Re: iptables & tcp wrappers
From: Luis M (lemsx1 at latinomixed.com)
Date: Mon Oct 04 2004 - 20:40:20 CDT
On Mon, 2004-10-04 at 17:20 +0100, Thomas Chiverton wrote:
> On Sunday 03 Oct 2004 02:12 am, you said:
> > sshd ssh: ALL : spawn ( /etc/firestarter/slap-this-bitch %a %d ) & :
> > DENY # spawns a process that adds the offending IP to the blocked-hosts
>
> Handy DoS there if I can send packets faster than you can spawn and restart
> the firewall, no ?
Indeed it is possible, so this is not intended for a production server
that handles a lot of requests per second.
Now, it takes a few milliseconds to reload the script that enables the
blocked-hosts file (and as you can see this spawned process is sent to
the background with the ampersand (&)); this means that if you do a lot
of requests before the process is spawned, the server will hold traffic
to sshd for all subsequent requests (a mini-DoS you might say).
However, a few milliseconds later you will be blocked for that IP, thus
you will be forced to change IPs to continue DoS'ing the box.
To minimize the possibility of DoS, this rule is the last in the
hosts.allow file. And all other public services (ports) are declared
before this rule. Yet, you have a point in that it may create a
temporary DoS.
In practice what I have seen is that IPs might get logged twice in the
blocked-hosts file, but no more. And I have never been prevented from
accessing any of the servers for which this rule is enabled.
--
----)(-----
Luis M
System Administrator
LatinoMixed.com
lemsx1 at latinomixed.com
One person's error is another person's data.
http://www.latinomixed.com/
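The two weaknesses discussed above, the burst of spawned handlers during the reload window and the same IP being written to blocked-hosts twice, both come from the handler script appending to the list without any serialisation. The following is an added example of such a handler written from a defensive standpoint; it is not the script from the original mail or from Firestarter. It assumes the script is installed at a hypothetical path and invoked from hosts.allow as `sshd : ALL : spawn ( /usr/local/sbin/record-block %a %d ) & : DENY`, where tcp_wrappers expands `%a` to the client address and `%d` to the daemon name; the blocked-hosts path is also an assumption. An exclusive `flock` on the list file serialises concurrent handlers, the address is validated before it is written (IPv6 is accepted as well, which goes beyond the IPv4-only setup in the thread), and the function reports whether anything changed so the firewall reload can be skipped for a repeat hit.

```python
"""Handler for a hosts.allow ``spawn`` directive that records a denied client
in a blocked-hosts file exactly once.

Added example, not code from the original post. Assumed invocation
(script path is hypothetical):

    sshd : ALL : spawn ( /usr/local/sbin/record-block %a %d ) & : DENY
"""
import fcntl
import ipaddress
import os
import sys
from typing import Optional

# Assumed location of the list that the firewall script reads.
BLOCKED_HOSTS = "/etc/firestarter/blocked-hosts"


def validate_ip(raw: str) -> Optional[str]:
    """Return the normalised address, or None if %a did not expand to an IP."""
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def record_blocked_host(ip: str, path: str = BLOCKED_HOSTS) -> bool:
    """Append ``ip`` to ``path`` if it is not already listed.

    Returns True when the address was added, False when it was invalid or
    already present. The exclusive lock is what prevents two handlers spawned
    a few milliseconds apart from both writing the same address.
    """
    addr = validate_ip(ip)
    if addr is None:
        return False
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_APPEND, 0o644)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX)  # blocks until any other handler is done
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        existing = {line.strip() for line in b"".join(chunks).decode().splitlines()}
        if addr in existing:
            return False
        os.write(fd, (addr + "\n").encode())  # O_APPEND: always lands at the end
        os.fsync(fd)
        return True
    finally:
        os.close(fd)  # closing the descriptor also releases the flock


def main(argv: list) -> int:
    if len(argv) != 3:
        sys.stderr.write("usage: record-block <client-ip> <daemon>\n")
        return 2
    ip, daemon = argv[1], argv[2]
    if record_blocked_host(ip):
        # Only a new address is worth a firewall reload; a repeat connection
        # from an address already on the list should not trigger another one.
        sys.stderr.write(f"{daemon}: added {ip} to {BLOCKED_HOSTS}\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The reload of the firewall script is left to the caller, keyed on the return value of `record_blocked_host`, so that a burst of hits from one address costs one reload rather than one per connection; the lock does not remove the window before the first reload takes effect, it only keeps the list consistent while that window is open.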