| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Feb 28 20:27:27 2006 From: rsradvan at unixworks.net (Bob Radvanovsky) Subject: reduction of brute force log Yeah...I didn't see that. I thought those were ports. My bad... :(( ----- Original Message ----- From: Joachim Schipper [mailto:j.schipper@...h.uu.nl] To: full-disclosure@...ts.grok.org.uk Subject: Re: [Full-disclosure] reduction of brute force log > On Tue, Feb 28, 2006 at 10:52:27AM -0600, Bob Radvanovsky wrote: > > I am going to test these rules out -- this looks REALLy good! > > But...I've got just ONE question: why on Earth would you permit > > ICMP??? > > (Outgoing) echo requests and port-unreachable responses (to UDP > packets), just to name a couple. > > Source quench and redirect are both powerful, but also more than a > little dangerous to allow. > > > And what significances are ports 50, 51, 1599, 1600 and 1601? 443 and 80 > are HTTP-S and HTTP (respectively), 123 is NTP -- I realize that, but what > are these others ports used for? > > We are talking about IP *protocols* 50 and 51, which are ESP and AH - > the IPsec protocols. > > The 1599-1601 ports are used to open/close the ssh port, as explained in > the article linked. > > This firewall configuration should work as advertised. Of course, > restricting logins to public key authentication should work, and has the > added advantage that one does not try to login from yet another > keylogger-infected Windows box. > > Joachim > > > -r > > > > *filter > > :INPUT ACCEPT [0:0] > > :FORWARD ACCEPT [0:0] > > :OUTPUT ACCEPT [0:0] > > :RH-Firewall-1-INPUT - [0:0] > > -A INPUT -j RH-Firewall-1-INPUT > > -A FORWARD -j RH-Firewall-1-INPUT > > -A RH-Firewall-1-INPUT -i lo -j ACCEPT > > -A RH-Firewall-1-INPUT -s 10.0.0.0/24 -j ACCEPT > > -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT > > -A RH-Firewall-1-INPUT -p 50 -j ACCEPT > > -A RH-Firewall-1-INPUT -p 51 -j ACCEPT > > -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m > recent --rcheck --name SSH -j ACCEPT > > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j > ACCEPT > > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j > ACCEPT > > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j > ACCEPT > > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1599 -m > recent --name SSH --remove -j DROP > > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1600 -m > recent --name SSH --set -j DROP > > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1601 -m > recent --name SSH --remove -j DROP > > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited > > COMMIT > > > > > > ----- Original Message ----- > > From: Matthijs van Otterdijk [mailto:thotter@...il.com] > > To: full-disclosure@...ts.grok.org.uk > > Subject: Re: [Full-disclosure] reduction of brute force login attempts via > SSH through iptables --hashlimit > > > > > > > I haven't tried this myself, and I don't know if it is already > suggested, > > > but this should stop all the pesky scriptkiddies from filling up your > logs. > > > Might prove to be a better solution, who knows: > > > http://aplawrence.com/Security/sshloginattack.html > > > > > > Matthijs > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
Powered by blists - more mailing lists