[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060228142657.69f9f431@ironmail.unixworks.net>
Date: Tue Feb 28 20:27:27 2006
From: rsradvan at unixworks.net (Bob Radvanovsky)
Subject: reduction of brute force log
Yeah...I didn't see that. I thought those were ports. My bad... :((
----- Original Message -----
From: Joachim Schipper [mailto:j.schipper@...h.uu.nl]
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] reduction of brute force log
> On Tue, Feb 28, 2006 at 10:52:27AM -0600, Bob Radvanovsky wrote:
> > I am going to test these rules out -- this looks REALLy good!
> > But...I've got just ONE question: why on Earth would you permit
> > ICMP???
>
> (Outgoing) echo requests and port-unreachable responses (to UDP
> packets), just to name a couple.
>
> Source quench and redirect are both powerful, but also more than a
> little dangerous to allow.
>
> > And what significances are ports 50, 51, 1599, 1600 and 1601? 443 and 80
> are HTTP-S and HTTP (respectively), 123 is NTP -- I realize that, but what
> are these others ports used for?
>
> We are talking about IP *protocols* 50 and 51, which are ESP and AH -
> the IPsec protocols.
>
> The 1599-1601 ports are used to open/close the ssh port, as explained in
> the article linked.
>
> This firewall configuration should work as advertised. Of course,
> restricting logins to public key authentication should work, and has the
> added advantage that one does not try to login from yet another
> keylogger-infected Windows box.
>
> Joachim
>
> > -r
> >
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :RH-Firewall-1-INPUT - [0:0]
> > -A INPUT -j RH-Firewall-1-INPUT
> > -A FORWARD -j RH-Firewall-1-INPUT
> > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> > -A RH-Firewall-1-INPUT -s 10.0.0.0/24 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> > -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> > -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m
> recent --rcheck --name SSH -j ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j
> ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j
> ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j
> ACCEPT
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1599 -m
> recent --name SSH --remove -j DROP
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1600 -m
> recent --name SSH --set -j DROP
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1601 -m
> recent --name SSH --remove -j DROP
> > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > COMMIT
> >
> >
> > ----- Original Message -----
> > From: Matthijs van Otterdijk [mailto:thotter@...il.com]
> > To: full-disclosure@...ts.grok.org.uk
> > Subject: Re: [Full-disclosure] reduction of brute force login attempts via
> SSH through iptables --hashlimit
> >
> >
> > > I haven't tried this myself, and I don't know if it is already
> suggested,
> > > but this should stop all the pesky scriptkiddies from filling up your
> logs.
> > > Might prove to be a better solution, who knows:
> > > http://aplawrence.com/Security/sshloginattack.html
> > >
> > > Matthijs
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Powered by blists - more mailing lists