Re: [Fedora] Re: Blocking SSH ... BUT...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2007-09-19 at 02:22 +0300, kalinix wrote:
> On Tue, 2007-09-18 at 12:09 -0700, Mike Wright wrote:
> > Ashley M. Kirchner wrote:
> > > Mike Wright wrote:
> > > 
> > >> Allow your subnets before the above rules.  Here's a sample rule:
> > >>
> > >> -A INPUT -s 10.0.0.0/24 -p tcp --dport 22 --syn -j ACCEPT
> > >> # subnet    ^^^^^^^^^^^
> > >>
> > >> You'd need one rule for each subnet.
> > >>
> > >> hth
> > > 
> > > 
> > >    Awesome Mike, that worked like a charm.  Thanks!
> > 
> > Very welcome.
> > > 
> > >    Somewhat related question: would the same rules work for ftp attacks 
> > > as well?  Obviously replacing the port number with 21, but would they 
> > > work?  Duplicate the lines, replace port and hope that ftp also gets 
> > > curbed the same way?
> > > 
> > 
> > I think so.  I know that there are connection tracking issues with ftp 
> > but I don't think that applies here.  Each connection starts with an 
> > initial NEW packet.

The initial control session is easy to monitor using the same kind of
ruleset used for port 22, but specifying port 21:

-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --set
-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --rcheck
--seconds 120 --hitcount 2 -j LOG --log-prefix "FTP REJECT: "
-A INPUT -p tcp --syn --dport 21 -m recent --name ftpattack --rcheck
--seconds 120 --hitcount 2 -j REJECT --reject-with tcp-reset

If the attacker can't get a control connection, s/he can't get a data
connection.

Now, if you want to firewall your FTP data connections, you need to use
connection tracking:

# These rules allow active FTP sessions...
-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j
ACCEPT
-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# These rules allow passive FTP sessions...
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED
-j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state
ESTABLISHED,RELATED -j ACCEPT

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
- If at first you don't succeed, quit. No sense being a damned fool! -
----------------------------------------------------------------------


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux