Re: iptables recent / more than one exception
On 04.05.2012 11:37, jdow wrote:

> But, then, I note your setting with --recent is not nearly as stringent as
> mine. Any given address gets one connection per minute to ssh. That VASTLY
> slows down dictionary attacks. Yours is a significant slow down; but, not
> so much that somebody could not, as you put it, nibble around the edges to
> get in. You have slowed down such attacks, though. That is good.
>
> It would be handy if there was an iptables rule that allowed skipping the
> next rule in order if the special rule hit. Alas, I am unaware of such a
> trick potential.

My sshd has a separate rule.

The intention of this rule is not to block; it is a rate control against DOS attacks. Since we had "Anonymous" with a distributed DOS attack last week, I can say it works damned well - after replacing a burned-down router :-)

Clearly you cannot stand the whole DDOS from some thousand source IPs, but it gives you enough time to filter them for a DROP rule - without this rate control you could not operate on the machine.

Before the DDOS it was limited to 100 connections/ip/second, which results in "ab -c 50 -n 50000 http://host-on-machine/" raising CPU load up to 100% for a short time, going down to 50% and switching between these two states (sorry about bad English).

With 75 instead of 100, even an "ab -c 4 -n 1000" is completely broken from outside the own network, because "apache benchmark" thinks the host is dead after 83 connections and stops due to too many errors - well, I guess exactly that is the problem for Nessus/OpenVAS and such software from outside.

Now, they triggered it all the time before with portscans, but just did not notice.
Attachment:
signature.asc
Description: OpenPGP digital signature
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
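The two kinds of per-source rate control discussed in this thread (jdow's one-new-SSH-connection-per-minute rule built on the `recent` match, and the poster's per-IP connection rate cap in front of the web server) written out as a small shell script. This is an added example, not a rule set posted in the thread: it assumes sshd on tcp/22, httpd on tcp/80, a kernel with the `recent` and `hashlimit` match extensions, and the limits shown (60-second window for SSH, 75 new connections per source per second for HTTP, the value the poster settled on). The list name `sshlimit`, the hashlimit name `httplimit` and the `APPLY` switch are my own choices. By default the script only prints the rules; nothing touches the firewall unless `APPLY=1` is set and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Emits (or, with APPLY=1,
# applies) per-source rate-control rules for sshd and httpd. Assumed values:
SSH_PORT=22
HTTP_PORT=80
SSH_WINDOW=60   # seconds: one NEW SSH connection per source address per minute
HTTP_RATE=75    # NEW HTTP connections per source address per second

# SSH, recent module (assumed list name "sshlimit"): the first rule records every
# NEW SYN from a source; the second drops a further NEW SYN from the same source
# seen within SSH_WINDOW seconds. Rule order matters: --set runs before --update,
# so the current packet is already counted when --hitcount 2 is evaluated.
ssh_ratelimit_rules() {
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name sshlimit --set"
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name sshlimit --update --seconds $SSH_WINDOW --hitcount 2 -j DROP"
}

# HTTP, hashlimit module keyed on source IP (assumed name "httplimit"): NEW
# connections arriving faster than HTTP_RATE/sec from one address are dropped;
# already-established flows are not matched, so this throttles rather than blocks.
http_ratelimit_rules() {
    echo "iptables -A INPUT -p tcp --dport $HTTP_PORT -m conntrack --ctstate NEW -m hashlimit --hashlimit-name httplimit --hashlimit-mode srcip --hashlimit-above ${HTTP_RATE}/sec --hashlimit-burst $HTTP_RATE -j DROP"
}

# Number of rules a generator function emits; handy when reviewing a change.
count_rules() {
    "$1" | wc -l | tr -d ' '
}

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        ssh_ratelimit_rules | sh
        http_ratelimit_rules | sh
    else
        echo "# dry run: set APPLY=1 to execute these commands as root"
        ssh_ratelimit_rules
        http_ratelimit_rules
    fi
}

run
```

Usage: `sh ratelimit.sh` prints the rules for review; `APPLY=1 sh ratelimit.sh` applies them. Both rules sit on `INPUT` before any `ACCEPT` for the same ports, and the HTTP rule is exactly the sort of per-source cap that a scanner run from a single address (the Nessus/OpenVAS case above, or `ab` with a high concurrency) will trip, so expect such tools to report the host as down or unreachable from outside the network.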