Re: [Fedora] Re: Blocking SSH ... BUT...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, 2007-09-19 at 02:22 +0300, kalinix wrote:
> On Tue, 2007-09-18 at 12:09 -0700, Mike Wright wrote:
> > Ashley M. Kirchner wrote:
> > > Mike Wright wrote:
> > > 
> > >> Allow your subnets before the above rules.  Here's a sample rule:
> > >>
> > >> -A INPUT -s 10.0.0.0/24 -p tcp --dport 22 --syn -j ACCEPT
> > >> # subnet    ^^^^^^^^^^^
> > >>
> > >> You'd need one rule for each subnet.
> > >>
> > >> hth
> > > 
> > > 
> > >    Awesome Mike, that worked like a charm.  Thanks!
> > 
> > Very welcome.
> > > 
> > >    Somewhat related question: would the same rules work for ftp attacks 
> > > as well?  Obviously replacing the port number with 21, but would they 
> > > work?  Duplicate the lines, replace port and hope that ftp also gets 
> > > curbed the same way?
> > > 
> > 
> > I think so.  I know that there are connection tracking issues with ftp 
> > but I don't think that applies here.  Each connection starts with an 
> > initial NEW packet.

The initial control session is easy to monitor using the same kind of
ruleset used for port 22, but specifying port 21:

-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --set
-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --rcheck
--seconds 120 --hitcount 2 -j LOG --log-prefix "FTP REJECT: "
-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --rcheck
--seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset

If the attacker can't get a control connection, s/he can't get a data
connection.

Now, if you want to firewall your FTP data connections, you need to use
connection tracking:

# These rules allow active FTP sessions...
-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j
ACCEPT
-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# These rules allow passive FTP sessions...
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED
-j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state
ESTABLISHED,RELATED -j ACCEPT

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
- If at first you don't succeed, quit. No sense being a damned fool! -
----------------------------------------------------------------------

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux