Re: [mod-security-users] Question about iptables
Brought to you by:
victorhora,
zimmerletw
From: Jose P. V. L. <pab...@gm...> - 2013-09-19 09:34:41
|
Thanks again Reindl :). Kind regards 2013/9/19 Reindl Harald <h.r...@th...> > i posted my iptables rules many times on several lists > > you need to adjust the variables and test it in your environment > but that is from a production infrastructure with weekly audits > > "iptables -A" may work with "iptables -I" for connlimit, wherever > i took it it was written that way and did not work, but that maybe > is caused by the way my whole wirewall rules are generated in a large > shell-script distriibuted over 20 machines with if-blocks on hostname > ___________________________________ > > there are basically *two* rule-blocks > > * max connections per 2 seconds and IP > * max active connections per IP > * the echo starts the rule-block > * any other line starts with "iptables" > * so anything wrapped in the mail not starting with echo/iptables belongs > to the previous one > > RATE_CONTROL_MAX="150" > CONNECTION_MAX="50" > echo "DOS-PROTECTION: not more than $RATE_CONTROL_MAX new connections per > two seconds and client-ip" > iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate > NEW -m recent --set > iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate > NEW -m recent --update --seconds 2 > --hitcount $RATE_CONTROL_MAX -j DROP > iptables -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate > NEW -m recent --update --seconds 2 > --hitcount $RATE_CONTROL_MAX -m limit --limit 100/h -j LOG --log-prefix > "Firewall Rate-Control: " > iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate > NEW -m recent --name udpflood --set > iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate > NEW -m recent --name udpflood --update > --seconds 2 --hitcount $RATE_CONTROL_MAX -j DROP > iptables -I INPUT -p udp -i eth0 ! -s $LAN_RANGE -m conntrack --ctstate > NEW -m recent --name udpflood --update > --seconds 2 --hitcount $RATE_CONTROL_MAX -m limit --limit 100/h -j LOG > --log-prefix "Firewall Rate-Control: " > echo "DOS-PROTECTION: not more than $CONNECTION_MAX parallel connections > to port 80/443" > iptables -A INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m multiport > --destination-port 80,443 --syn -m connlimit > --connlimit-above $CONNECTION_MAX -m limit --limit 100/h -j LOG > --log-prefix "Firewall Slowloris: " > iptables -A INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m multiport > --destination-port 80,443 --syn -m connlimit > --connlimit-above $CONNECTION_MAX -j DROP > > Am 19.09.2013 10:38, schrieb Jose Pablo Valcárcel Lázaro: > > iptables v1.4.2: Unknown arg `(null)' > > Try `iptables -h' or 'iptables --help' for more information. > > > > As you see he had problems when he tried to apply those rules, so I kept > looking for some similar rules and I find > > it when I saw a prevention amplification dns attack article here: > http://blog.rootshell.ir/ > > > > Straight to iptables snippet code from that link I see these lines: > > iptables -A INPUT -p udp -m udp --dport 53 -m string --hex-string > "|0000ff0001|" --algo bm --from 48 --to 65535 > > -m recent --set --name dnsanyquery --rsource > > iptables -A INPUT -p udp -m udp --dport 53 -m string --hex-string > "|0000ff0001|" --algo bm --from 48 --to 65535 > > -m recent --rcheck --seconds 60 --hitcount 5 --name dnsanyquery > --rsource -j DROP > > > > So finally from that rules I guess some one could modify it in order to > block brute-force attacks not only with > > mod_security rules :) : > > > > I haven´t tested it but if someone in a development environment could > try and use it I would thankful to hear that > > works!! > > > > ------------------------------------------------------------------------------ > LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! > 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, > SharePoint > 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack > includes > Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. > http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ > > |