On 05.05.2012 00:31, jdow wrote:
>> with 75 instead of 100 even a "ab -c 4 -n 1000" is completely
>> broken from outside the own network because "apache benchmark"
>> thinks the host is dead after 83 connections and stops due to too
>> many errors - well, I guess exactly that is the problem for
>> Nessus/OpenVAS and such software from outside now
>>
>> they triggered it all the time before with portscans but I only
>> did not notice
>
> What happens with something like this (PDL sorta kinda)?
>
> while( 1 )
> {
>     "ab -c 4 -n 50"
>     Sleep( 2 )
> }
>
> I don't know nessus. I am guessing that "-n 1000" part means 1000 trials
> and it's running as fast as it can go. The idea is to test up to your
> DDOS limit, wait 2 seconds, repeat. Can the test be hacked to keep your
> system at its limit but not over its limit?

no idea, even if it would not help because a company only doing
certified security scans will never change them, especially if your
customer is their customer....

but I found a solution!

with "--remove" you can remove the given IP from the iptables list
before the REJECT action is triggered, and this way add as many
networks / addresses as you need

# all four rules are inserted with -I (at the top of INPUT), so the
# rule given last here is the one evaluated first

# record every NEW TCP connection from outside the LAN in the recent list
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --set

# drop the security scanner from the list again, so it never reaches the hitcount
$IPTABLES -I INPUT -p tcp -i eth0 -s $SECURITY_SCAN -m state --state NEW -m recent --remove

# more than 75 NEW connections within 1 second from one source: reset the connection
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update --seconds 1 --hitcount 75 -j REJECT --reject-with tcp-reset

# same condition, logged at most 60 times per hour
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update --seconds 1 --hitcount 75 -m limit --limit 60/h -j LOG --log-prefix "Rate-Control: "
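The following is an added example, not code from the mail: a simplified Python model of how the four rules above behave, with constructed values for $LAN_RANGE and $SECURITY_SCAN and without the -m limit on the LOG rule. It shows why the -I insertion order and the position of the --remove rule matter: an external burst is reset after 75 new connections in one second, while the scanner and LAN hosts are never counted past one hit. The model treats --update as a pure hitcount check and keeps unbounded per-source timestamps, which is enough for this ruleset but is not a full reimplementation of xt_recent.

```python
"""Simplified model of the four iptables 'recent' rules from the mail above."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN_RANGE = ip_network("192.168.0.0/24")    # constructed stand-ins for the
SECURITY_SCAN = ip_address("203.0.113.10")  # $LAN_RANGE / $SECURITY_SCAN vars
SECONDS, HITCOUNT = 1.0, 75                 # --seconds 1 --hitcount 75


class RecentList:
    """Per-source hit timestamps: the state behind -m recent (unbounded here)."""
    def __init__(self):
        self.stamps = defaultdict(list)
    def set(self, src, now):           # --set: record one hit, always matches
        self.stamps[src].append(now)
    def remove(self, src):             # --remove: forget the source entirely
        self.stamps.pop(src, None)
    def update_hits(self, src, now):   # --update --seconds N --hitcount M
        if src not in self.stamps:
            return False
        return sum(now - t <= SECONDS for t in self.stamps[src]) >= HITCOUNT


def new_connection(table, src, now):
    """Run one NEW TCP connection through the chain; return (verdict, logged)."""
    # Each rule was added with -I, which inserts at the top of INPUT, so the
    # rule that appears last in the mail is the one evaluated first.
    src = ip_address(src)
    external = src not in LAN_RANGE
    logged = external and table.update_hits(src, now)   # rule 4: LOG (-m limit omitted)
    if external and table.update_hits(src, now):        # rule 3: REJECT tcp-reset
        return "REJECT", logged
    if src == SECURITY_SCAN:                            # rule 2: --remove runs before
        table.remove(src)                               #   --set, so scanner keeps <=1 hit
    if external:                                        # rule 1: --set for non-LAN sources
        table.set(src, now)
    return "PASS", logged               # falls through to the rest of INPUT


def simulate(src, count, interval=0.005):
    """Open `count` connections from src, `interval` s apart -> (passed, rejected)."""
    table = RecentList()
    verdicts = [new_connection(table, src, i * interval)[0] for i in range(count)]
    return verdicts.count("PASS"), verdicts.count("REJECT")


if __name__ == "__main__":      # 100 connections in 0.5 s from one external host
    print(simulate("198.51.100.7", 100), simulate("203.0.113.10", 100))  # (75, 25) (100, 0)
```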
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org