Re: DROP or REJECT?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: /dev/rob0 <rob0@gmx.co.uk>
To: netfilter@lists.netfilter.org
Subject: Re: DROP or REJECT?
Date: Sun, 20 Nov 2005 12:57:12 -0600	[thread overview]
Message-ID: <200511201257.12528.rob0@gmx.co.uk> (raw)
In-Reply-To: <000001c5ee00$f8343970$2801a8c0@MBRC40>

On Sunday 2005-November-20 12:33, Michael D. Berger wrote:
> For blocking various attacks on ports 22 and 80,
> I have been using:
>    -j REJECT --reject-with icmp-host-unreachable
> To minimize future attempts, is this best, or is
> there a better idea, such as DROP?

I doubt it matters much. I have seen, though, with my own approach of 
"-m limit --limit 3/min --limit-burst 3 -j ACCEPT" (followed by a DROP 
or REJECT rule) that -j REJECT does not always turn them away 
immediately, whereas with -j DROP they usually give up. But my REJECT 
uses the default, "--reject-with icmp-port-unreachable".

Insofar as concerns future attacks, as long as you have those ports 
open, you will have bots and worms knocking on them. They are nothing 
more than an annoyance if you have properly secured services.

I think the purpose of the SSH probes is to find more hosts from which 
to launch these probes. :) And some of them are put to work in phishing 
scams. The whole idea is to make it impossible to trace the phisher. 
They probably decide who to attack by doing a port scan on 22 of the 
entire Internet. When you're using stolen resources, there is no need 
to conserve.

HTTP probes are similar except most of those seem to target MS IIS. 
These are more likely to be operated by Internet mass-mail marketers, 
a/k/a spammers.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

     prev parent reply	other threads:[~2005-11-20 18:57 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-11-20 18:33 DROP or REJECT? Michael D. Berger
2005-11-20 18:44 ` Daniel
2005-11-20 18:57 ` /dev/rob0 [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200511201257.12528.rob0@gmx.co.uk \
    --to=rob0@gmx.co.uk \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.