* DROP or REJECT?
@ 2005-11-20 18:33 Michael D. Berger
2005-11-20 18:44 ` Daniel
2005-11-20 18:57 ` /dev/rob0
0 siblings, 2 replies; 3+ messages in thread
From: Michael D. Berger @ 2005-11-20 18:33 UTC (permalink / raw)
To: netfilter
For blocking various attacks on ports 22 and 80,
I have been using:
-j REJECT --reject-with icmp-host-unreachable
To minimize future attempts, is this best, or is
there a better idea, such as DROP?
Thanks for your advice,
Mike.
--
Michael D. Berger
m.d.berger@ieee.org
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: DROP or REJECT?
2005-11-20 18:33 DROP or REJECT? Michael D. Berger
@ 2005-11-20 18:44 ` Daniel
2005-11-20 18:57 ` /dev/rob0
1 sibling, 0 replies; 3+ messages in thread
From: Daniel @ 2005-11-20 18:44 UTC (permalink / raw)
To: netfilter
hm.... I think sending "host unreachable" from the host which should not be
reachable is not what you want. Alos sending "host unreachable" will increase
your traffic (not much, but it did :) ).
But I think most "attack" tools will ignore trys to make yourself invisible.
greez
Daniel
Am Sonntag, 20. November 2005 19:33 schrieb Michael D. Berger:
> For blocking various attacks on ports 22 and 80,
> I have been using:
> -j REJECT --reject-with icmp-host-unreachable
> To minimize future attempts, is this best, or is
> there a better idea, such as DROP?
> Thanks for your advice,
> Mike.
> --
> Michael D. Berger
> m.d.berger@ieee.org
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: DROP or REJECT?
2005-11-20 18:33 DROP or REJECT? Michael D. Berger
2005-11-20 18:44 ` Daniel
@ 2005-11-20 18:57 ` /dev/rob0
1 sibling, 0 replies; 3+ messages in thread
From: /dev/rob0 @ 2005-11-20 18:57 UTC (permalink / raw)
To: netfilter
On Sunday 2005-November-20 12:33, Michael D. Berger wrote:
> For blocking various attacks on ports 22 and 80,
> I have been using:
> -j REJECT --reject-with icmp-host-unreachable
> To minimize future attempts, is this best, or is
> there a better idea, such as DROP?
I doubt it matters much. I have seen, though, with my own approach of
"-m limit --limit 3/min --limit-burst 3 -j ACCEPT" (followed by a DROP
or REJECT rule) that -j REJECT does not always turn them away
immediately, whereas with -j DROP they usually give up. But my REJECT
uses the default, "--reject-with icmp-port-unreachable".
Insofar as concerns future attacks, as long as you have those ports
open, you will have bots and worms knocking on them. They are nothing
more than an annoyance if you have properly secured services.
I think the purpose of the SSH probes is to find more hosts from which
to launch these probes. :) And some of them are put to work in phishing
scams. The whole idea is to make it impossible to trace the phisher.
They probably decide who to attack by doing a port scan on 22 of the
entire Internet. When you're using stolen resources, there is no need
to conserve.
HTTP probes are similar except most of those seem to target MS IIS.
These are more likely to be operated by Internet mass-mail marketers,
a/k/a spammers.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2005-11-20 18:57 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-11-20 18:33 DROP or REJECT? Michael D. Berger
2005-11-20 18:44 ` Daniel
2005-11-20 18:57 ` /dev/rob0
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox