ALT Linux sysadmins discussion
From: Timur Batyrshin <batyrshin@ieml.ru>
To: sysadmins@lists.altlinux.org
Subject: Re: [Sysadmins] IDS lists
Date: Thu, 18 Oct 2007 10:46:43 +0400
Message-ID: <20071018104643.7f788fc1@batyrshin.ieml.ru> (raw)
In-Reply-To: <m3abqh0zfa.fsf@vvk.distance.ru>

Vladimir V. Kamarzin (Thu, 18 Oct 2007 11:22:49 +0600):

> >> Example of an ssh block from asy@:
> >> 
> >> # cat /etc/net/ifaces/top/fw/iptables/filter/INPUT
> >> [...]
> >> # ssh restriction
> >> -p TCP --syn --dport 22 -s xxx.xxx.xxx.0/28 -j ACCEPT
> >> -p TCP --syn --dport 22 -m recent --name ssh_rate_limit --set
> >> -p TCP --syn --dport 22 -m recent --name ssh_rate_limit --update
> >> --seconds 60 --hitcount 4 -j LOG
> >> -p TCP --syn --dport 22 -m recent --name ssh_rate_limit --update
> >> --seconds 60 --hitcount 4 -j DROP
> 
>  TB> And in the last case, wouldn't --rcheck be better than --update?
>  TB> Otherwise every SYN will be counted twice.
> 
> How did you determine that?
> 

Excerpt from the man page:

---
       [!] --rcheck
              Check if the source address of the packet is currently in the list.

       [!] --update
              Like --rcheck, except it will update the "last seen" timestamp if it matches.
---

Although, on the other hand:
---
       [!] --hitcount hits
              This option must be used in conjunction with one of --rcheck or --update.
              When used, this will narrow the match to only happen when the address is
              in the list and packets had been received greater than or equal to the
              given value. This option may be used along with --seconds to create an
              even narrower match requiring a certain number of hits within a specific
              time frame.
---

It is not entirely clear whether it counts the packets themselves (in which
case it indeed does not matter how many times --update appears in the chain)
or the rule matches?
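An added model (not part of the thread, and not the module's own code) of how the quoted chain behaves with --rcheck versus --update. It assumes xt_recent semantics as I understand them: --set always records a timestamp for the address, and --update records one only when its --seconds/--hitcount test matched; the source address and SYN timings are constructed.

```python
from collections import defaultdict

class RecentList:
    """One 'recent' list (--name): source address -> recorded hit timestamps."""
    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: record this packet for src; the rule itself always matches.
        self.stamps[src].append(now)
        return True

    def check(self, src, now, seconds, hitcount, update):
        # --rcheck / --update: match when src is listed and has at least
        # `hitcount` hits within the last `seconds`.  Assumption (modelled
        # on xt_recent): --update records the packet only if the rule matched.
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        matched = hits >= hitcount
        if update and matched:
            self.stamps[src].append(now)
        return matched

def run_chain(syn_times, mode="update", seconds=60, hitcount=4):
    """Replay one source's SYNs (constructed timestamps, in seconds) through
    the quoted chain: --set, then --<mode> -j LOG, then --<mode> -j DROP.
    Returns the verdict per SYN; a SYN no rule drops is treated as ACCEPT."""
    src = "198.51.100.7"            # constructed sample address
    ssh_rate_limit = RecentList()   # the --name ssh_rate_limit list
    update = mode == "update"
    verdicts = []
    for now in syn_times:
        ssh_rate_limit.set(src, now)
        # -j LOG: logs on match but is non-terminating, so the chain continues
        ssh_rate_limit.check(src, now, seconds, hitcount, update)
        if ssh_rate_limit.check(src, now, seconds, hitcount, update):
            verdicts.append("DROP")
        else:
            verdicts.append("ACCEPT")
    return verdicts

if __name__ == "__main__":
    burst = [0, 10, 20, 30, 40, 100]
    for mode in ("rcheck", "update"):
        print(mode, run_chain(burst, mode))
```

Under these assumptions each matching --update rule (here both the LOG and the DROP rule) adds another timestamp for a dropped SYN, so continued attempts keep extending the block, whereas with --rcheck only the --set rule counts each SYN once; the real module also caps stored timestamps per address (ip_pkt_list_tot, 20 by default).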

