Mailinglist Archive: opensuse (5130 mails)

Re: [SLE] Intrusion attempts and hosts.deny/hosts.allow
  • From: Leendert Meyer <leen.meyer@xxxxxxx>
  • Date: Fri, 19 May 2006 15:51:34 +0200
  • Message-id: <200605191551.34842.leen.meyer@xxxxxxx>
On Friday 19 May 2006 15:13, Darryl Gregorash wrote:
> On 19/05/06 01:52, Leendert Meyer wrote:
> > <snip>
> >[...]
> >
> >Here's another option:
> >
> >You could also use the TARPIT extension from patch-o-matic. See
> >http://www.netfilter.org/patch-o-matic/pom-extra.html, 4th item. This
> >requires recompiling the kernel.
> >
> >iptables already knows about TARPIT (man iptables), all it needs is the
> > TARPIT kernel module.
>
> I couldn't find "TARPIT" in man iptables.

leen@ws-03:/home/leen> man iptables | grep -n TARPIT
Reformatting iptables(8), please wait...
1695: iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT
1702: iptables -A FORWARD -p tcp -j TARPIT
1706: NOTE: If you use the conntrack module while you are using TARPIT, you
1708: sarily allocate resources for each TARPITted connection. To
1709: TARPIT incoming connections to the standard IRC port while using
1714: iptables -A INPUT -p tcp --dport 6667 -j TARPIT

> It's probably not something you'd want to use with SuSEfirewall anyway,
> because that requires the conntrack module,

Requires? Hmm, really? (I know about the warnings, i.e. you should avoid using
conntrack with tarpit, because /then/ tarpit will use resources; without
conntrack it doesn't.)

> whereas netfilter.org suggests that using both at the same time is probably
> a massive waste of resources.

from the manpage:

> NOTE:
> If you use the conntrack module while you are using TARPIT, you should
> also use the NOTRACK target, or the kernel will unnecessarily allocate
> resources for each TARPITted connection. To TARPIT incoming connections to
> the standard IRC port while using conntrack, you could:
> iptables -t raw -A PREROUTING -p tcp --dport 6667 -j NOTRACK
> iptables -A INPUT -p tcp --dport 6667 -j TARPIT

(I only learned of the 'NOTRACK' target just today, so I'm not sure if it
needs another kernel patch... 'grep -ir notrack' in the patch-o-matic sources
yields nothing, so I guess not.)

> Other than that little hiccup, it looks like a rather elegant
> solution to this sort of problem.

Yes, it does. Too bad it's not in the kernel.

Cheers,

Leen
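Added example, not part of Leen's mail or of the netfilter project: a small POSIX sh script that emits the NOTRACK + TARPIT rule pair the iptables(8) manpage quotes above for any list of TCP ports, and a check that every TARPITted port really has its NOTRACK companion in the raw table. The script only prints the rules; nothing is applied to a live firewall unless you pipe the output into a shell yourself. It assumes a kernel where the TARPIT target is available (on the 2006 systems discussed here that meant the patch-o-matic module), and the port 2222 used alongside 6667 is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the original thread): generate NOTRACK + TARPIT
# rule pairs and verify the pairing the iptables(8) manpage asks for, so
# conntrack does not allocate state for every tarpitted connection.
# Assumes a kernel with the TARPIT target; the rules are printed, not applied.

# Emit the rule pair for each TCP port given as an argument.
tarpit_rules() {
    for port in "$@"; do
        # The raw table's PREROUTING chain is traversed before conntrack,
        # which is why NOTRACK has to live there and not in filter/INPUT.
        printf 'iptables -t raw -A PREROUTING -p tcp --dport %s -j NOTRACK\n' "$port"
        printf 'iptables -A INPUT -p tcp --dport %s -j TARPIT\n' "$port"
    done
}

# Read a rule list on stdin; return 0 if every port sent to TARPIT also has
# a NOTRACK rule, 1 otherwise (the offending ports are reported on stderr).
check_notrack() {
    rules=$(cat)
    status=0
    for port in $(printf '%s\n' "$rules" | sed -n 's/.*--dport \([0-9]*\) -j TARPIT$/\1/p'); do
        if ! printf '%s\n' "$rules" | grep -q -- "--dport $port -j NOTRACK"; then
            echo "port $port is TARPITted without a NOTRACK rule" >&2
            status=1
        fi
    done
    return $status
}

# Usage: rules for the IRC port from the manpage plus a constructed second port.
tarpit_rules 6667 2222
```

Feeding the output of tarpit_rules back into check_notrack always succeeds; the check is there for hand-written rule sets, where the manpage's warning is easy to forget for one port.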
