[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a260a2190602280859q666f9905mff05e3983b361e0@mail.gmail.com>
Date: Tue Feb 28 16:59:51 2006
From: thotter at gmail.com (Matthijs van Otterdijk)
Subject: reduction of brute force log
Hey, I didn't write it, I just copied a link :P. Maybe the author likes to
be pinged? Dunno what those ports are...
On 2/28/06, Bob Radvanovsky <rsradvan@...xworks.net> wrote:
>
> I am going to test these rules out -- this looks REALLy good! But...I've
> got just ONE question: why on Earth would you permit ICMP???
>
> And what significances are ports 50, 51, 1599, 1600 and 1601? 443 and 80
> are HTTP-S and HTTP (respectively), 123 is NTP -- I realize that, but what
> are these others ports used for?
>
> -r
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -s 10.0.0.0/24 -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m
> recent --rcheck --name SSH -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j
> ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1599 -m
> recent --name SSH --remove -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1600 -m
> recent --name SSH --set -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1601 -m
> recent --name SSH --remove -j DROP
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
> ----- Original Message -----
> From: Matthijs van Otterdijk [mailto:thotter@...il.com]
> To: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] reduction of brute force login attempts via
> SSH through iptables --hashlimit
>
>
> > I haven't tried this myself, and I don't know if it is already
> suggested,
> > but this should stop all the pesky scriptkiddies from filling up your
> logs.
> > Might prove to be a better solution, who knows:
> > http://aplawrence.com/Security/sshloginattack.html
> >
> > Matthijs
> >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060228/635f8563/attachment.html
Powered by blists - more mailing lists