Message-ID: <53459E69.9080305@thelounge.net>
Date: Wed, 09 Apr 2014 21:24:25 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

You are opening the door to a DoS attack with the log rule!

iptables logging always needs to be rate-limited because of how it works;
otherwise you have a problem the first time it really happens seriously:

 -m limit --limit 1/m

Am 09.04.2014 12:39, schrieb Fabien Bourdaire:
> We've created some iptables rules to block all heartbeat queries using
> the very powerful u32 module.
> 
> The rules allow you to mitigate systems that can't yet be patched by
> blocking ALL the heartbeat handshakes. We also like the capability to
> log external scanners ;)
> 
> The rules have been specifically created for HTTPS traffic and may be
> adapted for other protocols; SMTPS/IMAPS/...
> 
> 
> # Log rules
> iptables -t filter -A INPUT  -p tcp --dport 443  -m u32 --u32 \
> "52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"
> 
> # Block rules
> iptables -t filter -A INPUT  -p tcp --dport 443  -m u32 --u32 \
> "52=0x18030000:0x1803FFFF" -j DROP
> 
> # Wireshark rules
> $ tshark  -i interface port 443 -R 'frame[68:1] == 18'
> $ tshark  -i interface port 443 -R 'ssl.record.content_type == 24'
> 
> 
> We believe that this should only be used as a temporary fix to decrease
> the exposure window. The log rule should allow you to test the firewall
> rules before being used in production. It goes without saying that if
> you have any suggested improvements to these rules we would be grateful
> if you could share them with the security community.
> 
> Clearly, use of these rules is at your own risk :)


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
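As an added example that is not part of either message in this thread: a Python simulation of the two rules under discussion. The first half emulates the quoted u32 match, which reads four bytes at offset 52 from the start of the IP header; that is the first byte of the TCP payload only when the IP header is 20 bytes and the TCP header is 32 bytes (20 bytes plus 12 bytes of options), so a heartbeat record behind a 20-byte TCP header is not seen by that rule. It also shows a header-length-aware variant equivalent to the `0>>22&0x3C@12>>26&0x3C@0=lo:hi` form described in the iptables u32 man page. The second half models the `-m limit` token bucket Reindl asks for (rate one per minute, iptables' default burst of 5) to show how many LOG hits a flood of matching packets produces with and without it. The packet builder, the TLS record bytes and the arrival timestamps are constructed here, and `LimitMatch` is a simplified model of the limit match, not the kernel's implementation.

```python
import struct

# Constructed TLS records: a heartbeat record (content type 0x18, version 3.2)
# and an application-data record (content type 0x17).
HEARTBEAT_RECORD = bytes.fromhex("1803020003010000")
APPDATA_RECORD = bytes.fromhex("1703020005") + b"hello"

# The range from the quoted rule: content type 0x18, major version 3,
# any minor version and any first length byte.
U32_LO, U32_HI = 0x18030000, 0x1803FFFF


def build_packet(tcp_opts_len, tls_record, ip_opts_len=0):
    """Constructed IPv4 + TCP packet carrying tls_record as its payload.
    Option bytes are NOP placeholders; only the header lengths matter here."""
    assert tcp_opts_len % 4 == 0 and ip_opts_len % 4 == 0
    total_len = 20 + ip_opts_len + 20 + tcp_opts_len + len(tls_record)
    ihl = (20 + ip_opts_len) // 4
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, total_len, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip_hdr += b"\x01" * ip_opts_len
    data_off = (20 + tcp_opts_len) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 443, 0, 0, data_off << 4, 0x18, 65535, 0, 0)
    tcp_hdr += b"\x01" * tcp_opts_len
    return ip_hdr + tcp_hdr + tls_record


def u32_fixed_offset_match(packet, offset=52, lo=U32_LO, hi=U32_HI):
    """Emulates --u32 "52=0x18030000:0x1803FFFF": read the 32-bit word at a
    fixed offset from the start of the IP header and test it against the range.
    u32 fails the match when the packet is too short for the read."""
    if len(packet) < offset + 4:
        return False
    (word,) = struct.unpack("!I", packet[offset:offset + 4])
    return lo <= word <= hi


def u32_header_aware_match(packet, lo=U32_LO, hi=U32_HI):
    """Same test, but locating the TCP payload from IHL and the TCP data offset,
    as the u32 form 0>>22&0x3C@12>>26&0x3C@0=lo:hi does."""
    ihl = (packet[0] & 0x0F) * 4                 # 0>>22&0x3C
    data_off = (packet[ihl + 12] >> 4) * 4       # 12>>26&0x3C, relative to TCP
    payload = packet[ihl + data_off:]
    if len(payload) < 4:
        return False
    (word,) = struct.unpack("!I", payload[:4])
    return lo <= word <= hi


class LimitMatch:
    """Simplified token-bucket model of -m limit: 'burst' tokens to start,
    refilled at 'rate_per_sec'; a packet matches only if a token is available."""

    def __init__(self, rate_per_sec, burst=5):  # iptables' default burst is 5
        self.interval = 1.0 / rate_per_sec
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allows(self, now):
        if self.last is not None:
            refill = (now - self.last) / self.interval
            self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def log_hits(arrival_times, limiter=None):
    """Number of packets that reach the LOG target: every packet without a
    limiter, only those the token bucket admits with one."""
    if limiter is None:
        return len(arrival_times)
    return sum(1 for t in arrival_times if limiter.allows(t))


# Constructed flood: 1000 matching packets, one every millisecond.
FLOOD_TIMES = [i * 0.001 for i in range(1000)]

if __name__ == "__main__":
    print("32-byte TCP header, heartbeat, fixed offset:",
          u32_fixed_offset_match(build_packet(12, HEARTBEAT_RECORD)))
    print("20-byte TCP header, heartbeat, fixed offset:",
          u32_fixed_offset_match(build_packet(0, HEARTBEAT_RECORD)))
    print("20-byte TCP header, heartbeat, header-aware:",
          u32_header_aware_match(build_packet(0, HEARTBEAT_RECORD)))
    print("LOG hits without limit:", log_hits(FLOOD_TIMES))
    print("LOG hits with -m limit --limit 1/m:",
          log_hits(FLOOD_TIMES, LimitMatch(1 / 60)))
```

Both u32 variants only inspect the bytes at the start of a segment's payload, so a heartbeat record that begins mid-segment after other TLS data is not matched by either; the rule narrows the exposure window, as the original post says, rather than closing it. The real limit match keeps its credit in jiffies rather than floating-point tokens, but the outcome for the modelled flood is the same: five log lines instead of a thousand.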
