I'm a little confused about when to add the TARPIT trap.
iptables -N SPECIAL # add special chain for tarpit usage
*HERE*?
iptables -A SPECIAL -p tcp -j TARPIT
#
# the following string match rules screen out nimda and other crap
#
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm --string "/default.ida?" -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm --string ".exe?/c+dir" -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm --string ".exe?/c+tftp" -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm --string "cmd.exe" -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm --string "vti_bin" -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm --string "nsiislog.dll" -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm --string "click-network.com" -j SPECIAL
*OR HERE?*
iptables -A SPECIAL -p tcp -j TARPIT
I'm looking at all these string rules and trying to imagine how your
CPU usage will get high, as it seems you have a not-very-low-traffic
network ... nobody with a /21 network will have low traffic,
especially tcp/80 traffic !!!!
I haven't used string for a while now. In fact I have never used it
since I moved to the 2.6 kernel. I know it has been ported recently, but I
have never used it yet. But I remember ... it's not that long ago ...
the 2.4 kernel time ... all the headaches of CPU usage getting to
astronomic levels because of 20-30 string rules on a busy network ...
I will never forget that ... :)
Take it easy with the string module, that's my advice ...
--
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email to it
gertrudes@xxxxxxxxxxxxxx
My SPAMTRAP, do not email it
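An added example, written for this thread rather than taken from either poster: it scripts the ruleset above in the one order iptables actually enforces (the SPECIAL chain must exist before any rule jumps to it; what SPECIAL contains is evaluated per packet, so the TARPIT rule can be appended before or after the INPUT rules and both *HERE* positions are valid) and applies the reply's CPU advice by bounding each string match with `--to`. It assumes the TARPIT target is available (xtables-addons), that the public interface is eth0, and the names IPT, SCAN_LIMIT, WORM_STRINGS and build_tarpit_rules are mine; the 256-byte scan window and the LOG rule are my additions.

```shell
#!/bin/sh
# Added example, not the poster's script: builds the SPECIAL/TARPIT chain from
# the thread in the one order that matters, and bounds each string match so a
# stack of them stays cheap on a busy network. Assumes the TARPIT target is
# loaded (xtables-addons) and the public interface is eth0. Set IPT=echo to
# preview the commands without root.
IPT=${IPT:-iptables}

# Constructed copy of the patterns the poster matches, one per line.
WORM_STRINGS='/default.ida?
.exe?/c+dir
.exe?/c+tftp
cmd.exe
vti_bin
nsiislog.dll
click-network.com'

# Bytes of each packet the string match may scan (counted from the start of
# the IP header). 256 is an assumption that covers the HTTP request line.
SCAN_LIMIT=${SCAN_LIMIT:-256}

build_tarpit_rules() {
    # 1. The user chain must exist before any rule may jump to it;
    #    iptables refuses -j SPECIAL otherwise.
    "$IPT" -N SPECIAL || return 1
    # 2. What SPECIAL does may be filled in now or after the INPUT rules:
    #    chain contents are evaluated per packet, not when the -j rule is
    #    added, so both positions in the thread are valid. Log a sample of
    #    hits first so the tarpit is visible in syslog, then tarpit.
    "$IPT" -A SPECIAL -p tcp -m limit --limit 5/min -j LOG \
        --log-prefix "tarpit hit: " || return 1
    "$IPT" -A SPECIAL -p tcp -j TARPIT || return 1
    # 3. One string rule per pattern, scanning only the first SCAN_LIMIT
    #    bytes of each packet instead of the whole thing.
    printf '%s\n' "$WORM_STRINGS" | while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        "$IPT" -A INPUT -i eth0 -p tcp --dport 80 \
            -m string --algo bm --to "$SCAN_LIMIT" --string "$pat" \
            -j SPECIAL || exit 1
    done
}

# Apply as root:  sh tarpit.sh apply     Preview:  IPT=echo sh tarpit.sh apply
if [ "${1:-}" = apply ]; then build_tarpit_rules; fi
```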