Re: iptables recent / more than one exception

On 05.05.2012 00:31, jdow wrote:
>> with 75 instead of 100 even a "ab -c 4 -n 1000" is completely
>> broken from outside the own network because "apache benchmark"
>> thinks the host is dead after 83 connections and stops due to too
>> many errors - well, I guess exactly that is the problem for
>> Nessus/OpenVAS and such software from outside now
>>
>> they triggered it all the time before with portscans, but I just
>> did not notice
> 
> What happens with something like this (PDL sorta kinda)?
> 
> while( 1 )
> {
>     "ab -c 4 -n 50"
>     Sleep( 2 )
> }
> 
> I don't know nessus. I am guessing that "-n 1000" part means 1000 trials
> and it's running as fast as it can go. The idea is to test up to your
> DDOS limit, wait 2 seconds, repeat. Can the test be hacked to keep your
> system at its limit but not over its limit?

no idea, and it would not help anyway because a company
only doing certified security scans will never change them,
especially if your customer is their customer....

but I found a solution!

with "--remove" you can remove the given IP from the recent list
before the REJECT action is triggered, and this way add as many
networks / addresses as you need


$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --set
$IPTABLES -I INPUT -p tcp -i eth0 -s $SECURITY_SCAN -m state --state NEW -m recent --remove
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update --seconds 1 --hitcount 75 \
    -j REJECT --reject-with tcp-reset
$IPTABLES -I INPUT -p tcp -i eth0 ! -s $LAN_RANGE -m state --state NEW -m recent --update --seconds 1 --hitcount 75 \
    -m limit --limit 60/h -j LOG --log-prefix "Rate-Control: "


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
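To see why the four rules above exempt the scanner while still cutting off a real burst, here is an added model of that chain (written for this page, not code from the post or from the kernel's xt_recent module): it replays NEW connections through the rules in their final evaluation order with --set/--remove/--update semantics. The LAN range, scanner address and traffic patterns are constructed assumptions standing in for $LAN_RANGE and $SECURITY_SCAN.

```python
import ipaddress

# Constructed stand-ins for the shell variables in the post (assumed values).
LAN_RANGE = ipaddress.ip_network("192.168.0.0/24")      # $LAN_RANGE
SECURITY_SCAN = ipaddress.ip_address("203.0.113.10")    # $SECURITY_SCAN
WINDOW_MS, HITCOUNT = 1000, 75                          # --seconds 1 --hitcount 75

class RecentList:
    """Per-source hit timestamps (ms) with xt_recent's --set/--remove/--update semantics."""
    def __init__(self):
        self.stamps = {}

    def set(self, src, now):
        # --set: always matches and records a hit for src
        self.stamps.setdefault(src, []).append(now)
        return True

    def remove(self, src):
        # --remove: matches only if src is listed, and drops its whole history
        return self.stamps.pop(src, None) is not None

    def update(self, src, now):
        # --update: matches if src has >= HITCOUNT hits inside the window;
        # a matching --update also records the current packet as a hit
        hits = sum(1 for t in self.stamps.get(src, ()) if now - t <= WINDOW_MS)
        if hits >= HITCOUNT:
            self.stamps[src].append(now)
            return True
        return False

def input_chain(recent, src, now):
    """Verdict for one NEW TCP packet. Each `-I INPUT` prepends, so the chain
    ends up in the reverse of the order shown in the post: LOG, REJECT, --remove, --set."""
    addr = ipaddress.ip_address(src)
    outside = addr not in LAN_RANGE          # "! -s $LAN_RANGE"
    if outside:
        recent.update(src, now)              # LOG rule: non-terminating; -m limit only throttles the log
    if outside and recent.update(src, now):  # REJECT rule
        return "REJECT"
    if addr == SECURITY_SCAN:
        recent.remove(src)                   # scanner's history is wiped before --set re-adds one hit
    if outside:
        recent.set(src, now)
    return "ACCEPT"                          # falls through to the rest of INPUT (assumed to accept)

def run(src, count, interval_ms):
    """Send `count` NEW connections from src, interval_ms apart; return the verdicts."""
    recent = RecentList()
    return [input_chain(recent, src, i * interval_ms) for i in range(count)]
```

The scanner never accumulates more than one hit because --remove runs before --set on every packet, whereas any other outside host that opens 75 NEW connections within a second is rejected from the 76th onwards.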