Re: iptables recent / more than one exception

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


Am 04.05.2012 03:10, schrieb jdow:
> On 2012/05/03 10:57, Reindl Harald wrote:
>>
>> Am 03.05.2012 19:46, schrieb Paul W. Frields:
>>> On Thu, May 03, 2012 at 04:21:20PM +0200, Reindl Harald wrote:
>>>> iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --set
>>>> iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --update --seconds 1
>>>> --hitcount  75 -j REJECT --reject-with tcp-reset
>>>
>>> Even when you use comma-separated addresses (allowed when not using
>>> the '!' operator), iptables actually creates separate rules in
>>> response to the command.  I believe that's what you need to do in this
>>> situation
>>
>> in theory yes
>> but practically the reject of this rule would be triggered
>>
>> a secuity auditor from a customer is whining the he no longer
>> can make security-scans 
> 
> Ah, wait a minute. If he cannot make security scans neither can
> anybody else. So defacto his job is finished.

this is the naive view :-)

the reality in business-to-business relationships is that
such scans are done with standard software like Nessus
and if this stops the job is not done - if you are
speaking about a big customer with a policy which requires
sec-audits yu can not say "it is done"

a real attacker does not need nessus

he plays around with params manually to find sql-injections
and so on without triggering any rate-control and maybe
even bypassing mod_security or whatever application fierwall

> For any exception you place into the rules to allow him to scan you must
> think VERY carefully what it's effects will be. You might accidentally
> open up the internal network to him leading to a false positive detection
> from his security scan.

i know this, that is the reason why i like to exclude him only
from the rate-control as also done with mod_security

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux