On 08.07.2013 17:13, Michael Cronenworth wrote:
> On 07/08/2013 10:01 AM, Tim wrote:
>> And I'd certainly avoid putting anything exploitable, ever, on port
>> 23456. Maybe that was just a made up example by the original poster,
>> but consecutive numbers like that, and other common number sequences,
>> are just the sort of thing that wannabe hackers are going to type in to
>> play with.
>
> Since there are only 65,535 ports to scan, anyone at any time can easily
> scan for an open port in seconds.

Not on properly configured servers where you have rate controls. Additionally to the settings below, you have on any of my machines rules which are catching connections on unused default ports and directly before open ones, resulting in a REJECT for the next 2 seconds on every port with your IP. Have fun doing a port scan. Hence I have seen security scans on some of my machines where the report of a 3rd party auditor said the server is a "Sony Playstation" - honestly!

iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m recent --set
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m recent --update --seconds 2 --hitcount 150 -j DROP
iptables -A INPUT -p tcp -m multiport --destination-port 80 --syn -m connlimit --connlimit-above 60 -j DROP
Attachment: signature.asc (OpenPGP digital signature)
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
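The behaviour of the two `-m recent` rules in the message above, plus the trap-port REJECT the poster describes in prose, modelled in Python as an added example (not the poster's own rules or any Fedora code). It models only the per-source timestamp logic of xt_recent, not the connlimit rule; the addresses, ports and traffic are constructed, and the model assumes the `-I` ordering puts the `--update ... -j DROP` check ahead of `--set`.

```python
"""Model of the rate-control rules from the post (added illustration, not the
poster's own code).  It mimics xt_recent as the two '-m recent' rules use it
(per-source timestamps of NEW TCP connections; a source with >= --hitcount
entries inside the --seconds window is dropped) and the trap the prose
describes (a source touching an unused port is rejected everywhere for two
seconds).  Both -I rules land at the top, so the --update/DROP check runs
before the --set rule.  Addresses and trap ports below are constructed."""
from collections import defaultdict, deque


class RateControl:
    def __init__(self, hitcount=150, window=2.0, trap_ports=frozenset(),
                 trap_seconds=2.0):
        self.hitcount, self.window = hitcount, window
        self.trap_ports, self.trap_seconds = trap_ports, trap_seconds
        self.hits = defaultdict(deque)   # src -> timestamps of NEW connections
        self.trapped = {}                # src -> time it last hit a trap port

    def verdict(self, ts, src, dport):
        """Verdict for one NEW TCP connection: 'ACCEPT', 'DROP' or 'REJECT'."""
        # Trap rule: a recently trapped source is rejected on any port.
        if ts - self.trapped.get(src, float('-inf')) < self.trap_seconds:
            return 'REJECT'
        if dport in self.trap_ports:
            self.trapped[src] = ts
            return 'REJECT'
        # '-m recent --update --seconds W --hitcount N -j DROP': count this
        # source's hits that are still inside the window; N or more => DROP.
        stamps = self.hits[src]
        while stamps and ts - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.hitcount:
            stamps.append(ts)             # --update also refreshes the entry
            return 'DROP'
        stamps.append(ts)                 # '-m recent --set' records the hit
        return 'ACCEPT'


def simulate(events, **kwargs):
    """Feed (ts, src, dport) NEW connections in order; return the verdicts."""
    fw = RateControl(**kwargs)
    return [fw.verdict(ts, src, dport) for ts, src, dport in events]


if __name__ == '__main__':
    # Constructed burst: 200 connection attempts from one address within 1 s.
    burst = [(i * 0.005, '198.51.100.7', 1000 + i) for i in range(200)]
    print(simulate(burst).count('DROP'))  # → 50 (attempts 151-200 are dropped)
```

Because the DROP rule's `--update` keeps refreshing the entry, a source that keeps probing while blocked extends its own block; only going quiet for the window length clears it.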