[Fedora] Re: Blocking SSH ... BUT...

[kalinix]

On Tue, 2007-09-18 at 12:09 -0700, Mike Wright wrote:
> Ashley M. Kirchner wrote:
> > Mike Wright wrote:
> > 
> >> Allow your subnets before the above rules.  Here's a sample rule:
> >>
> >> -A INPUT -s 10.0.0.0/24 -p tcp --dport 22 --syn -j ACCEPT
> >> # subnet    ^^^^^^^^^^^
> >>
> >> You'd need one rule for each subnet.
> >>
> >> hth
> > 
> > 
> >    Awesome Mike, that worked like a charm.  Thanks!
> 
> Very welcome.
> > 
> >    Somewhat related question: would the same rules work for ftp attacks 
> > as well?  Obviously replacing the port number with 21, but would they 
> > work?  Duplicate the lines, replace port and hope that ftp also gets 
> > curbed the same way?
> > 
> 
> I think so.  I know that there are connection tracking issues with ftp 
> but I don't think that applies here.  Each connection starts with an 
> initial NEW packet.
> 

You need a 'stateful' rule and both tcp ports 20 and 21 opened for your
network (or at least 21, depending on how your ftp server is
configured). I'll explain why:

when client initiate connection to ftp server it will get back an high
number port on which it will transfer the data, therefore it will
initiate a new connection on that port. The new port number is random,
so you cannot possibly now it. However, this connection is not entirely
new: it will be related to the first connection on port 21. So the rule
would need to be something like:


-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

But, since you are using ssh, I suggest start using also sftp for file
transfer: much more secure, encrypted, no plain text passwords and only
tcp port 22 opened in firewall.



Calin Cosma

=================================================
It may be bad manners to talk with your mouth full, but it isn't too
good either if you speak when your head is empty.