Re: Apache vulnerability?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/1/2011 5:42 PM, Alex wrote:
> Hi,
>
>> Thanks. If you bear with a couple "hopefully-not-too-naive" questions ...
>>
>> I seems to me that you are saying the actions you wish to stop are from
>> "s<offending_ip>" using "-p tcp" ... why the need to specify the
>> destination of "-d<my_ip>" (since if this iptables rule is called, it
>> must have reached me regardless of my_ip) and "--dport 80" (would there
>> be any destination port that I would allow such action from this
>> offending_ip to occur on?).
> Yes, that's correct. You don't need to include the destination if you
> only have one IP address on that host.
>
>> I am seeing in the default F14 iptables:
>>
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
>>
>> This looks to me like tcp on dport 22 is allowed and there I would think
>> that the minimal change would be to insert a rule before this which says
>> "anything from offending_ip via tcp should be rejected".
>>
>> I'm still trying to get comfortable with iptables and, even though there
>> is alot of stuff out there, I'm still working to get the necessary
>> critical mass of understanding so it all falls into place. This thread
>> looked like a good chance to see if I'm closer to understanding.
> Yes, that's a good approach too. If you are editing the existing
> iptables config script from /etc/sysconfig/iptables, then that's
> exactly what you would do. Something like this should work:
>
> # Firewall configuration written by system-config-firewall
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j DROP -s
> <offending_ip/range>
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>
> the "<offending_ip/range>" might be something like 1.2.3.0/24 to block
> the entire 256 addresses on that network.
>
> HTH,
> Alex

Alex:

Thanks ... it does help to get a confirm that my understanding your 
example is at least in the general right direction.

Just to check to make sure I got the last bit of info right ...

In your particular example of what appears to be China Telecom, are you 
assuming that they are using the ip 1.2.3.0/24 and that translates to 
1.2.3.[0-255]?

I have a LAN which assumes router connecting to outside world is 
192.168.1.1 and my network is 192.168.2.* (wireless only engaged when 
necessary for both 192.168.1.1 and one Linksys at 192.168.2.2). To me, 
this means that I "only have one IP address on that host" per your 
email. If I am correct, I don't need to worry about a generalized 
192.168.2.0/24 rule on each machine to prevent something I don't know about.

The addition of 25, 80, and 443 ports are your suggestions for what to 
allow as opposed to manditories (everything is working nicely on my 
system with the default and the only other port access I need to do is 
in sendmail.mc).

Thanks,
Paul
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux