Redalert Commander wrote:
>
> ---------- Forwarded message ----------
> From: Igor Cicimov
>
>> You can block repeated attempts to log in with iptables using the
>> 'recent' module, an alternative is 'fail2ban', which monitors your
>> server logs (ssh, apache, and others) for failed login attempts and then
>> adds an iptables rule for the offending IP.

The 'recent' match is vulnerable to source IP address spoofing and can be
abused to cause a DoS for the spoofed address. fail2ban is much less
vulnerable to such attacks.

>> In some cases the 'limit' module for iptables might be useful, for
>> example (not really a good one):

The limit match is even worse as it can be easily abused to cause a DoS
for all clients.

>> iptables -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state NEW -m
>> limit --limit 1/min --limit-burst 3 -j ACCEPT
>>
>> This will only allow 1 connection attempt on an FTP server per minute,
>> with an initial burst of 3 before limiting.

So an attacker just needs to send 3 packets per minute to block all access
for anyone to the server. Great.

> Another option is the hashlimit module. It's based simply on the fact
> that DDoS sends bursts of traffic over the connection. Example below
> for port 80 but can be applied to 22 or any other service.

Hashlimit won't protect against DDoS attacks or DoS attacks using source
IP address spoofing.

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51d02f83.6080...@plouf.fr.eu.org
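Added example, not part of the list thread and not code from any of the posters: a small Python model of the three matches argued over above ('limit', 'hashlimit', 'recent'), run over constructed packet traces so the two DoS claims can be seen rather than asserted. It assumes the rule forms quoted in each function's docstring, approximates xt_limit and xt_hashlimit with an exact-arithmetic token bucket and xt_recent with an in-window hit count (ignoring kernel details such as the stamp list cap and hashlimit garbage collection), and the addresses, timings and "attacker"/"client" labels are made up for the illustration.

```python
# Added example (not from the list post): a simplified model of the iptables
# 'limit', 'hashlimit' and 'recent' matches, run over constructed packet traces
# to show which of them an attacker can turn into a denial of service.
# The token bucket and hit-count logic approximate xt_limit / xt_hashlimit /
# xt_recent; they are not the kernel code. All addresses and timings are made up.
from collections import defaultdict
from fractions import Fraction


class TokenBucket:
    """`burst` tokens, refilled at one token every `period` seconds (exact arithmetic)."""

    def __init__(self, burst, period):
        self.burst = burst
        self.period = period
        self.tokens = Fraction(burst)
        self.last = 0

    def take(self, now):
        refill = Fraction(now - self.last, self.period)
        self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def limit_match(trace, burst=3, period=60):
    """-m limit --limit 1/min --limit-burst 3 -j ACCEPT, followed by a DROP.
    A single bucket shared by every source: whoever drains it blocks everyone."""
    bucket = TokenBucket(burst, period)
    return [(t, src, origin, bucket.take(t)) for t, src, origin in trace]


def hashlimit_match(trace, burst=3, period=60):
    """-m hashlimit --hashlimit-mode srcip --hashlimit-upto 1/min --hashlimit-burst 3.
    One bucket per source address, keyed on whatever the packet claims as source."""
    buckets = defaultdict(lambda: TokenBucket(burst, period))
    return [(t, src, origin, buckets[src].take(t)) for t, src, origin in trace]


def recent_match(trace, seconds=60, hitcount=4):
    """-m recent --update --seconds 60 --hitcount 4 -j DROP, then -m recent --set -j ACCEPT.
    Dropped once the claimed source already has `hitcount` timestamps inside the
    window; every packet, accepted or dropped, records a new timestamp, so a
    victim's own retries keep extending its block."""
    stamps = defaultdict(list)
    out = []
    for t, src, origin in trace:
        hits = [s for s in stamps[src] if t - s <= seconds]
        dropped = len(hits) >= hitcount
        stamps[src] = hits + [t]
        out.append((t, src, origin, not dropped))
    return out


def client_outcomes(results):
    """Accept (True) / deny (False) decisions for packets the real client sent."""
    return [ok for _, _, origin, ok in results if origin == "client"]


# Constructed traces: (time in seconds, source address on the wire, who really sent it).
# Attacker floods from its own address, three packets then one a minute; the real
# client tries about once a minute.
FLOOD = [(0, "10.0.0.66", "attacker"), (0, "10.0.0.66", "attacker"),
         (0, "10.0.0.66", "attacker"), (5, "10.0.0.10", "client"),
         (61, "10.0.0.66", "attacker"), (65, "10.0.0.10", "client"),
         (122, "10.0.0.66", "attacker"), (125, "10.0.0.10", "client")]
# Attacker forges the client's address in four SYNs (blind spoofing, no reply needed),
# then the real client tries to connect.
SPOOFED = [(0, "10.0.0.10", "attacker"), (1, "10.0.0.10", "attacker"),
           (2, "10.0.0.10", "attacker"), (3, "10.0.0.10", "attacker"),
           (10, "10.0.0.10", "client"), (30, "10.0.0.10", "client"),
           (100, "10.0.0.10", "client")]


if __name__ == "__main__":
    for name, fn, trace in [("limit, flood", limit_match, FLOOD),
                            ("hashlimit, flood", hashlimit_match, FLOOD),
                            ("hashlimit, spoofed", hashlimit_match, SPOOFED),
                            ("recent, spoofed", recent_match, SPOOFED)]:
        print(f"{name:20s} client accepted: {client_outcomes(fn(trace))}")
```

Running it shows the shape of both complaints: with the shared 'limit' bucket, three attacker packets followed by one a minute leave the client denied on every try; 'hashlimit' in srcip mode isolates the client from a flood that comes from the attacker's own address, but four SYNs carrying the client's forged source (which the attacker never needs an answer to) drain the client's bucket, and the same four packets push the 'recent' hit count over the threshold, after which the client's own retries refresh the entry and prolong the lockout. A failed-login line in the SSH log, which is what fail2ban reacts to, only appears after a completed TCP handshake, which is why a blindly spoofed source cannot produce one.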