Re: Follow-up on Adaptive Firewalling w/Swatch

On Thu, 17 Aug 2006 11:13:32 -0400, David Cary Hart wrote:

> Coincidentally, last night, at about 17:00 we suffered an intensive
> DDoS via CGI. The unique client count is now over 3,000. Fortunately I
> was running a tail at the time and noticed it pretty quickly which
> allowed me to restore order relatively quickly.
> 
> I brought up another instance of swatch on for the access_log which
> has been watching for the DoS pattern. On hits, it passes the IP of
> the attacker to a script that adds firewall rules.
> 
> The initialization looks like:
> 
> /usr/bin/swatch --use-cpan-file-tail --config-file=/etc/swatch2.conf \
> --daemon --awk-field-syntax --tail-file=/var/log/httpd/access_log
> 
> The conf file looks like:
> 
> watchfor        /RegEx Pattern of Exploit/i
>         exec "/usr/local/bin/ipt-ddos $1"
> 
> 
> 

And your point is?

I'm not saying dynamic firewalls do not do their jobs. Of course
they do.

I'm saying that you have to be careful with them, because they
can do more than intended.

Let alone the fact that by inserting a firewall rule each time
someone knocks on your door, you'll end up with a mile long
firewall. Do you think that list will ever be long enough?

Otherwise, would you care to post the IP address of your host
machine (server), and the IP address of a remote client that MUST
have legitimate access to your server? So that anybody here can
simulate an attack from your legit client to your server, and
have your beloved swatch happily ban the client (which was "framed")
for some 3 hours.

The better way is to build a minimal firewall that drops
EVERYTHING by default, then punch holes in it ONLY for the
machines/domains that are supposed to connect to your host.
(Although even this policy is not foolproof: any of the legit
clients could be compromised).



-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
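The two objections above (a "framed" legitimate client getting banned, and a firewall that grows by one rule per hit) are both things the script behind `exec "/usr/local/bin/ipt-ddos $1"` can guard against. The helper below is an added example written for this archive page; it is not David Cary Hart's ipt-ddos script and nothing in the thread shows what that script does. It assumes ipset and iptables are installed, and the set name `ddos_ban`, the `ALLOWLIST` variable and the `DRY_RUN` switch are illustrative choices, not anything from the original posts. It refuses anything that is not a well-formed IPv4 address (swatch hands it whatever the regex captured from a log line the attacker wrote), skips addresses on an allowlist of hosts that must keep access, and puts bans into a single ipset with a 3-hour timeout behind one iptables rule, so entries expire on their own instead of accumulating.

```shell
#!/bin/sh
# Added example (not the thread's ipt-ddos script): ban helper for a swatch
# "exec" action that validates its input, honours an allowlist and uses one
# expiring ipset instead of one iptables rule per address.

BAN_SET="${BAN_SET:-ddos_ban}"   # ipset name (assumption)
BAN_TTL="${BAN_TTL:-10800}"      # seconds; 3 hours, the ban length named in the thread
ALLOWLIST="${ALLOWLIST:-}"       # space-separated IPs or CIDRs that must never be banned;
                                 # a real deployment would read these from a file
DRY_RUN="${DRY_RUN:-0}"          # 1 = print the ipset/iptables commands instead of running them

# is_ipv4 ADDR: succeed only for a well-formed dotted-quad IPv4 address.
# The value comes straight from an attacker-influenced log line, so it is
# checked before it gets anywhere near a command line.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    _saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_saved_ifs
    [ "$#" -eq 4 ] || return 1
    for _oct in "$@"; do
        [ -n "$_oct" ] && [ "$_oct" -le 255 ] || return 1
    done
    return 0
}

# ip_to_int ADDR: dotted quad to a 32-bit integer (ADDR already validated).
ip_to_int() {
    _saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET[/PREFIX]: succeed if ADDR lies inside NET; a bare address is /32.
in_cidr() {
    _net=${2%/*}
    _plen=${2#*/}
    if [ "$_plen" = "$2" ]; then _plen=32; fi
    is_ipv4 "$_net" || return 1
    case "$_plen" in *[!0-9]*|"") return 1 ;; esac
    [ "$_plen" -le 32 ] || return 1
    _mask=$(( (4294967295 << (32 - $_plen)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & $_mask )) -eq $(( $(ip_to_int "$_net") & $_mask )) ]
}

# is_allowlisted ADDR: succeed if ADDR matches any ALLOWLIST entry.
is_allowlisted() {
    for _entry in $ALLOWLIST; do
        in_cidr "$1" "$_entry" && return 0
    done
    return 1
}

# run CMD...: execute CMD, or just echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# ban_ip ADDR: 0 = ban recorded, 2 = malformed address, 3 = allowlisted (skipped).
ban_ip() {
    if ! is_ipv4 "$1"; then
        echo "ipt-ddos: refusing malformed address '$1'" >&2
        return 2
    fi
    if is_allowlisted "$1"; then
        # A hit from a host we depend on is more likely a spoofed or "framed"
        # request than a real attacker; log it for a human instead of banning.
        echo "ipt-ddos: $1 is allowlisted, not banning (possible framed client)" >&2
        return 3
    fi
    # One set and one rule, both created idempotently; the address itself
    # carries a TTL so the set never turns into a mile-long list.
    run ipset create "$BAN_SET" hash:ip timeout "$BAN_TTL" -exist
    if [ "$DRY_RUN" = "1" ] || ! iptables -C INPUT -m set --match-set "$BAN_SET" src -j DROP 2>/dev/null; then
        run iptables -I INPUT -m set --match-set "$BAN_SET" src -j DROP
    fi
    run ipset add "$BAN_SET" "$1" timeout "$BAN_TTL" -exist
}

# Invoked from swatch as "ipt-ddos <addr>": ban that address and exit.
if [ "$#" -gt 0 ]; then
    ban_ip "$1"
    exit $?
fi
```

Run it as `DRY_RUN=1 ALLOWLIST="192.0.2.0/24 198.51.100.10" ./ipt-ddos 203.0.113.7` to see the commands it would issue without touching the firewall; the exit code tells swatch's log which path was taken. The allowlist is exactly the "punch holes only for the machines that are supposed to connect" idea from the reply applied in reverse: whoever is on it can be rate-limited or investigated, but never cut off by an automated rule.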