Re: iptables recent / more than one exception |
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: iptables recent / more than one exception
- From: Reindl Harald <h.reindl@xxxxxxxxxxxxx>
- Date: Fri, 04 May 2012 10:15:05 +0200
- Delivered-to: users@xxxxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <4FA32C90.4070000@earthlink.net>
- Openpgp: id=7F780279; url=http://arrakis.thelounge.net/gpg/h.reindl_thelounge.net.pub.txt
- Organization: the lounge interactive design
- Reply-to: Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
Am 04.05.2012 03:10, schrieb jdow:
> On 2012/05/03 10:57, Reindl Harald wrote:
>>
>> Am 03.05.2012 19:46, schrieb Paul W. Frields:
>>> On Thu, May 03, 2012 at 04:21:20PM +0200, Reindl Harald wrote:
>>>> iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --set
>>>> iptables -I INPUT -p tcp -i eth0 ! -s $LOCAL_NETWORK -m state --state NEW -m recent --update --seconds 1
>>>> --hitcount 75 -j REJECT --reject-with tcp-reset
>>>
>>> Even when you use comma-separated addresses (allowed when not using
>>> the '!' operator), iptables actually creates separate rules in
>>> response to the command. I believe that's what you need to do in this
>>> situation
>>
>> in theory yes
>> but practically the reject of this rule would be triggered
>>
>> a secuity auditor from a customer is whining the he no longer
>> can make security-scans
>
> Ah, wait a minute. If he cannot make security scans neither can
> anybody else. So defacto his job is finished.
this is the naive view :-)
the reality in business-to-business relationships is that
such scans are done with standard software like Nessus
and if this stops the job is not done - if you are
speaking about a big customer with a policy which requires
sec-audits yu can not say "it is done"
a real attacker does not need nessus
he plays around with params manually to find sql-injections
and so on without triggering any rate-control and maybe
even bypassing mod_security or whatever application fierwall
> For any exception you place into the rules to allow him to scan you must
> think VERY carefully what it's effects will be. You might accidentally
> open up the internal network to him leading to a false positive detection
> from his security scan.
i know this, that is the reason why i like to exclude him only
from the rate-control as also done with mod_security
Attachment:
signature.asc
Description: OpenPGP digital signature
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Older Fedora Users]
[Fedora Announce]
[Fedora Package Announce]
[EPEL Announce]
[Fedora News]
[Fedora Cloud]
[Fedora Advisory Board]
[Fedora Education]
[Fedora Security]
[Fedora Scitech]
[Fedora Robotics]
[Fedora Maintainers]
[Fedora Infrastructure]
[Fedora Websites]
[Anaconda Devel]
[Fedora Devel Java]
[Fedora Legacy]
[Fedora Desktop]
[Fedora Fonts]
[ATA RAID]
[Fedora Marketing]
[Fedora Management Tools]
[Fedora Mentors]
[SSH]
[Find Someone Special]
[Fedora Package Review]
[Fedora R Devel]
[Fedora PHP Devel]
[Kickstart]
[Fedora Music]
[Fedora Packaging]
[Centos]
[Fedora SELinux]
[Fedora Legal]
[Fedora Kernel]
[Fedora QA]
[Fedora Triage]
[Fedora OCaml]
[Coolkey]
[Virtualization Tools]
[ET Management Tools]
[Yum Users]
[Tux]
[Yosemite News]
[Yosemite Photos]
[Linux Apps]
[Maemo Users]
[Gnome Users]
[KDE Users]
[Fedora Tools]
[Fedora Art]
[Fedora Docs]
[Maemo Users]
[Asterisk PBX]
[Fedora Sparc]
[Fedora Universal Network Connector]
[Libvirt Users]
[Fedora ARM]
