Message-ID: <53465DDE.9090807@thelounge.net>
Date: Thu, 10 Apr 2014 11:01:18 +0200
From: Reindl Harald <h.reindl@...lounge.net>
To: fulldisclosure@...lists.org
Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160


On 09.04.2014 23:33, Juergen Christoffel wrote:
> On Wed, Apr 09, 2014 at 09:24:25PM +0200, Reindl Harald wrote:
>>
>> iptables logging always needs to be rate-limited because of how it works;
>> otherwise you have a problem the first time it really happens seriously
> 
> Using limits is sensible, yes. But
> 
>> -m limit --limit 1/m
> 
> this might be a bit too restrictive to gather data on attempts at
> heartbleeding. And --hashlimit might be more appropriate too as it keeps a
> counter per IP address.

Agreed, and thanks for the --hashlimit option; after a
large DDoS attack from more than 10000 IP addresses I
got that restrictive :-)

Sadly I can't confirm that it works, because testing with http://filippo.io/Heartbleed/
doesn't produce any log entry, and since iptables lives at a deeper layer than httpd
it should cry even on patched machines...

# u32 offset 52 assumes a 20-byte IP header plus a 32-byte TCP header (20 bytes + 12 bytes of options);
# 0x18 is the TLS heartbeat content type, 0x03xx the TLS protocol version
iptables -A INPUT ! -i lo -p tcp -m multiport --destination-port 443,993,995 -m u32 \
  --u32 "52=0x18030000:0x1803FFFF" -m limit --limit 5/h \
  -j LOG --log-level debug --log-prefix "Firewall: Heartbleed"
iptables -A INPUT ! -i lo -p tcp -m multiport --destination-port 443,993,995 -m u32 \
  --u32 "52=0x18030000:0x1803FFFF" -j DROP
__________________________________________________________________________________________________________________

iptables --list --numeric --verbose

    0     0 LOG        tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            multiport dports 443,993,995 u32 "0x34=0x18030000:0x1803ffff" limit: avg 5/hour burst 5 LOG flags 0 level 7 prefix "Firewall: Heartbleed"
    0     0 DROP       tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            multiport dports 443,993,995 u32 "0x34=0x18030000:0x1803ffff"
__________________________________________________________________________________________________________________



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
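Added example (not from the post above and not iptables project code): a small Python re-implementation of the subset of the u32 match language that the posted rules use, run against constructed IPv4/TCP packets carrying a TLS heartbeat record. It shows the caveat behind the fixed offset 52 (20-byte IP header + 32-byte TCP header): a heartbeat arriving in a segment with a different TCP header length is not matched by "52=0x18030000:0x1803FFFF", while the header-relative form built with the '@' re-basing idiom from the iptables-extensions u32 man page matches regardless of header length. The packet builder, the rule names, the record bytes and the 192.0.2.x addresses are all constructed for this example; the evaluator is an assumption-laden model of the kernel module, not its code.

```python
"""Evaluator for a subset of iptables '-m u32 --u32' expressions (added example).

Supported: 32-bit big-endian fetch at an offset counted from the start of
the IP header, the '&', '>>', '<<' operators, the '@' re-basing operator,
'=' with comma-separated values or lo:hi ranges, and '&&' to chain tests.
All packets below are constructed in this file; nothing is captured live.
"""
import re

_TOKEN = re.compile(r"(>>|<<|&|@)?(0x[0-9A-Fa-f]+|\d+)")


def _fetch32(pkt: bytes, off: int):
    """4-byte big-endian fetch; None if it reads past the packet (u32 then fails the test)."""
    if off < 0 or off + 4 > len(pkt):
        return None
    return int.from_bytes(pkt[off:off + 4], "big")


def _evaluate_location(loc: str, pkt: bytes):
    """Evaluate the left-hand side of a u32 test, e.g. '0>>22&0x3C@12>>26&0x3C@0'."""
    tokens = _TOKEN.findall(loc.replace(" ", ""))
    if not tokens or tokens[0][0]:
        raise ValueError(f"bad u32 location: {loc!r}")
    base = 0
    value = _fetch32(pkt, int(tokens[0][1], 0))
    for op, num in tokens[1:]:
        if value is None:
            return None
        n = int(num, 0)
        if op == "&":
            value &= n
        elif op == ">>":
            value >>= n
        elif op == "<<":
            value = (value << n) & 0xFFFFFFFF
        elif op == "@":  # the computed value becomes the new base offset for the next fetch
            base += value
            value = _fetch32(pkt, base + n)
        else:
            raise ValueError(f"bad u32 location: {loc!r}")
    return value


def u32_match(expr: str, pkt: bytes) -> bool:
    """True if every '&&'-separated test in expr matches pkt."""
    for test in expr.split("&&"):
        loc, sep, values = test.partition("=")
        if not sep:
            raise ValueError(f"u32 test without '=': {test!r}")
        value = _evaluate_location(loc, pkt)
        if value is None:
            return False
        hit = False
        for rng in values.replace(" ", "").split(","):
            lo, _, hi = rng.partition(":")
            lo_v = int(lo, 0)
            hi_v = int(hi, 0) if hi else lo_v
            if lo_v <= value <= hi_v:
                hit = True
        if not hit:
            return False
    return True


def build_packet(tcp_header_len: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet: 20-byte IP header, TCP header of the given length
    (options area padded with NOPs), then the payload.  Checksums are left zero."""
    assert tcp_header_len % 4 == 0 and 20 <= tcp_header_len <= 60
    total = 20 + tcp_header_len + len(payload)
    ip = bytes([0x45, 0x00]) + total.to_bytes(2, "big") + bytes([0, 0, 0x40, 0, 64, 6, 0, 0])
    ip += bytes([192, 0, 2, 10]) + bytes([192, 0, 2, 20])  # RFC 5737 documentation addresses
    tcp = (40000).to_bytes(2, "big") + (443).to_bytes(2, "big") + bytes(8)  # ports, seq, ack
    tcp += bytes([(tcp_header_len // 4) << 4, 0x18]) + bytes(6)             # data offset, PSH|ACK, window/csum/urg
    tcp += b"\x01" * (tcp_header_len - 20)                                  # NOP-padded options
    return ip + tcp + payload


# Constructed TLS records.  HEARTBEAT_REQ has the shape of a heartbeat request:
# content type 0x18, version TLS 1.1, record length 3, message type 1, claimed payload length 0x4000.
HEARTBEAT_REQ = bytes([0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00])
APP_DATA = bytes([0x17, 0x03, 0x02, 0x00, 0x05]) + b"hello"

# Rule from the post: fixed offset 52 = 20-byte IP header + 32-byte TCP header.
FIXED_OFFSET_RULE = "52=0x18030000:0x1803FFFF"
# Header-relative form (name is ours): IHL*4 from IP byte 0, TCP data offset*4 from TCP byte 12,
# then the first 32-bit word of the TCP payload.
HEADER_RELATIVE_RULE = "0>>22&0x3C@12>>26&0x3C@0=0x18030000:0x1803FFFF"

if __name__ == "__main__":
    for hdr in (20, 32, 40):
        for name, rec in (("heartbeat", HEARTBEAT_REQ), ("app-data", APP_DATA)):
            pkt = build_packet(hdr, rec)
            print(f"tcp header {hdr:2d}B {name:9s} fixed={u32_match(FIXED_OFFSET_RULE, pkt)!s:5s} "
                  f"relative={u32_match(HEADER_RELATIVE_RULE, pkt)}")
```

Both forms only see a heartbeat record that begins at the very start of a TCP segment's payload; a record that follows other TLS records in the same segment, or that starts in a later segment, is not matched by either. And because only the content-type and version bytes are tested, the rules log and drop every TLS heartbeat on those ports, benign or not, which is why the log line alone says nothing about whether the peer was actually vulnerable.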
