bergman on 3 Feb 2012 13:22:21 -0800



Re: [PLUG] Quick & dirty IP blocking


In the message dated: Fri, 03 Feb 2012 15:26:53 EST,
The pithy ruminations from JP Vossen on 
<Re: [PLUG] Quick & dirty IP blocking> were:
=> > Date: Fri, 3 Feb 2012 09:09:35 -0500
=> > From: "Paul W. Roach III" <paul@isaroach.com>
=> >

	[SNIP!]

=> 
=> 
=> > If you have an exposed service that's vulnerable to a UDP attack, you're
=> > still exposed.  Or if you had a vulnerability that could be triggered by
=> > any single packet or a stream that required no handshake or reply, TCP or
=> > otherwise.
=> 

Right, like the ping-of-death[1] (despite the name, it has nothing to do with
ICMP).

=> If you are right about when it routes to the bit bucket, which you 
=> probably are, I agree.  UDP could still kill you.

As could ICMP[2]...remember, it's not TCP, and it's not UDP

	[SNIP!]
=> 
=> 
=> > The iptables equivalent would be:
=> >
=> > iptables -A INPUT -s 192.168.192.0/24 -j DROP

Careful there! That command will append the rule to the end of the iptables
INPUT chain. Rules are processed in order. If there's an earlier rule
in that chain that would allow the evil packets, then they will not be
blocked by the later rule. For example, consider:

	iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
	iptables -A INPUT -s 192.168.192.0/24 -j DROP

With those two rules, traffic from all hosts in 192.168.192.0/24 to port
139 will be dropped, but the SSH attack will still be delivered.

=> 
=> OK, I have to admit I haven't played with iptables in a long time, and 
=> it and distros change.  Having said that, are you sure?  I thought there 
=> would be some defaults you'd need to make sure you don't run afoul of. 
=> Like a default allow a couple of things the a "deny all".  So if you 
=> don't allow all the right things before you turn it on...

I've seen default iptables rules that end with an "allow all" rule--this
stance must be explicitly changed when setting the firewall. Appending
restrictive rules after that is pretty useless.

=> 
=> Am I assuming wrong?  If, on a stock Debian Lenny or Ubuntu 10.04 or 
=> newer system it's really just that 1 line, then that is much simpler 
=> than I recall it being.

The iptables rule as it is given above looks fine--if there are no other
rules, then it would really be a 1 line change to block traffic from 
192.168.192.0/24.

Mark

	[1] http://en.wikipedia.org/wiki/Ping_of_death
	[2] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol



	[SNIP!]

=> 
=> Thanks for the feedback,
=> JP
=> ----------------------------|:::======|-------------------------------
=> JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
=> My Account, My Opinions     |=========|      http://www.jpsdomain.org/
=> ----------------------------|=========|-------------------------------
=> "Microsoft Tax" = the additional hardware & yearly fees for the add-on
=> software required to protect Windows from its own poorly designed and
=> implemented self, while the overhead incidentally flattens Moore's Law.
=> ___________________________________________________________________________
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
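The rule-ordering point Mark makes (an appended DROP cannot undo an earlier ACCEPT, because iptables stops at the first matching rule) can be checked without root by modelling chain evaluation. The following is an added example, not code from the thread: a small first-match simulator that replays the two rules from the message once added with -A (appended) and once with the DROP added with -I (inserted at the top). The packets and the helper names are constructed for the illustration, and the `-m state --state NEW` part of the SSH rule is left out since the model tracks no connection state.

```python
"""Model of iptables first-match evaluation on an INPUT chain (constructed, not iptables).

Each rule is (match_fn, target). The chain is walked from rule 1 downward and the
first rule whose match_fn returns True decides; if none matches, the chain policy applies.
"""
import ipaddress


def src_in(cidr):
    """Match packets whose source address lies in the given CIDR block (-s)."""
    net = ipaddress.ip_network(cidr)
    return lambda pkt: ipaddress.ip_address(pkt["src"]) in net


def tcp_dport(port):
    """Match TCP packets to the given destination port (-p tcp --dport)."""
    return lambda pkt: pkt["proto"] == "tcp" and pkt["dport"] == port


def evaluate(chain, pkt, policy="ACCEPT"):
    """Return the target of the first matching rule, else the chain policy."""
    for match, target in chain:
        if match(pkt):
            return target
    return policy


def append(chain, match, target):  # iptables -A: rule goes at the END of the chain
    chain.append((match, target))


def insert(chain, match, target):  # iptables -I: rule goes at the TOP (position 1)
    chain.insert(0, (match, target))


def build_appended():
    """The two rules from the message, both added with -A, in the order shown."""
    chain = []
    append(chain, tcp_dport(22), "ACCEPT")              # -A INPUT -p tcp --dport 22 -j ACCEPT
    append(chain, src_in("192.168.192.0/24"), "DROP")   # -A INPUT -s 192.168.192.0/24 -j DROP
    return chain


def build_inserted():
    """Same rules, but the DROP added with -I so it is evaluated before the SSH ACCEPT."""
    chain = []
    append(chain, tcp_dport(22), "ACCEPT")
    insert(chain, src_in("192.168.192.0/24"), "DROP")   # -I INPUT -s 192.168.192.0/24 -j DROP
    return chain


# Constructed sample packets: a host in the blocked /24 and an unrelated host.
SSH_FROM_BAD = {"src": "192.168.192.10", "proto": "tcp", "dport": 22}
SMB_FROM_BAD = {"src": "192.168.192.10", "proto": "tcp", "dport": 139}
SSH_FROM_OK = {"src": "10.0.0.5", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for name, chain in (("-A (appended)", build_appended()), ("-I (inserted)", build_inserted())):
        print(name)
        for label, pkt in (("ssh from bad net", SSH_FROM_BAD), ("smb from bad net", SMB_FROM_BAD),
                           ("ssh from ok host", SSH_FROM_OK)):
            print(f"  {label}: {evaluate(chain, pkt)}")
```

With the appended chain the SSH packet from the blocked network is still accepted while port 139 is dropped, exactly as the message describes; with the DROP inserted first, both are dropped and SSH from elsewhere is unaffected.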