Am 09.04.2014 23:33, schrieb Juergen Christoffel: > On Wed, Apr 09, 2014 at 09:24:25PM +0200, Reindl Harald wrote: >> >> iptables logging needs to be rate-limit always because how it works >> otherwise you have a problem the first time it really happens seriously > > Using limits is sensible, yes. But > >> -m limit --limit 1/m > > this might be a bit too restrictive to gather data on attempts at > heartbleeding. And --hashlimit might be more appropriate too as it keeps a > counter per IP address.
agreed and thanks for the --hashlimit option, after a large DDOS attack from more than 10000 IP addresses i got that restrictive :-) sadly i can't confirm that it works because testing with http://filippo.io/Heartbleed/ don't produce any log-entry and since iptables lives on the deeper layer then httpd it should cry even on patched machines................ iptables -A INPUT ! -i lo -p tcp -m multiport --destination-port 443,993,995 -m u32 --u32 "52=0x18030000:0x1803FFFF" -m limit --limit 5/h -j LOG --log-level debug --log-prefix "Firewall: Heartbleed" iptables -A INPUT ! -i lo -p tcp -m multiport --destination-port 443,993,995 -m u32 --u32 "52=0x18030000:0x1803FFFF" -j DROP __________________________________________________________________________________________________________________ iptables --list --numeric --verbose 0 0 LOG tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 multiport dports 443,993,995 u32 "0x34=0x18030000:0x1803ffff" limit: avg 5/hour burst 5 LOG flags 0 level 7 prefix "Firewall: Heartbleed" 0 0 DROP tcp -- !lo * 0.0.0.0/0 0.0.0.0/0 multiport dports 443,993,995 u32 "0x34=0x18030000:0x1803ffff" __________________________________________________________________________________________________________________
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
