[Fedora] Re: Blocking SSH ... BUT...

Rick Stevens rstevens at internap.com
Wed Sep 19 00:09:31 UTC 2007 

On Wed, 2007-09-19 at 02:22 +0300, kalinix wrote:
> On Tue, 2007-09-18 at 12:09 -0700, Mike Wright wrote:
> > Ashley M. Kirchner wrote:
> > > Mike Wright wrote:
> > > 
> > >> Allow your subnets before the above rules.  Here's a sample rule:
> > >>
> > >> -A INPUT -s 10.0.0.0/24 -p tcp --dport 22 --syn -j ACCEPT
> > >> # subnet    ^^^^^^^^^^^
> > >>
> > >> You'd need one rule for each subnet.
> > >>
> > >> hth
> > > 
> > > 
> > >    Awesome Mike, that worked like a charm.  Thanks!
> > 
> > Very welcome.
> > > 
> > >    Somewhat related question: would the same rules work for ftp attacks 
> > > as well?  Obviously replacing the port number with 21, but would they 
> > > work?  Duplicate the lines, replace port and hope that ftp also gets 
> > > curbed the same way?
> > > 
> > 
> > I think so.  I know that there are connection tracking issues with ftp 
> > but I don't think that applies here.  Each connection starts with an 
> > initial NEW packet.

The initial control session is easy to monitor using the same kind of
ruleset used for port 22, but specifying port 21:

-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --set
-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --rcheck
--seconds 120 --hitcount 2 -j LOG --log-prefix "FTP REJECT: "
-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --rcheck
--seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset

If the attacker can't get a control connection, s/he can't get a data
connection.

Now, if you want to firewall your FTP data connections, you need to use
connection tracking:

# These rules allow active FTP sessions...
-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j
ACCEPT
-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# These rules allow passive FTP sessions...
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED
-j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state
ESTABLISHED,RELATED -j ACCEPT

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens at internap.com -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
- If at first you don't succeed, quit. No sense being a damned fool! -
----------------------------------------------------------------------

More information about the fedora-list mailing list