* Eric Marchionni (mailing-lists@xxxxxx) wrote:
> as far as i understand this will result in a slowed-down scan.
> if somehow possible i'd like to abort the scan altogether, like
> denying any connection from the attacker's ip for about 1 minute
> or so...
> (i know it's dangerous if someone begins spoofing google-ip or
> my dns-server-ip with a cronjob, but this would only affect the
> web-server...)
>
> else i'll use iplimit ;-D

Use iplimit with ipt_recent and you can achieve exactly that. Or just use
ipt_recent if you can come up with a rule to identify the attacker w/o
using iplimit. To use ipt_recent you do:

  # Bad guy in the list with activity less than 60 seconds ago..
  iptables -A FORWARD -m recent --rcheck --seconds 60 --name badguy -j DROP

  # Check for bad guy, go to BADCHAIN if found..
  iptables -A FORWARD -m limit --etcetc -j BADCHAIN

  # Bad guy detected! Add his IP to the badguy list!
  iptables -A BADCHAIN -m recent --set --name badguy -j DROP    # Add IP to list

The ipt_recent module homepage is http://snowman.net/projects/ipt_recent/
A pretty recent version (0.3.0) is also in netfilter CVS. ipt_recent 0.3.1
is out and I expect it will be in netfilter CVS soon. The primary fix in
0.3.1 is TTL handling.

Stephen
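To make the rule ordering in Stephen's ruleset concrete, here is an added example (not code from the original post, and not part of ipt_recent itself) that models the three rules in Python: the badguy list with --set and --rcheck --seconds 60 semantics, the FORWARD chain walked top to bottom, and BADCHAIN adding the source address before dropping. The post leaves the detection rule as "-m limit --etcetc", so the BurstDetector below is a stand-in assumption (more than 5 packets from one source within 10 seconds); the traffic fed through it is constructed sample data, not a capture.

```python
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 60  # the "--seconds 60" in the FORWARD rule from the post


class RecentList:
    """Minimal model of one ipt_recent list: source IP -> last-seen timestamp."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: Dict[str, float] = {}

    def set(self, ip: str, now: float) -> None:
        """--set: add the address to the list, or refresh its timestamp."""
        self.entries[ip] = now

    def rcheck(self, ip: str, now: float, seconds: Optional[float] = None) -> bool:
        """--rcheck [--seconds N]: match if listed (and seen within N seconds).
        Unlike --update, this never touches the stored timestamp."""
        last = self.entries.get(ip)
        if last is None:
            return False
        return seconds is None or (now - last) <= seconds


class BurstDetector:
    """Stand-in for the post's '-m limit --etcetc' detection rule (assumption:
    the actual rule is not given). Flags a source that sends more than
    `limit` packets within `span` seconds."""

    def __init__(self, limit: int = 5, span: float = 10.0) -> None:
        self.limit, self.span = limit, span
        self.seen: Dict[str, List[float]] = {}

    def is_bad(self, ip: str, now: float) -> bool:
        stamps = [t for t in self.seen.get(ip, []) if now - t <= self.span]
        stamps.append(now)
        self.seen[ip] = stamps
        return len(stamps) > self.limit


class Firewall:
    """The FORWARD chain and BADCHAIN from the post, in rule order."""

    def __init__(self, detector: BurstDetector, window: float = WINDOW_SECONDS) -> None:
        self.badguy = RecentList("badguy")
        self.detector = detector
        self.window = window

    def forward(self, ip: str, now: float) -> str:
        # iptables -A FORWARD -m recent --rcheck --seconds 60 --name badguy -j DROP
        if self.badguy.rcheck(ip, now, self.window):
            return "DROP"
        # iptables -A FORWARD -m limit --etcetc -j BADCHAIN  (stand-in predicate)
        if self.detector.is_bad(ip, now):
            # iptables -A BADCHAIN -m recent --set --name badguy -j DROP
            self.badguy.set(ip, now)
            return "DROP"
        return "ACCEPT"


def simulate(events: List[Tuple[float, str]]) -> List[Tuple[float, str, str]]:
    """Feed (timestamp, source IP) packets through the chain; return verdicts."""
    fw = Firewall(BurstDetector())
    return [(t, ip, fw.forward(ip, t)) for t, ip in events]


# Constructed sample traffic: a scanner at 203.0.113.7 sending once a second,
# and one ordinary client at 192.0.2.10.
SAMPLE_EVENTS: List[Tuple[float, str]] = [
    (0, "203.0.113.7"), (1, "203.0.113.7"), (2, "203.0.113.7"), (3, "192.0.2.10"),
    (3, "203.0.113.7"), (4, "203.0.113.7"), (5, "203.0.113.7"), (6, "203.0.113.7"),
    (30, "203.0.113.7"), (64, "203.0.113.7"), (66, "203.0.113.7"),
]

if __name__ == "__main__":
    for t, ip, verdict in simulate(SAMPLE_EVENTS):
        print(f"t={t:3} {ip:13} {verdict}")
```

Running it shows the scanner being accepted until the sixth packet at t=5, dropped by the first rule for the following 60 seconds, and accepted again at t=66 because --rcheck does not refresh the timestamp. Swapping --rcheck for --update in the first rule would make every dropped packet extend the block, which is the behaviour to choose if the goal is to keep a persistent scanner out for as long as it keeps trying.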