Mailinglist Archive: opensuse (5130 mails)

Re: [SLE] Intrusion attempts and hosts.deny/hosts.allow
  • From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
  • Date: Fri, 19 May 2006 21:23:30 -0600
  • Message-id: <446E8BB2.3090908@xxxxxxxxxxxxx>
On 19/05/06 07:51, Leendert Meyer wrote:
>On Friday 19 May 2006 15:13, Darryl Gregorash wrote:
>
>> <snip>
>>I couldn't find "TARPIT" in man iptables.
>>
>
>leen@ws-03:/home/leen> man iptables | grep -n TARPIT
>Reformatting iptables(8), please wait...
>1695: iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
>

Which version are you running? I have SuSE 9.3 with iptables 1.3.1-3. Or
is there an updated manpage in the tarpit module source?
>>It's probably not something you'd want to use with SuSEfirewall anyway,
>>because that requires the conntrack module,
>>
>
>Requires? Hmm, really? (I know about the warnings, i.e. you should avoid using
>conntrack with tarpit, because /then/ tarpit will use resources; without
>conntrack it doesn't.)
>

Yes, requires -- there is "-m state --state <blah>" all over the place,
which requires conntrack.
>>a massive waste of resources.
>from the manpage:
>
>
>>NOTE:
>> If you use the conntrack module while you are using TARPIT, you should
>>also use the NOTRACK target, or the kernel will unnecessarily allocate
>>resources for each TARPITted connection. To TARPIT incoming connections to
>>the standard IRC port while using conntrack, you could: iptables -t raw -A
>>PREROUTING -p tcp --dport 6667 -j NOTRACK
>> iptables -A INPUT -p tcp --dport 6667 -j TARPIT
>>
This is the ticket. Looks like netfilter.org needs to update a webpage
or two though :-) -- without the conntrack module, iptables is just
another stateless firewall, an improvement over ipchains (and a quantum
leap over ipfwadm) but not much else. The conntrack modules (there is
also conntrack_ftp) turn iptables into a very nice stateful firewall,
something I for one would be very reluctant to give up just to simplify
the problem of catching hack0rz and other sorts of slime.
> Too bad it's not in the kernel.
>

So a few thousand emails to Linus should take care of that :-)


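The manpage note quoted above gives the two commands; the piece that matters in practice is where they sit relative to the rest of a stateful ruleset. The raw table's PREROUTING hook runs before connection tracking, so the NOTRACK rule there stops the kernel from allocating a conntrack entry for anything headed to the tarpitted port, and the TARPIT rule in INPUT should come ahead of any generic drop, reject or log rule that SuSEfirewall appends at the end of the chain. An untracked packet never matches NEW, ESTABLISHED or RELATED, so the existing state-based accepts cannot claim it either way. The script below is an added example and not part of the thread: it emits an iptables-restore ruleset with that ordering and includes a small check that the TARPIT rule precedes the first terminating drop/reject/log rule. It assumes the out-of-tree TARPIT target is loaded (patch-o-matic-ng at the time of this thread, xtables-addons today); the tarpitted port 6667 and the SSH allow rule are constructed for illustration. On iptables releases newer than the 1.3.x discussed here, `-j NOTRACK` is replaced by `-j CT --notrack` in the same raw-table position.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds an iptables-restore
# ruleset that keeps stateful filtering (conntrack) while TARPITting one port
# without conntrack allocating an entry per tarpitted connection.
# Assumes: TARPIT target available (patch-o-matic-ng / xtables-addons);
# port 6667 and the SSH accept rule are constructed sample values.

# tarpit_ruleset PORT  -> prints an iptables-restore ruleset on stdout
tarpit_ruleset() {
    port="$1"
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# raw/PREROUTING runs before conntrack: packets to the tarpit port never
# get a connection-tracking entry, so TARPIT costs no conntrack memory
-A PREROUTING -p tcp --dport ${port} -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# TARPIT placed before the terminating drop/log rules below; the untracked
# packets match none of the NEW/ESTABLISHED/RELATED rules in any case
-A INPUT -p tcp --dport ${port} -j TARPIT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -j LOG --log-prefix "fw-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# rules_in_order RULESET  -> exit 0 when the TARPIT rule precedes the first
# terminating DROP/REJECT/LOG rule in the filter section, 1 otherwise.
# Run this over a hand-edited ruleset before feeding it to iptables-restore.
rules_in_order() {
    ruleset="$1"
    # only look at the *filter section (the raw section has no such rules)
    filter=$(printf '%s\n' "$ruleset" | sed -n '/^\*filter/,/^COMMIT/p')
    tarpit_line=$(printf '%s\n' "$filter" | grep -n -e '-j TARPIT' | cut -d: -f1 | head -n 1)
    term_line=$(printf '%s\n' "$filter" | grep -n -e '-j DROP' -e '-j REJECT' -e '-j LOG' \
                | cut -d: -f1 | head -n 1)
    [ -n "$tarpit_line" ] || return 1
    [ -n "$term_line" ] || return 0
    [ "$tarpit_line" -lt "$term_line" ]
}

# notrack_present RULESET PORT -> exit 0 when the raw-table NOTRACK rule for
# PORT is there (without it TARPIT still works, but conntrack pays for it)
notrack_present() {
    printf '%s\n' "$1" | grep -q -e "^-A PREROUTING -p tcp --dport $2 -j NOTRACK$"
}

# Usage: generate, check, then load (loading needs root and the TARPIT module)
#   rs=$(tarpit_ruleset 6667)
#   rules_in_order "$rs" && notrack_present "$rs" 6667 && \
#       printf '%s\n' "$rs" | iptables-restore
```

The generated ruleset still answers the thread's objection: every non-tarpit flow is tracked as before, so `-m state` rules keep working, and only the tarpitted port is exempted from conntrack. If the TARPIT line is moved after the chain-end `-j DROP`, `rules_in_order` fails and the ruleset should not be loaded, since the tarpit would never be reached.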