| bergman on 3 Feb 2012 13:22:21 -0800 |
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
| Re: [PLUG] Quick& dirty IP blocking |
In the message dated: Fri, 03 Feb 2012 15:26:53 EST, The pithy ruminations from JP Vossen on <Re: [PLUG] Quick& dirty IP blocking> were: => > Date: Fri, 3 Feb 2012 09:09:35 -0500 => > From: "Paul W. Roach III"<paul@isaroach.com> => > [SNIP!] => => => > If you have an exposed service that's vulnerable to a UDP attack, you're => > still exposed. Or if you had a vulnerability that could be triggered by => > any single packet or a stream that required no handshake or reply, TCP or => > otherwise. => Right, like the ping-of-death[1] (despite the name, it has nothing to do with ICMP). => If you are right about when it routes to the bit bucket, which you => probably are, I agree. UDP could still kill you. As could ICMP[2]...remember, it's not TCP, and it's not UDP [SNIP!] => => => > The iptables equivalent would be: => > => > iptables -A INPUT -s 192.168.192.0/24 -j DROP Careful there! That command will append the rule to the end of the iptables INPUT chain. Rules are processed in order. If there's an earlier rule in that chain that would allow the evil packets, then they will not be blocked by the later rule. For example, consider: iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT iptables -A INPUT -s 192.168.192.0/24 -j DROP With those two rules, traffic from all hosts in 192.168.192.0/24 to port 139 will be dropped, but the SSH attack will still be delivered. => => OK, I have to admit I haven't played with iptables in a long time, and => it and distros change. Having said that, are you sure? I thought there => would be some defaults you'd need to make sure you don't run afoul of. => Like a default allow a couple of things the a "deny all". So if you => don't allow all the right things before you turn it on... I've seen default iptables rules that end with an "allow all" rule--this stance must be explicitely changed when setting the firewall. Appending restrictive rules after that is pretty useless. => => Am I assuming wrong? If, on a stock Debian Lenny or Ubuntu 10.04 or => newer system it's really just that 1 line, then that is much simpler => than I recall it being. The iptables rule as it is given about looks fine--if there are no other rules, then it would really be a 1 line change to block traffic from 192.168.192.0/24. Mark [1] http://en.wikipedia.org/wiki/Ping_of_death [2] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol [SNP!] => => Thanks for the feedback, => JP => ----------------------------|:::======|------------------------------- => JP Vossen, CISSP |:::======| http://bashcookbook.com/ => My Account, My Opinions |=========| http://www.jpsdomain.org/ => ----------------------------|=========|------------------------------- => "Microsoft Tax" = the additional hardware & yearly fees for the add-on => software required to protect Windows from its own poorly designed and => implemented self, while the overhead incidentally flattens Moore's Law. => ___________________________________________________________________________ ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug