This one time, at band camp, Pierre Chifflier said:
> fail2ban generates rules for iptables matching only the port, for example:
> -A INPUT -p tcp -m multiport --dports 22,115 -j fail2ban-ssh
>
> This is bad, and can result in a nice DoS for NATed users: if two users
> share the same IP, and one fails 3 times to log in, then all
> connections (including already established ones) are banned.
>
> Proposed solution: filter only SYN packets, so that established
> connections are not affected, only new ones (patch attached for
> iptables-multiport; the same solution could be applied to other actions as
> well).
As Yaroslav says, this functionality is covered by iptables-new.conf. Additionally, it's a bad idea in general. It would be trivial to open up a few hundred connections, and just keep banging away long after I'm supposedly banned. Judging by the amount of hits I get on my firewall after banning someone, this is indeed what it looks like they do now, so I recommend keeping the default.
-- 
-----------------------------------------------------------------
|  ,''`.  Stephen Gran                                           |
| : :' :  [EMAIL PROTECTED]                                      |
| `. `'   Debian user, admin, and developer                      |
|   `-    http://www.debian.org                                  |
-----------------------------------------------------------------
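As an added example, not from the thread and not fail2ban's own code: the three INPUT hook rules being compared, side by side, plus a toy evaluation of which packets from a banned source each one drops. The port-only rule is Pierre's quoted one; the `--syn` rule is his proposal; the `-m state --state NEW` rule is the form I recall from fail2ban's iptables-new action, so treat that exact text, and the NAT address 203.0.113.7, as assumptions. Nothing here touches a real firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the three INPUT hook rules under
# discussion and evaluates, on a constructed packet table, which packets from
# a banned source address each rule form causes to be dropped.

PORTS="22,115"   # ports from the quoted rule
NAME="ssh"       # jail name from the quoted rule (chain fail2ban-ssh)

# Rule that diverts INPUT traffic into the per-jail chain, for a given mode.
# The "new" form is what I recall of fail2ban's iptables-new action (assumed).
hook_rule() {
  case "$1" in
    port-only) printf 'iptables -I INPUT -p tcp -m multiport --dports %s -j fail2ban-%s\n' "$PORTS" "$NAME" ;;
    syn)       printf 'iptables -I INPUT -p tcp --syn -m multiport --dports %s -j fail2ban-%s\n' "$PORTS" "$NAME" ;;
    new)       printf 'iptables -I INPUT -p tcp -m state --state NEW -m multiport --dports %s -j fail2ban-%s\n' "$PORTS" "$NAME" ;;
    *) return 1 ;;
  esac
}

# Ban rule inserted at the top of the per-jail chain; identical in every mode.
ban_rule() {
  printf 'iptables -I fail2ban-%s 1 -s %s -j DROP\n' "$NAME" "$1"
}

# Toy verdict: given the hook mode, a packet's source, the banned IP, the
# destination port, its TCP flags (SYN or ACK) and its conntrack state,
# decide whether the packet reaches the ban rule and is dropped.
# --syn is approximated as "flags == SYN"; real --syn also requires
# RST, ACK and FIN to be clear.
verdict() {
  mode=$1; src=$2; banned=$3; dport=$4; flags=$5; state=$6
  [ "$src" = "$banned" ] || { echo ACCEPT; return 0; }
  case ",$PORTS," in
    *",$dport,"*) ;;
    *) echo ACCEPT; return 0 ;;
  esac
  case "$mode" in
    port-only) echo DROP ;;
    syn) if [ "$flags" = SYN ]; then echo DROP; else echo ACCEPT; fi ;;
    new) if [ "$state" = NEW ]; then echo DROP; else echo ACCEPT; fi ;;
    *) return 1 ;;
  esac
}

# Demonstration. 203.0.113.7 is the shared NAT address (constructed).
# The ESTABLISHED row stands for both the innocent colleague's open session
# (Pierre's DoS) and an attacker's pre-opened connections (Stephen's point):
# under syn/new neither is cut off by the ban.
BANNED=203.0.113.7
for mode in port-only syn new; do
  echo "== $mode"
  hook_rule "$mode"
  ban_rule "$BANNED"
  echo "  established session from NAT: $(verdict "$mode" "$BANNED" "$BANNED" 22 ACK ESTABLISHED)"
  echo "  new SYN from NAT:             $(verdict "$mode" "$BANNED" "$BANNED" 22 SYN NEW)"
done
```

Running it shows the trade-off both messages describe: only the port-only form drops the already-established session from the NAT address, while the `--syn` and `--state NEW` forms leave every existing connection alone, whether it belongs to a bystander or to the banned attacker.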