[Fedora] Re: Blocking SSH ... BUT...
Rick Stevens
rstevens at internap.com
Wed Sep 19 00:09:31 UTC 2007
On Wed, 2007-09-19 at 02:22 +0300, kalinix wrote:
> On Tue, 2007-09-18 at 12:09 -0700, Mike Wright wrote:
> > Ashley M. Kirchner wrote:
> > > Mike Wright wrote:
> > >
> > >> Allow your subnets before the above rules. Here's a sample rule:
> > >>
> > >> -A INPUT -s 10.0.0.0/24 -p tcp --dport 22 --syn -j ACCEPT
> > >> # subnet ^^^^^^^^^^^
> > >>
> > >> You'd need one rule for each subnet.
> > >>
> > >> hth
> > >
> > >
> > > Awesome Mike, that worked like a charm. Thanks!
> >
> > Very welcome.
> > >
> > > Somewhat related question: would the same rules work for ftp attacks
> > > as well? Obviously replacing the port number with 21, but would they
> > > work? Duplicate the lines, replace port and hope that ftp also gets
> > > curbed the same way?
> > >
> >
> > I think so. I know that there are connection tracking issues with ftp
> > but I don't think that applies here. Each connection starts with an
> > initial NEW packet.
The initial control session is easy to monitor using the same kind of
ruleset used for port 22, but specifying port 21:
# Every new control-connection SYN is recorded in the "ftpattack" list...
-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --set
# ...and a second SYN from the same source within 120 seconds is logged and reset
-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --rcheck --seconds 120 --hitcount 2 -j LOG --log-prefix "FTP REJECT: "
-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --rcheck --seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset
If the attacker can't get a control connection, s/he can't get a data
connection.
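As an added illustration, not code from Rick's post or anyone else in the thread: the Python below models the decision the two "recent" rules above make on each inbound SYN, with the subnet allow rule quoted earlier in the thread in front of them, so that the second SYN from one source inside 120 seconds is the one that gets logged and reset while allowed-subnet hosts never enter the list. The RecentTable class is an approximation of the kernel's xt_recent list, and the addresses and timestamps are constructed sample data.

```python
# Added example (not code from the mailing-list post): a model of how the
# iptables "recent" match above (--set, then --rcheck --seconds 120
# --hitcount 2) judges each inbound SYN, with the subnet allow rule in front.
# Addresses/timestamps are constructed; RecentTable approximates xt_recent.
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

ALLOWED_SUBNETS = [ip_network("10.0.0.0/24")]  # "-s 10.0.0.0/24 ... -j ACCEPT"
SECONDS, HITCOUNT = 120, 2                      # --seconds 120 --hitcount 2
MAX_STAMPS = 20                                 # xt_recent default ip_pkt_list_tot

class RecentTable:
    """One named list ("ftpattack"): per-source packet timestamps, newest first."""
    def __init__(self):
        self.stamps = defaultdict(deque)

    def set(self, src, now):
        # --set: add/refresh the source and record this packet's time.
        d = self.stamps[src]
        d.appendleft(now)
        while len(d) > MAX_STAMPS:
            d.pop()

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck --seconds N --hitcount M: match only if the source is listed
        # and at least M packets from it were seen within the last N seconds.
        # --rcheck does not touch the entry, so LOG and REJECT see the same count.
        if src not in self.stamps:
            return False
        return sum(1 for t in self.stamps[src] if now - t <= seconds) >= hitcount

def decide(table, src, now):
    """Walk the rules in order for one SYN and return the verdict."""
    if any(ip_address(src) in net for net in ALLOWED_SUBNETS):
        return "ACCEPT"     # allow rule first: these hosts never enter the list
    table.set(src, now)     # the --set rule counts this SYN before the check
    if table.rcheck(src, now, SECONDS, HITCOUNT):
        return "REJECT"     # LOG fires here too; REJECT answers with a tcp-reset
    return "ACCEPT"         # first SYN inside the window falls through

def simulate(syns):
    """syns: list of (seconds_since_start, source_ip); returns a verdict per SYN."""
    table = RecentTable()
    return [decide(table, src, t) for t, src in syns]

# Constructed sample: an outside host retrying quickly, one host on the allowed subnet.
SAMPLE_SYNS = [(0, "203.0.113.7"), (5, "203.0.113.7"), (10, "10.0.0.5"),
               (12, "10.0.0.5"), (130, "203.0.113.7"), (131, "203.0.113.7")]
```

Note that a legitimate client reconnecting twice within the window is treated the same way as the retrying host, which is why the allow rule for your own subnets has to come first.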
Now, if you want to firewall your FTP data connections, you need to use
connection tracking:
# These rules allow active FTP sessions (the remote server's data port 20 is
# the far end, so this is the view from the FTP client)...
-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# These rules allow passive FTP sessions (data connection between two
# unprivileged ports)...
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens at internap.com -
- CDN Systems, Internap, Inc. http://www.internap.com -
- -
- If at first you don't succeed, quit. No sense being a damned fool! -
----------------------------------------------------------------------