Mailinglist Archive: opensuse (5130 mails)

Re: [SLE] Intrusion attempts and hosts.deny/hosts.allow
  • From: Leendert Meyer <leen.meyer@xxxxxxx>
  • Date: Sat, 20 May 2006 11:14:24 +0200
  • Message-id: <200605201114.24791.leen.meyer@xxxxxxx>
On Saturday 20 May 2006 05:23, Darryl Gregorash wrote:
> On 19/05/06 07:51, Leendert Meyer wrote:
> >On Friday 19 May 2006 15:13, Darryl Gregorash wrote:
> >> <snip>
> >>I couldn't find "TARPIT" in man iptables.
> >
> >leen@ws-03:/home/leen> man iptables | grep -n TARPIT
> >Reformatting iptables(8), please wait...
> >1695: iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
>
> Which version are you running? I have SuSE 9.3 with iptables 1.3.1-3. Or
> is there an updated manpage in the tarpit module source?

SL-10.1 - still smelling fresh

> >>It's probably not something you'd want to use with SuSEfirewall anyway,
> >>because that requires the conntrack module,
> >
> >Requires? Hmm, really? (I know about the warnings, i.e. you should avoid
> > using conntrack with tarpit, because /then/ tarpit will use resources;
> > without conntrack it doesn't.)
>
> Yes, requires -- there is "-m state --state <blah>" all over the place,
> which requires conntrack.

You're talking about /your/ firewall script, right?

> >>a massive waste of resources.
> >
> >from the manpage:
> >>NOTE:
> >> If you use the conntrack module while you are using TARPIT, you should
> >> also use the NOTRACK target, or the kernel will unnecessarily allocate
> >> resources for each TARPITted connection. To TARPIT incoming connections
> >> to the standard IRC port while using conntrack, you could:
> >> iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
> >> iptables -A INPUT -p tcp --dport 6667 -j TARPIT
>
> This is the ticket. Looks like netfilter.org needs to update a webpage
> or two though :-) -- without the conntrack module, iptables is just
> another stateless firewall, an improvement over ipchains (and a quantum
> leap over ipfwadm) but not much else. The conntrack modules (there is
> also conntrack_ftp) turn iptables into a very nice stateful firewall,

Did some reading on Wikipedia: Firewall_(networking) and iptables. FTP is an
example where a stateful firewall comes in handy.

> something I for one would be very reluctant to give up just to simplify
> the problem of catching hack0rz and other sorts of slime.

I see now. Hmm, wouldn't that be something like plugging one hole with the
stop of another hole?

> > Too bad it's not in the kernel.
>
> So a few thousand emails to Linus should take care of that :-)

Or know the right people who know the right...

Cheers,

Leen
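
The manpage note quoted above says a TARPIT rule on a conntrack-enabled box needs a matching NOTRACK rule in the raw table. The following shell check is an added example (not from this thread, not part of iptables or SuSEfirewall) that audits an iptables-save dump for TARPITted ports lacking that NOTRACK rule; the ruleset it reads is a constructed sample and it assumes awk and sort are available.

```shell
#!/bin/sh
# Audit an iptables-save dump: report TCP ports that are TARPITted in the
# filter table but have no NOTRACK rule in the raw table (added example).

# Constructed sample dump (hypothetical ruleset): port 6667 is paired with
# NOTRACK as the manpage suggests, port 80 is TARPITted without it.
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 6667 -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j TARPIT
-A INPUT -p tcp -m tcp --dport 80 -j TARPIT
COMMIT'

# tarpit_without_notrack: read an iptables-save dump on stdin and print one
# line per port that has a TARPIT rule in *filter but no NOTRACK rule in *raw.
tarpit_without_notrack() {
    awk '
        /^\*/ { table = substr($0, 2); next }          # table header, e.g. *raw
        /^-A / {
            port = ""
            for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
            if (port == "") next                         # rule without a port: skip
            if (table == "raw" && / -j NOTRACK/) notrack[port] = 1
            if (table == "filter" && / -j TARPIT/) tarpit[port] = 1
        }
        END {
            for (p in tarpit) if (!(p in notrack)) print p
        }
    ' | sort -n
}

# Run the check on the constructed sample; on a live box feed it
# `iptables-save` instead.  Prints: 80
printf '%s\n' "$SAMPLE_RULES" | tarpit_without_notrack
```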
