 1 --hashlimit-name hashlimit -m state --state NEW -m tcp --dport 22 -j MARK --set-xmark 0x1/0xffffffff -A INPUT -m recent --rcheck --seconds 600 --name DEFAULT --rsource -j DROP -A INPUT -m mark --mark 0x1 -m recent --set --name DEFAULT --rsource -j DROP COMMIT # Completed on Mon Mar 29 12:04:05 2010 Should do what you're looking for... Rule 1: Check the hashlimit and if more than 3/min then mark the packets. Rule 2: Check the recent table to see if the address is in it and has been seen in the last 10 mins and drop if it has Rule 3: If the packet has been marked by rule 1 (actually could be combined with rule one just gets to a long line and a mess to explain) add the source address (the --set option of recent) and drop. ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: ssh overflow blacklisting not working properly 2010-03-29 11:54 ` Richard Horton @ 2010-03-29 15:10 ` J. Bakshi 2010-03-30 7:42 ` J. Bakshi 1 sibling, 0 replies; 11+ messages in thread From: J. Bakshi @ 2010-03-29 15:10 UTC (permalink / raw) To: Richard Horton; +Cc: Jan Engelhardt, netfilter On Mon, 29 Mar 2010 12:54:53 +0100 Richard Horton <arimus.uk@googlemail.com> wrote: > > Could you kindly enlighten me in that direction with possibly little > > examples. > > > > # Generated by iptables-save v1.4.5 on Mon Mar 29 12:04:05 2010 > *filter > :INPUT ACCEPT [1:68] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [1:68] > -A INPUT -p tcp -m hashlimit --hashlimit-above 3/min --hashlimit-burst > 1 --hashlimit-name hashlimit -m state --state NEW -m tcp --dport 22 -j > MARK --set-xmark 0x1/0xffffffff > -A INPUT -m recent --rcheck --seconds 600 --name DEFAULT --rsource -j > DROP -A INPUT -m mark --mark 0x1 -m recent --set --name DEFAULT > --rsource -j DROP COMMIT > # Completed on Mon Mar 29 12:04:05 2010 > > Should do what you're looking for... > > Rule 1: Check the hashlimit and if more than 3/min then mark the > packets. > > Rule 2: Check the recent table to see if the address is in it and has > been seen in the last 10 mins and drop if it has > > Rule 3: If the packet has been marked by rule 1 (actually could be > combined with rule one just gets to a long line and a mess to explain) > add the source address (the --set option of recent) and drop. many many thanks for the example and clarification. I must give it a try, though my firewall is default DROP, but I am eager to see the result. with regards ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: ssh overflow blacklisting not working properly 2010-03-29 11:54 ` Richard Horton 2010-03-29 15:10 ` J. Bakshi @ 2010-03-30 7:42 ` J. Bakshi 2010-03-30 8:23 ` Richard Horton 1 sibling, 1 reply; 11+ messages in thread From: J. Bakshi @ 2010-03-30 7:42 UTC (permalink / raw) To: Richard Horton; +Cc: Jan Engelhardt, netfilter On 03/29/2010 05:24 PM, Richard Horton wrote: >> Could you kindly enlighten me in that direction with possibly little >> examples. >> >> > # Generated by iptables-save v1.4.5 on Mon Mar 29 12:04:05 2010 > *filter > :INPUT ACCEPT [1:68] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [1:68] > -A INPUT -p tcp -m hashlimit --hashlimit-above 3/min --hashlimit-burst > 1 --hashlimit-name hashlimit -m state --state NEW -m tcp --dport 22 -j > MARK --set-xmark 0x1/0xffffffff > -A INPUT -m recent --rcheck --seconds 600 --name DEFAULT --rsource -j DROP > -A INPUT -m mark --mark 0x1 -m recent --set --name DEFAULT --rsource -j DROP > COMMIT > # Completed on Mon Mar 29 12:04:05 2010 > > Should do what you're looking for... > > Rule 1: Check the hashlimit and if more than 3/min then mark the packets. > > Rule 2: Check the recent table to see if the address is in it and has > been seen in the last 10 mins and drop if it has > > Rule 3: If the packet has been marked by rule 1 (actually could be > combined with rule one just gets to a long line and a mess to explain) > add the source address (the --set option of recent) and drop. > > Unfortunately the rules are not working with default DROP iptables :-( -- জয়দীপ বক্সী ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: ssh overflow blacklisting not working properly 2010-03-30 7:42 ` J. Bakshi @ 2010-03-30 8:23 ` Richard Horton 2010-03-30 8:52 ` J. Bakshi 0 siblings, 1 reply; 11+ messages in thread From: Richard Horton @ 2010-03-30 8:23 UTC (permalink / raw) To: J. Bakshi; +Cc: Jan Engelhardt, netfilter My bad... you still need a rule to accept ssh traffic... so add a fourth rule -A INPUT -p tcp --dport ssh -m state NEW -j ACCEPT and a fifth -A INPUT -p tcp -m state ESTABLISHED,RELATED -j ACCEPT The fourth rule accepts SSH which hasn't been dropped by the first 3 rules, the fifth just allows established sessions and related. You'll need to tighten the fourth rule as appropriate but you don't need to add the rate limiting stuff as that's delt with so just tighten allowed addresses,ports etc. (Tip: unless you've moved a service from its usual port you can use the name from /etc/services for the port number, and for the -p <protoocl> you can use the names from /etc/protocols) -- Richard Horton Users are like a virus: Each causing a thousand tiny crises until the host finally dies. http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats http://www.pbase.com/arimus - My online photogallery ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: ssh overflow blacklisting not working properly 2010-03-30 8:23 ` Richard Horton @ 2010-03-30 8:52 ` J. Bakshi 0 siblings, 0 replies; 11+ messages in thread From: J. Bakshi @ 2010-03-30 8:52 UTC (permalink / raw) To: Richard Horton; +Cc: Jan Engelhardt, netfilter On 03/30/2010 01:53 PM, Richard Horton wrote: > My bad... you still need a rule to accept ssh traffic... > > so add a fourth rule > > -A INPUT -p tcp --dport ssh -m state NEW -j ACCEPT > > and a fifth > -A INPUT -p tcp -m state ESTABLISHED,RELATED -j ACCEPT > > The fourth rule accepts SSH which hasn't been dropped by the first 3 > rules, the fifth just allows established sessions and related. > > You'll need to tighten the fourth rule as appropriate but you don't > need to add the rate limiting stuff as that's delt with so just > tighten allowed addresses,ports etc. > > (Tip: unless you've moved a service from its usual port you can use > the name from /etc/services for the port number, and for the -p > <protoocl> you can use the names from /etc/protocols) > > > Hello Richard, many many thanks for your help, clarification and tips, but this time with all the five rule sets it is no more possible to login through ssh any more. Hence I ahve kept my earlies one i.e. Note: I am not running ssh at default port, hence $SSH_PORT is there to define it at the begging . ``````````````````` iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -m hashlimit \ --hashlimit 3/min --hashlimit-burst 1 --hashlimit-htable-expire 180000 \ --hashlimit-mode srcip --hashlimit-name sshlimit -j ACCEPT ````````````````````````` and here is the iptables-save ````````````````` # Completed on Tue Mar 30 14:06:11 2010 # Generated by iptables-save v1.4.2 on Tue Mar 30 14:06:11 2010 *filter :INPUT DROP [0:0] :FORWARD DROP [1:40] :OUTPUT DROP [2:544] :syn-flood - [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i eth0 -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP -A INPUT -i eth1 -m recent --rcheck --seconds 60 --name blacklist --rsource -j DROP -A INPUT -i eth1 -p tcp -m tcp --dport 60650 -j ACCEPT -A INPUT -s 122.160.37.80/32 -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT -A INPUT -s 122.160.37.80/32 -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s 122.176.30.116/32 -i eth1 -j DROP -A INPUT -s 10.0.0.0/8 -i eth1 -j DROP -A INPUT -s 172.16.0.0/12 -i eth1 -j DROP -A INPUT -s 192.168.0.0/16 -i eth1 -j DROP -A INPUT -s 224.0.0.0/4 -i eth1 -j DROP -A INPUT -s 240.0.0.0/5 -i eth1 -j DROP -A INPUT -d 127.0.0.0/8 -i eth1 -j DROP -A INPUT -i eth1 -p tcp -m tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "TCP Port 0 OS fingerprint: " -A INPUT -i eth1 -p udp -m udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "UDP Port 0 OS fingerprint: " -A INPUT -i eth1 -p tcp -m tcp --dport 0 -j DROP -A INPUT -i eth1 -p udp -m udp --dport 0 -j DROP -A INPUT -i eth1 -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Possible DRDOS abuse: " -A INPUT -i eth1 -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-prefix "AIF:Possible DRDOS abuse: " -A INPUT -i eth1 -p tcp -m tcp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DROP -A INPUT -i eth1 -p udp -m udp ! --dport 2049 -m multiport --sports 20,21,22,23,80,110,143,443,993,995 -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS scan: " -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m recent --set --name blacklist --rsource -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-PSH scan: " -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m limit --limit 3/min -j LOG --log-prefix "Stealth XMAS-ALL scan: " -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m limit --limit 3/min -j LOG --log-prefix "Stealth FIN scan: " -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN -m recent --set --name blacklist --rsource -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/RST scan: " -A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth SYN/FIN scan?: " -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 3/min -j LOG --log-prefix "Stealth Null scan: " -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m recent --set --name blacklist --rsource -j DROP -A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP -A INPUT -i eth1 -p tcp -m tcp --dport 1024 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (UNPRIV)?: " -A INPUT -i eth1 -p tcp -m tcp --dport 1024 ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP -A INPUT -i eth1 -p tcp -m tcp --dport 1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 3/min -j LOG --log-prefix "Stealth scan (PRIV)?: " -A INPUT -i eth1 -p tcp -m tcp --dport 1023 ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP -A INPUT -i eth1 -p tcp -m tcp --dport 1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:PRIV connect attempt: " -A INPUT -i eth1 -p tcp -m tcp --dport 1023 -j DROP -A INPUT -i eth1 -p udp -m udp --dport 1023 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: " -A INPUT -i eth1 -p udp -m udp --dport 1023 -j DROP -A INPUT -i eth1 -p tcp -m tcp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: " -A INPUT -i eth1 -p udp -m udp --dport 1024 -m limit --limit 6/min --limit-burst 2 -j LOG --log-prefix "AIF:UNPRIV connect attempt: " -A INPUT -i eth1 -p tcp -m tcp --tcp-option 64 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(64): " -A INPUT -i eth1 -p tcp -m tcp --tcp-option 64 -j DROP -A INPUT -i eth1 -p tcp -m tcp --tcp-option 128 -m limit --limit 3/min --limit-burst 1 -j LOG --log-prefix "Bad TCP flag(128): " -A INPUT -i eth1 -p tcp -m tcp --tcp-option 128 -j DROP -A INPUT -i eth1 -p tcp -m state --state INVALID -m limit --limit 1/min --limit-burst 2 -j LOG --log-prefix "AIF:INVALID TCP: " -A INPUT -i eth1 -p udp -m state --state INVALID -m limit --limit 1/min --limit-burst 2 -j LOG --log-prefix "AIF:INVALID UDP: " -A INPUT -i eth1 -m state --state INVALID -j DROP -A INPUT -s 4.2.2.2/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT -A INPUT -s 208.67.222.222/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT -A INPUT -s 208.67.220.220/32 -i eth1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-name sshlimit --hashlimit-htable-expire 180000 -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -p tcp -m tcp --dport 60021 -j ACCEPT -A INPUT -p tcp -m tcp --dport 62222:63333 -j ACCEPT -A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood -A INPUT -i eth1 -j syn-flood -A INPUT -i eth1 -p udp -m limit --limit 3/min -j LOG --log-prefix "UDP-IN-Notallowed: " --log-level 7 -A INPUT -i eth1 -p udp -j DROP -A INPUT -i eth1 -p icmp -m limit --limit 3/min -j LOG --log-prefix "ICMP-IN-Notallowed: " -A INPUT -i eth1 -p icmp -j DROP -A INPUT -i eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-IN-Notallowed: " --log-level 7 -A INPUT -i eth1 -p tcp -j DROP -A INPUT -i eth1 -m limit --limit 3/min -j LOG --log-prefix "PROTOCOL-X-IN-Notallowed: " --log-level 7 -A INPUT -i eth1 -j DROP -A FORWARD -i eth0 -j ACCEPT -A FORWARD -s 192.168.0.0/24 -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -o eth0 -j ACCEPT -A OUTPUT -o eth1 -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -d 4.2.2.2/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 208.67.222.222/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -d 208.67.220.220/32 -o eth1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT -A OUTPUT -o eth1 -p udp -m udp --sport 32769:65535 --dport 33434:33523 -m state --state NEW -j ACCEPT -A OUTPUT -d 66.35.250.209/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT -A OUTPUT -d 213.133.106.107/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT -A OUTPUT -d 80.237.136.138/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT -A OUTPUT -d 204.174.223.204/32 -o eth1 -p tcp -m tcp --dport 80 -j ACCEPT -A OUTPUT -o eth1 -p udp -m limit --limit 3/min -j LOG --log-prefix "UDP-OUT-Notallowed: " --log-level 7 -A OUTPUT -o eth1 -p udp -j DROP -A OUTPUT -o eth1 -p icmp -m limit --limit 3/min -j LOG --log-prefix "ICMP-OUT-Notallowed: " -A OUTPUT -o eth1 -p icmp -j DROP -A OUTPUT -o eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-OUT-Notallowed: " --log-level 7 -A OUTPUT -o eth1 -p tcp -j DROP -A OUTPUT -o eth1 -p tcp -m limit --limit 3/min -j LOG --log-prefix "TCP-OUT-Notallowed: " --log-level 7 -A OUTPUT -o eth1 -p tcp -j DROP -A OUTPUT -o eth1 -m limit --limit 3/min -j LOG --log-prefix "PROTOCOL-X-OUT-Notallowed: " --log-level 7 -A OUTPUT -o eth1 -j DROP -A syn-flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m hashlimit --hashlimit-upto 4/sec --hashlimit-burst 4 --hashlimit-mode srcip --hashlimit-name testlimit --hashlimit-htable-expire 300000 -j RETURN -A syn-flood -m recent --set --name blacklist --rsource -j DROP COMMIT # Completed on Tue Mar 30 14:06:11 2010 -- জয়দীপ বক্সী ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2010-03-30 8:52 UTC | newest] Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2010-03-29 7:31 ssh overflow blacklisting not working properly J. Bakshi 2010-03-29 8:18 ` Richard Horton 2010-03-29 10:51 ` J. Bakshi 2010-03-29 11:05 ` Jan Engelhardt 2010-03-29 11:22 ` J. Bakshi 2010-03-29 11:22 ` J. Bakshi 2010-03-29 11:54 ` Richard Horton 2010-03-29 15:10 ` J. Bakshi 2010-03-30 7:42 ` J. Bakshi 2010-03-30 8:23 ` Richard Horton 2010-03-30 8:52 ` J. Bakshi
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.