Re: Follow-up on Adaptive Firewalling w/Swatch

On Thu, 17 Aug 2006 11:13:32 -0400, David Cary Hart wrote:

> Coincidentally, last night, at about 17:00 we suffered an intensive
> DDoS via CGI. The unique client count is now over 3,000. Fortunately I
> was running a tail at the time and noticed it pretty quickly which
> allowed me to restore order relatively quickly.
> 
> I brought up another instance of swatch on for the access_log which
> has been watching for the DoS pattern. On hits, it passes the IP of
> the attacker to a script that adds firewall rules.
> 
> The initialization looks like:
> 
> /usr/bin/swatch --use-cpan-file-tail --config-file=/etc/swatch2.conf \
> --daemon --awk-field-syntax --tail-file=/var/log/httpd/access_log
> 
> The conf file looks like:
> 
> watchfor        /RegEx Pattern of Exploit/i
>         exec "/usr/local/bin/ipt-ddos $1"
> 

And your point is?

I'm not saying dynamic firewalls do not do their jobs. Of course
they do. 

I'm saying that you have to be careful with them, because they 
can do more than intended. 

Let alone the fact that by inserting a firewall rule each time
someone knocks on your door, you'll end up with a mile long
firewall. Do you think that list will ever be long enough?

Otherwise, would you care to post the IP address of your host
machine (server), and the IP address of a remote client that MUST 
have legitimate access to your server? So that anybody here can
simulate an attack from your legit client to your server, and
have your beloved swatch happily ban the client (which was "framed")
for some 3 hours.

The better way is to build a minimal firewall that drops 
EVERYTHING by default, then punch holes in it ONLY for the
machines/domains that are supposed to connect to your host.
(Although even this policy is not foolproof: any of the legit
clients could be compromised).
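Added example, not part of this thread and not either poster's setup: a hypothetical replacement for the `ipt-ddos` helper quoted above (swatch invokes it with the client address as its only argument), written to address the two concerns raised in this reply. It refuses to ban any address on an allowlist, so a request that frames a legitimate client cannot lock that client out; it validates the argument, since the value comes out of an attacker-controlled log line; and it keeps bans in their own chain so they can be flushed on a schedule, which bounds the length of the rule list. It also carries the default-deny base policy the reply argues for. The allowlist path `/etc/ipt-ddos.allow`, the chain name `DDOS_BAN`, the `IPT=echo` dry-run convention and the port-80 hole are all assumptions.

```shell
#!/bin/sh
# Hypothetical replacement for the "ipt-ddos" helper that swatch calls with
# the client address as its only argument (not the script from the thread).
# Goals taken from the discussion: (1) never ban an address on the allowlist,
# so a request that frames a legitimate client cannot lock it out; (2) validate
# the argument, since it originates from an attacker-controlled log line;
# (3) keep bans in their own chain so they can be expired and the rule list
# does not grow without bound.

ALLOWLIST="${ALLOWLIST:-/etc/ipt-ddos.allow}"   # assumed path: one IP or CIDR per line
IPT="${IPT:-iptables}"                            # IPT=echo prints the rules instead of applying them
CHAIN="${CHAIN:-DDOS_BAN}"                        # assumed chain name

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0-255 and no
# leading zeros (which shell arithmetic would otherwise read as octal).
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ip_to_int ADDR: print the address as a 32-bit integer (ADDR already validated).
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR ENTRY: succeed if ADDR lies in ENTRY, written "a.b.c.d" or "a.b.c.d/bits".
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32                 # no "/" means a single host
    is_ipv4 "$net" || return 1
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# is_allowed ADDR: succeed if ADDR matches any non-comment entry of the allowlist.
is_allowed() {
    [ -r "$ALLOWLIST" ] || return 1
    while read -r entry rest || [ -n "$entry" ]; do
        case $entry in ''|\#*) continue ;; esac
        in_cidr "$1" "$entry" && return 0
    done < "$ALLOWLIST"
    return 1
}

# ban_decision ADDR: print "invalid", "allowlisted" or "ban"; succeed only for "ban".
ban_decision() {
    if ! is_ipv4 "$1"; then echo invalid; return 1; fi
    if is_allowed "$1"; then echo allowlisted; return 1; fi
    echo ban
    return 0
}

# Bans live in their own chain hooked from INPUT; flushing that chain (for
# example from cron every few hours) expires every ban at once.
ensure_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -C INPUT -j "$CHAIN" 2>/dev/null || $IPT -I INPUT -j "$CHAIN"
}
ban()         { ensure_chain; $IPT -A "$CHAIN" -s "$1" -j DROP; }
expire_bans() { $IPT -F "$CHAIN"; }

# Default-deny base policy the reply argues for: drop everything, keep loopback
# and established flows, then punch holes only for allowlisted sources (port 80 here).
apply_base_policy() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    while read -r entry rest || [ -n "$entry" ]; do
        case $entry in ''|\#*) continue ;; esac
        $IPT -A INPUT -s "$entry" -p tcp --dport 80 -j ACCEPT
    done < "$ALLOWLIST"
}

# Entry point when swatch runs this as "ipt-ddos <addr>"; with no argument the
# functions are only defined (for example when the file is sourced for testing).
if [ $# -ge 1 ]; then
    if verdict=$(ban_decision "$1"); then
        ban "$1"
    else
        printf 'ipt-ddos: not banning %s (%s)\n' "$1" "$verdict" >&2
    fi
fi
```

Run it once with `IPT=echo` and a sample allowlist to review the rules it would add before pointing swatch at it; `expire_bans` from cron is what keeps the chain from becoming the "mile long firewall" the reply warns about, and `apply_base_policy` is the drop-by-default starting point, with the allowlist doubling as the set of hosts that may never be banned.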
