iptables recent / more than one exception

[Reindl Harald]

Am 04.05.2012 11:37, schrieb jdow:
> But, then, I note your setting with --recent is not nearly as stringent as
> mine. Any given address gets one connection per minute to ssh. That VASTLY
> slows down dictionary attacks. Yours is a significant slow down; but, not
> so much that somebody could not, as you put it, nibble around the edges to
> get in. You have slowed down such attacks, though. That is good.
> 
> It would be handy if there was an iptables rule that allowed skipping the
> next rule in order if the special rule hit. Alas, I am unaware of such a
> trick potential.

my sshd has a sepearte rule

the intention of this rule is not to block
it is a rate-control against DOS attacks

since we had "Anonymous" with a distributed DOS attack last
week i can say it works damned good - after replacing a
burned down router :-)

clearly you can not stand the whole DDOS from some thousand
source IPs but it gives you enough time to filter them for
a DROP rule - without this ratecontrol you could not
operate on the machine

before the DDOS it was limited to 100 connections/ip/second
which results in "ab -c 50 -n 50000 http://host-on-machine/"
raise CPU load up to 100% for a short time, go down to 50%
and changing between this both states (sorry baout bad english)

with 75 instead of 100 evebn a "ab -c 4 -n 1000" is completly
broken from outside the own network because "apache benchmark"
thinks the host is dead after 83 connections and stops due too
many errors - well, i guess exactly that is the problem for
Nessus/OpenVAS and such software from outside now

they triggered it all time before with portscans but only
not notice


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20120504/1e757abd/attachment.sig>