Debian DokuWiki

User Tools

Site Tools

Trace: add_ssh_key_to_multiple_host building_mariadb_on_freebsd oracle_coherence
iptables

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
iptables [2010/02/04 21:51] k2pateliptables [2020/08/10 02:35] (current) – external edit 127.0.0.1
Line 10: Line 10:
 <code bash> <code bash>
 iptables -N BRTBLK iptables -N BRTBLK
-iptables -A INPUT -p tcp --dport 22 -m state state NEW -j BRTBLK +iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK 
-iptables -A BRTBLK -m recent set name SSH +iptables -A BRTBLK -m recent --set --name SSH 
-iptables -A BRTBLK -m recent update seconds 45 hitcount 5 name SSH -j DROP+iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
 </code> </code>
  
Line 21: Line 21:
 <code bash> <code bash>
 iptables -N BRTBLK iptables -N BRTBLK
-iptables -A INPUT -p tcp dport 22 -s <Exception> -j ACCEPT +iptables -A INPUT -p tcp --dport 22 -s <Exception> -j ACCEPT 
-iptables -A INPUT -p tcp --dport 22 -m state state NEW -j BRTBLK +iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j BRTBLK 
-iptables -A BRTBLK -m recent set name SSH +iptables -A BRTBLK -m recent --set --name SSH 
-iptables -A BRTBLK -m recent update seconds 45 hitcount 5 name SSH -j DROP+iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
 </code> </code>
  
Line 34: Line 34:
 iptables -A BRTBLK -m recent --set --name SSH iptables -A BRTBLK -m recent --set --name SSH
 iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j LOG --log-level info --log-prefix "Bad IP : " iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j LOG --log-level info --log-prefix "Bad IP : "
-iptables -A BRTBLK -m recent --update --seconds 45 hitcount 5 --name SSH -j DROP+iptables -A BRTBLK -m recent --update --seconds 45 --hitcount 5 --name SSH -j DROP
 </code> </code>
 +
 +==== Force SYN packets check ====
 +Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:
 +
 +<code bash>
 +iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 +</code>
 +
 +==== Force Fragments packets check ====
 +Packets with incoming fragments drop them. This attack result into Linux server panic such data loss.
 +
 +<code bash>
 +iptables -A INPUT -f -j DROP
 +</code>
 +
 +==== XMAS packets ====
 +Incoming malformed XMAS packets drop them:
 +
 +<code bash>
 +iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
 +</code>
 +
 +==== Drop all NULL packets ====
 +Incoming malformed NULL packets:
 +
 +<code bash>
 +iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 +</code>
 +
 +
 +==== xt_recent ====
 +
 +In latest version ipt_recent replaced by xt_recent.\\
 +there is few change which could break your iptables rules.\\
 +In order to make ssh bruteforce protection working please use following rules.\\
 +this also effect Fedora 15 and latest iptables / kernel
 +
 +<code bash>
 +:SSH - [0:0]
 +:BRTBLK - [0:0]
 +
 +
 +-A INPUT -p tcp -m multiport --dports 21,22 -m recent --update --seconds 8600 --name SSH_BAN --rsource -j DROP 
 +-A INPUT -p tcp -m multiport --dports 21,22 -m state --state NEW -j BRTBLK 
 +
 +-A SSH -m limit --limit 5/min -j LOG --log-prefix "BAD IP: " --log-level 4 
 +-A SSH -m recent --set --name SSH_BAN --rsource -j DROP 
 +
 +-A BRTBLK -m recent --set --name BRT --rsource 
 +-A BRTBLK -m recent --update --seconds 600 --hitcount 16 --name BRT --rsource -j SSH 
 +-A BRTBLK -m recent --update --seconds 60 --hitcount 4 --name BRT --rsource -j SSH 
 +-A BRTBLK -j ACCEPT 
 +</code>
 +
 +Now try to login to box 4 times quickly to test.\\
 +For more advanced Options please visit [[http://www.thatsgeeky.com/2011/02/escalating-consequences-with-iptables/ | Th4tsG33ky]]
iptables.1265320282.txt.gz · Last modified: 2020/08/10 02:30 (external edit)