* [LARTC] Hammer protection
From: Joachim Wickman @ 2002-07-01 12:40 UTC
To: lartc
Hi,
Is it possible to use iptables as hammer protection?
I want to deny a user who has just logged off .. for about 10 seconds.
I tried with this, but that didn't work. Maybe my mind is going completely in the wrong direction today? =)
iptables -I INPUT -i eth0 -p tcp -s 0/0 -d $my_ip --dport 21 -m limit --limit 10/second --limit-burst 1 --tcp-flags ALL SYN -j ACCEPT
Greetings,
Joachim
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] Hammer protection
From: Tobias Geiger @ 2002-07-01 13:00 UTC
To: lartc
> Hi,
>
> Is it possible to use iptables as hammer protection?
>
> I want to deny a user who has just logged off .. for about 10 seconds.
>
I think this is an application-logic thing which can't be implemented that
easily with only one iptables line.
> I tried with this, but that didn't work. Maybe my mind is going
> completely in the wrong direction today? =)
>
> iptables -I INPUT -i eth0 -p tcp -s 0/0 -d $my_ip --dport 21 -m limit
> --limit 10/second --limit-burst 1 --tcp-flags ALL SYN -j ACCEPT
>
This rule blocks (AFAIK) every request after the 10th per second, no matter
whether someone logged off or on ...
I think what you want must be done on the application level,
or with a "magic" (and dirty) script which watches the FTP log for someone
logging off, greps their IP and then blocks it for 10 seconds;
but that not only sounds ugly :)
> Greetings,
>
> Joachim
* Re: [LARTC] Hammer protection
From: Sebastian 'spax' Pape @ 2002-07-01 17:51 UTC
To: lartc
hi Joachim,
> I want to deny a user who has just logged off .. for about
> 10 seconds.
I think you can only limit the number of SYN packets like you already
proposed.
> I tried with this, but that didn't work. Maybe my mind is going
> completely in the wrong direction today? =)
>
> iptables -I INPUT -i eth0 -p tcp -s 0/0 -d $my_ip --dport 21 -m
> limit --limit 10/second --limit-burst 1 --tcp-flags ALL SYN -j
> ACCEPT
I'm not sure, but I think you just mixed the parameters up. --limit
10/second allows 10 SYN packets per second, so if you only want one
packet per 10 seconds you should perhaps try 6/minute, or maybe say
1/minute and set the limit-burst to 3 or so.
best regards
Sebastian
--
Sebastian 'spax' Pape | I'm like time ... u can't stop me!
mailto: sebastian@p-a-p-e.de |
gpg: http://p-a-p-e.de/gpg.asc |
--- Do you want to know more? http://www.p-a-p-e.de/ ---
* Re: [LARTC] Hammer protection
From: Joachim Wickman @ 2002-07-01 20:12 UTC
To: lartc
Hi
> I think you can only limit the number of syn-pakets like you already
> proposed.
I tried to switch the params as you said, but no success. It took maybe a
minute before I got into the site, but after that I could log out and in
as fast as I wanted (hammering).
Maybe the only way is the dirty scripting to fetch the IP from the log then
:/
// Joachim
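Added example, not code from the thread or from the LARTC project: a small simulation of the two approaches the thread discusses, run on a constructed stream of FTP connection attempts. It models `-m limit` as a token bucket that is shared by every packet the rule sees (the real module counts credits in jiffies; the refill arithmetic here is a simplification), and it models the log-watching "dirty script" as a per-address cooldown keyed on the logout time, which is also what a per-source match such as `-m recent --seconds 10` provides. The addresses, timings and session lengths are constructed for the example. Two things show up in the output: with the rule shape `-m limit ... -j ACCEPT` a non-matching SYN is never dropped by that rule, it only falls through to whatever follows, and when the chain policy does drop, one hammering client drains the single bucket and locks out an unrelated client, because the bucket is per rule, not per source.

```python
"""Simulation of the two approaches discussed in the thread on a
constructed stream of FTP connection attempts (added example, not code
from the LARTC thread).  Attempt = (time in seconds, source address,
how long the client stays logged in if it gets through)."""
from collections import defaultdict, namedtuple

Attempt = namedtuple("Attempt", "t src stay")

# Constructed traffic: 192.0.2.10 "hammers" port 21 (logs in, logs out 0.2 s
# later, reconnects every 0.5 s) and comes back after 12 s; 198.51.100.7 is
# an ordinary client that connects once and stays for 30 s.
ATTEMPTS = [
    Attempt(0.0, "192.0.2.10", 0.2),
    Attempt(0.5, "192.0.2.10", 0.2),
    Attempt(1.0, "192.0.2.10", 0.2),
    Attempt(1.5, "192.0.2.10", 0.2),
    Attempt(2.3, "198.51.100.7", 30.0),
    Attempt(12.0, "192.0.2.10", 0.2),
]


class LimitMatch:
    """Simplified model of iptables `-m limit`: one token bucket per rule
    (shared by every source address), holding at most `burst` tokens and
    refilled at `rate_per_second`.  match() consumes a token and returns
    True, or returns False when the bucket is empty (rule does not match)."""

    def __init__(self, rate_per_second, burst):
        self.rate = float(rate_per_second)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = 0.0

    def match(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_limit_rule(attempts, rate_per_second, burst, chain_policy):
    """Verdict per SYN under the rule shape used in the thread:
    `-m limit ... -j ACCEPT` followed by the chain policy.  A packet the
    rule does not match is not dropped by it; it falls through to
    `chain_policy` (ACCEPT or DROP)."""
    bucket = LimitMatch(rate_per_second, burst)
    verdicts = defaultdict(list)
    for a in attempts:
        verdicts[a.src].append("ACCEPT" if bucket.match(a.t) else chain_policy)
    return dict(verdicts)


def run_logout_cooldown(attempts, seconds=10.0):
    """The log-watching idea: when a client logs out, refuse new connections
    from that address for `seconds`.  The state is per source address and
    keyed on the logout event, not on packet rate, which is what `-m limit`
    cannot express.  Attempts are assumed to be in time order with
    non-overlapping sessions (true for the constructed data above)."""
    expires = {}            # src -> time at which it may connect again
    verdicts = defaultdict(list)
    for a in attempts:
        if a.t < expires.get(a.src, float("-inf")):
            verdicts[a.src].append("DROP")      # still in cooldown, no session
            continue
        verdicts[a.src].append("ACCEPT")
        logout_time = a.t + a.stay              # what the FTP log would record
        expires[a.src] = logout_time + seconds
    return dict(verdicts)


if __name__ == "__main__":
    print("10/second burst 1, policy ACCEPT:", run_limit_rule(ATTEMPTS, 10, 1, "ACCEPT"))
    print("1/minute burst 3, policy DROP:  ", run_limit_rule(ATTEMPTS, 1 / 60, 3, "DROP"))
    print("10 s cooldown after logout:     ", run_logout_cooldown(ATTEMPTS))
```

With the original parameters (10/second, burst 1) the bucket refills faster than the hammering client reconnects, so every SYN matches and is accepted whatever the policy is. With 1/minute and burst 3 and a DROP policy, the first three SYNs from the hammering client use up the shared bucket and the legitimate client at t=2.3 is dropped along with it. The cooldown version accepts the first login, refuses the reconnects at 0.5, 1.0 and 1.5 s, lets the other client in, and admits the hammering client again at 12 s, once 10 s have passed since its logout.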