From: Patrick McHardy <kaber@trash.net>
To: "Gladewitz, Robert (FH)" <Robert.Gladewitz@fh-heidelberg.de>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: AW: patch: Port- and netscan detection for netfilter
Date: Mon, 19 Mar 2007 05:59:00 +0100
Message-ID: <45FE1894.3070506@trash.net>
In-Reply-To: <DF74C782E6463841A9BD3322977588813532AB@FHCLUSRV-EX.dcs.fh-heidelberg.de>

Gladewitz, Robert (FH) wrote:
> The problem is, in most attacks, the hacker tries to get some information on the network. This module implements 3 different situations:

Putting aside the question of the usefulness of this, what's the
difference to using the three rules below?

> - Netscan (Scan more hosts on less ports)

iptables -A PREROUTING -m state --state NEW \
    -m hashlimit --hashlimit-name netscan \
    --hashlimit-mode dstip \
    --hashlimit n/sec \
    -j DROP

> - Portscan (Scan less Hosts and many ports)

iptables -A PREROUTING -m state --state NEW \
    -m hashlimit --hashlimit-name portscan \
    --hashlimit-mode dstport \
    --hashlimit n/sec \
    -j DROP

> - Combined Scan (Scan many Ports on many)

iptables -A PREROUTING -m state --state NEW \
    -m hashlimit --hashlimit-name portnetscan \
    --hashlimit-mode dstip,dstport \
    --hashlimit n/sec \
    -j DROP
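
Added example, not part of the original message or of the patch under discussion: a small offline classifier that sorts sources of NEW connections into the three situations named above (netscan, portscan, combined) by counting distinct destination hosts and ports per source in a fixed time window. The function name, the window length, both limits and all sample records are assumptions constructed for illustration; the last sample source shows that a scan paced slower than the window stays under a rate-based limit.

```python
from collections import defaultdict

SEVERITY = {"netscan": 1, "portscan": 1, "combined": 2}

def classify(records, window=10, host_limit=20, port_limit=20):
    """Return {source: verdict} for sources that reach a limit in any window.

    records: iterable of (timestamp_seconds, src, dst, dport), one per NEW connection.
    """
    hosts = defaultdict(set)  # (src, window index) -> distinct destination hosts
    ports = defaultdict(set)  # (src, window index) -> distinct destination ports
    for ts, src, dst, dport in records:
        key = (src, int(ts // window))
        hosts[key].add(dst)
        ports[key].add(dport)

    verdicts = {}
    for key in hosts:
        many_hosts = len(hosts[key]) >= host_limit
        many_ports = len(ports[key]) >= port_limit
        if many_hosts and many_ports:
            verdict = "combined"
        elif many_hosts:
            verdict = "netscan"
        elif many_ports:
            verdict = "portscan"
        else:
            continue
        # Keep the most severe verdict seen for a source across windows.
        src = key[0]
        if SEVERITY[verdict] > SEVERITY.get(verdicts.get(src), 0):
            verdicts[src] = verdict
    return verdicts

# Constructed sample traffic (documentation and private address ranges).
SAMPLE = (
    [(0.1 * h, "10.0.0.5", f"192.0.2.{h}", 22) for h in range(1, 41)]      # many hosts, one port
    + [(0.05 * p, "10.0.0.6", "192.0.2.10", p) for p in range(1, 101)]     # one host, many ports
    + [(1.0, "10.0.0.7", f"192.0.2.{h}", p)                                # many hosts, many ports
       for h in range(1, 21) for p in range(8000, 8025)]
    + [(0.02 * i, "10.0.0.8", "192.0.2.10", 443) for i in range(200)]      # busy single-service client
    + [(10.0 * h, "10.0.0.9", f"192.0.2.{h}", 22) for h in range(1, 41)]   # one host per window
)

if __name__ == "__main__":
    for source, verdict in sorted(classify(SAMPLE).items()):
        print(source, verdict)
```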