Rozdíly

Zde můžete vidět rozdíly mezi vybranou verzí a aktuální verzí dané stránky.

--- linux:net:firewall [12.06.2007 10:26]
mtalma
+++ linux:net:firewall [13.03.2020 18:43] (aktuální)
@@ Řádek 6: / Řádek 6: @@
   * firewall na základě scriptu [[http://www.petricek.cz/mpfw/|M.Petříčka]]
   * jednotlivé díly na publikované na [[http://www.root.cz|ROOT]]u: [[http://www.root.cz/clanek.phtml?id=980|1]], [[http://www.root.cz/clanek.phtml?id=990|2]],[[http://www.root.cz/clanek.phtml?id=995|3]]
 ===== Petříček =====
@@ Řádek 231: / Řádek 232: @@
 </code>
+===== Dynamický blacklist =====
+  *dynamický blacklist pro SSH spojení - http://olivier.sessink.nl/publications/blacklisting/index.html
+<code bash>
+### Dynamic blacklist for SSH connection
+# create properREJECT chain that does different rejects for tcp/udp
+$IPTABLES -N properREJECT
+$IPTABLES -A properREJECT -p tcp -j REJECT --reject-with tcp-reset
+$IPTABLES -A properREJECT -j REJECT --reject-with icmp-port-unreachable
+#
+$IPTABLES -N blacklistdrop
+$IPTABLES -A blacklistdrop -j LOG --log-prefix "adding to BLACKLIST: "
+$IPTABLES -A blacklistdrop -m recent --name BLACKLIST --set -j DROP
+#
+#
+# on external hosts, do rate limiting on incoming ssh packets, and keep a blacklist for 30 seconds
+# this rule drops *any* packet if the IP is in the blacklist
+# icmp 'destination-unreachable' packets should not update BLACKLIST, because
+# they are generated by our own REJECT rule in the extern_out chain
+$IPTABLES -A extern_in -m recent --name BLACKLIST --update --seconds 120 -j DROP
+#
+# all *established* ssh connections simply continue
+$IPTABLES -A extern_in  -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
+#
+# *new* ssh connections are all put into a list 'sshconn', and if there are 3 such packets in 30 seconds
+# we send the package to chain 'blacklistdrop' which puts the IP in the blacklist
+$IPTABLES -A extern_in  -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --rcheck --seconds 30 --hitcount 3 -j blacklistdrop
+#
+# if we have seen less then 3 such packets in the last 30 seconds we accept
+$IPTABLES -A extern_in  -p tcp --dport 22 -m state --state NEW -m recent --name sshconn --set -j ACCEPT
+#
+# if the destination address is in the blacklist, we REJECT *any* packet
+$IPTABLES -A extern_out -m recent --name BLACKLIST --rdest --rcheck --seconds 30 -j properREJECT
+#
+# outgoing we accept all ssh traffic, with connection tracking
+$IPTABLES -A extern_out -p tcp --sport 22 -m state --state ESTABLISHED,NEW,RELATED -j ACCEPT
+</code>
 ===== Odkazy =====
@@ Řádek 241: / Řádek 279: @@
-====== /etc/sysconfig/iptables ======
+===== /etc/sysconfig/iptables =====
 <code>
 *filter