On 2012/05/04 15:42, Reindl Harald wrote:
Am 05.05.2012 00:31, schrieb jdow:
with 75 instead of 100 evebn a "ab -c 4 -n 1000" is completly
broken from outside the own network because "apache benchmark"
thinks the host is dead after 83 connections and stops due too
many errors - well, i guess exactly that is the problem for
Nessus/OpenVAS and such software from outside now
they triggered it all time before with portscans but only
not notice
What happens with something like this (PDL sorta kinda)?
while( 1 )
{
"ab -c 4 -n 50"
Sleep( 2 )
}
I don't know nessus. I am guessing that "-n 1000" part means 1000 trials
and it's running as fast as it can go. The idea is to test up to your
DDOS limit, wait 2 seconds, repeat. Can the test be hacked to keep your
system at its limit but not over its limit?
no idea, evenif it would not help becasue a company
only doing certified secsancs will never change them
especially if your customer is their customer....
but i found a solution!
with "--remove" you can remove the given IP from the iptables-list
before the REJECT action is triggered and this way add as much
networks / addresses you need
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --set
$IPTABLES -I INPUT -p tcp -i eth0 -s $SECURITY_SCAN -m state --state NEW -m recent --remove
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update --seconds 1 --hitcount 75
-j REJECT --reject-with tcp-reset
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update --seconds 1 --hitcount 75
-m limit --limit 60/h -j LOG --log-prefix "Rate-Control: "
As long as that does not break other iptables based protections it's a
good enough solution. I presume you did audit the iptables setup for that
possibility.
Good luck with it.
(As an aside the scan company should learn to adapt as more and more
customers learn this trick and deploy it.)
{^_^}
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org