* RE: tarpit before or after adding chain?
@ 2005-12-17  7:25 Gary W. Smith
  2005-12-17  9:17 ` Georgi Alexandrov
  0 siblings, 1 reply; 7+ messages in thread
From: Gary W. Smith @ 2005-12-17  7:25 UTC (permalink / raw)
  To: Eric, netfilter mailing list

It shouldn't matter.  You can add rules that jump to a chain, as long as
the chain exists, even if empty.  Then later you can add rules to that
chain.

This should also work as well.  We tarpit all data which should never
come through our firewalls.  We also disabled tracking for the same.  We
don't want the firewall wasting resources on this garbage.  Another
trick that we do is we also dedicate a high/low IP for catching things
like SQL, HTTP, VNC, RDC, etc.  This way things walking the network will
sometimes get hung, if they are not threaded.

YMMV (some of this is off the top of my head or pulled from an
iptables-save -- order is preserved, please consult the man page for exact
syntax)

# raw table: no conntrack entries for the ports we are going to tarpit
iptables -t raw -A PREROUTING -i eth0 -p tcp -m multiport \
	--dports 135,139,445 -j NOTRACK

# the chain only has to exist before the jump rules reference it;
# it can still be empty at that point
iptables -N filter_tarpit
iptables -A INPUT -i eth0 -j filter_tarpit
iptables -A FORWARD -i eth0 -j filter_tarpit

# log the hit, then hold the connection open with TARPIT
# (TARPIT is an add-on target, not part of stock iptables)
iptables -A filter_tarpit -p tcp -m multiport \
	--dports 135,139,445 \
	-j LOG --log-prefix "TARPIT: " --log-level 6
iptables -A filter_tarpit -p tcp -m multiport \
	--dports 135,139,445 -j TARPIT

Hope this helps, 

Gary Wayne Smith

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Eric
> Sent: Friday, December 16, 2005 10:20 PM
> To: netfilter mailing list
> Subject: tarpit before or after adding chain?
> 
> I'm a little confused about when to add the TARPIT trap.
> 


* RE: tarpit before or after adding chain?
@ 2005-12-17 17:27 Gary W. Smith
  0 siblings, 0 replies; 7+ messages in thread
From: Gary W. Smith @ 2005-12-17 17:27 UTC (permalink / raw)
  To: Georgi Alexandrov, netfilter

We have a class /21 block so it's more than a few a day for us.  So I
just do it for general purposes.  But yes, you do not have to drop
connection tracking for this.  In our case, it's a couple per second and
our connection tracking gets filled up pretty quick. 

But just because he is running Linux doesn't make this invalid.  We use
Linux boxes to slow people from hitting the windows boxes with their
afflicted boxes.  So it suddenly makes sense to do what he is doing if
he is using it in that capacity.

When these rules go off on our boxes we use it to build out temporary
filter rules as well using some scripts.   

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Georgi Alexandrov
> Sent: Saturday, December 17, 2005 1:18 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: tarpit before or after adding chain?
> 
> Gary W. Smith wrote:
> 
> >This should also work as well.  We tarpit all data which should never
> >come through our firewalls.  We also disabled tracking for the same.  We
> >don't want the firewall wasting resources on this garbage.  Another
> >trick that we do is we also dedicate a high/low IP for catching things
> >like SQL, HTTP, VNC, RDC, etc.  This way things walking the network will
> >sometimes get hung, if they are not threaded.
> >
> >
> I don't think that his *one or two per day* cmd.exe automatic scans will
> get "through his firewall",
> or will "waste resources".
> Maybe filling your firewall with those useless rules will waste more
> resources? ;-)
> 
> *Think again* (as seen in the national geographic channel)
> 
> 
> regards,
> Georgi Alexandrov



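Gary mentions scripts that turn tarpit hits into temporary filter rules. The script below is an added example, not Gary's, of how that can be done from the "TARPIT: " LOG lines his ruleset produces: it counts sources in the kernel log output, and for every source above a threshold it emits (but does not execute) insert rules that drop that source ahead of the tarpit chain. The log lines are constructed for the example, the interface eth0 and the threshold of two hits are assumptions, and the file name tarpit-block.sh in the guard at the bottom is only a convention for running it directly.

```shell
#!/bin/bash
# Added example: build temporary block rules from ipt LOG output.
# Constructed sample of kernel LOG lines (prefix "TARPIT: " as in the ruleset).
SAMPLE_LOG='Dec 17 07:25:01 fw kernel: TARPIT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=48 PROTO=TCP SPT=1025 DPT=445 SYN URGP=0
Dec 17 07:25:03 fw kernel: TARPIT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1 LEN=48 PROTO=TCP SPT=1026 DPT=139 SYN URGP=0
Dec 17 07:25:09 fw kernel: TARPIT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 LEN=48 PROTO=TCP SPT=4000 DPT=135 SYN URGP=0
Dec 17 07:25:12 fw kernel: Other: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.1 LEN=48 PROTO=TCP SPT=4000 DPT=22 SYN URGP=0'

# Read log lines on stdin; print "count src" for every source that hit the
# tarpit at least $1 times (default 2, an assumed threshold), busiest first.
tarpit_offenders() {
    min=${1:-2}
    awk -v min="$min" '
        /TARPIT: / {
            # the SRC= field position varies with MAC=/flags, so scan fields
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") hits[substr($i, 5)]++
        }
        END { for (s in hits) if (hits[s] >= min) print hits[s], s }
    ' | sort -rn
}

# Emit iptables commands that drop those sources at the top of INPUT and
# FORWARD. Nothing is executed here; review the output, then pipe it to sh.
# -I (insert) puts the rule before the jump to the tarpit chain, so repeat
# offenders stop consuming tarpit/log resources; undo later with -D.
temp_block_rules() {
    tarpit_offenders "$1" | while read -r count src; do
        printf 'iptables -I INPUT   -i eth0 -s %s -j DROP  # %s tarpit hits\n' "$src" "$count"
        printf 'iptables -I FORWARD -i eth0 -s %s -j DROP\n' "$src"
    done
}

if [ "${0##*/}" = "tarpit-block.sh" ]; then
    # Real use: grep 'TARPIT: ' /var/log/messages | temp_block_rules 3 | sh
    printf '%s\n' "$SAMPLE_LOG" | temp_block_rules 2
fi
```

The threshold matters: a single tarpit hit is exactly what the TARPIT rule already handles, so blocking on one hit only moves the scanner from a held connection to a silent drop. Blocking by source also assumes the scanner is not behind a NAT shared with legitimate users, which is why the rules are meant to be temporary.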
* tarpit before or after adding chain?
@ 2005-12-17  6:19 Eric
  2005-12-17  9:13 ` Georgi Alexandrov
  0 siblings, 1 reply; 7+ messages in thread
From: Eric @ 2005-12-17  6:19 UTC (permalink / raw)
  To: netfilter mailing list

I'm a little confused about when to add the TARPIT trap.

iptables -N SPECIAL # add special chain for tarpit usage

*HERE*?
iptables -A SPECIAL -p tcp -j TARPIT

#
# the following string match rules screen out nimda and other crap
#
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string "/default.ida?"     -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string ".exe?/c+dir"       -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string ".exe?/c+tftp"      -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string "cmd.exe"           -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string "vti_bin"           -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string "nsiislog.dll"      -j SPECIAL
iptables -A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm \
    --string "click-network.com" -j SPECIAL

*OR HERE?*
iptables -A SPECIAL -p tcp -j TARPIT

Thanks
Eric


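Eric's question above and Gary's reply earlier in the thread both come down to one rule: the jump target only has to exist when the jump rule is added, so the TARPIT rule can go into SPECIAL before or after the INPUT rules that reference it. The added example below (not code from either poster) makes that explicit by expressing the combined ruleset as an iptables-restore file, where every chain is declared at the top of its table and the whole table is committed at once, so ordering of -A lines never matters. It pairs Eric's string-match trap with Gary's raw-table NOTRACK for the SMB/NetBIOS ports, and adds a small checker that reads any iptables-restore ruleset and reports -j targets that are neither built-in targets nor chains declared in the same table. Assumptions: eth0 is the outside interface, a TARPIT target (an add-on, not stock iptables) is available, only two of Eric's strings are kept for brevity, and the file name tarpit-rules.sh in the guard at the bottom is only a convention.

```shell
#!/bin/bash
# Added example: atomic ruleset for iptables-restore plus a jump-target check.

# Print the ruleset. Chains are declared with ":NAME - [0:0]" before any rule
# references them, which is exactly the "chain must exist first" requirement
# that the iptables command line makes you satisfy by hand with -N.
emit_tarpit_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Do not track the port-based tarpit traffic: TARPIT never lets the
# connection complete, so a conntrack entry would only hold a slot until it
# times out.
-A PREROUTING -i eth0 -p tcp -m multiport --dports 135,139,445 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SPECIAL - [0:0]
# payload-based traps (a subset of the strings from the question)
-A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm --string "/default.ida?" -j SPECIAL
-A INPUT -i eth0 -p tcp --dport 80 -m string --algo bm --string "cmd.exe" -j SPECIAL
# port-based traps, matched on the SYN (these are the flows NOTRACK skips)
-A INPUT -i eth0 -p tcp -m multiport --dports 135,139,445 -j SPECIAL
-A FORWARD -i eth0 -p tcp -m multiport --dports 135,139,445 -j SPECIAL
# the trap chain itself: log, then hold the connection
-A SPECIAL -j LOG --log-prefix "TARPIT: " --log-level 6
-A SPECIAL -p tcp -j TARPIT
COMMIT
EOF
}

# Read an iptables-restore ruleset on stdin. Print every "-j" target that is
# neither a known target nor a chain declared (":NAME") in the same table.
# Exit status 1 if any such target was found, 0 otherwise.
check_jump_targets() {
    awk '
        BEGIN {
            # built-in targets plus the extension targets this ruleset uses
            n = split("ACCEPT DROP RETURN LOG NOTRACK TARPIT REJECT", b, " ")
            for (k = 1; k <= n; k++) builtin[b[k]] = 1
        }
        /^\*/   { table = substr($0, 2); next }                 # *raw, *filter
        /^:/    { declared[table, substr($1, 2)] = 1; next }   # :CHAIN ...
        /^COMMIT/ { next }
        /^#/    { next }
        {
            for (i = 1; i < NF; i++)
                if ($i == "-j") {
                    t = $(i + 1)
                    if (!(t in builtin) && !((table, t) in declared)) {
                        print table ": undeclared chain " t
                        bad = 1
                    }
                }
        }
        END { exit bad ? 1 : 0 }
    '
}

if [ "${0##*/}" = "tarpit-rules.sh" ]; then
    # Real use: ./tarpit-rules.sh | iptables-restore
    emit_tarpit_ruleset | check_jump_targets && emit_tarpit_ruleset
fi
```

Two caveats for the payload traps. The string match is evaluated per packet, so a request split across segments can slip past it, and a legitimate request that happens to carry one of the strings in its body is trapped too. And because the match can only fire once the HTTP request arrives, the three-way handshake has already completed and a conntrack entry already exists for that flow; Gary's NOTRACK trick only helps for the port-based rules, which can be decided on the SYN in the raw table.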


Thread overview: 7+ messages
2005-12-17  7:25 tarpit before or after adding chain? Gary W. Smith
2005-12-17  9:17 ` Georgi Alexandrov
  -- strict thread matches above, loose matches on Subject: below --
2005-12-17 17:27 Gary W. Smith
2005-12-17  6:19 Eric
2005-12-17  9:13 ` Georgi Alexandrov
2005-12-18  6:44   ` Leonardo Rodrigues Magalhães
2006-01-03  7:24   ` Jan Engelhardt
