[Fedora] Re: Blocking SSH ... BUT...
kalinix
calin.kalinix.cosma at gmail.com
Tue Sep 18 23:22:13 UTC 2007
On Tue, 2007-09-18 at 12:09 -0700, Mike Wright wrote:
> Ashley M. Kirchner wrote:
> > Mike Wright wrote:
> >
> >> Allow your subnets before the above rules. Here's a sample rule:
> >>
> >> -A INPUT -s 10.0.0.0/24 -p tcp --dport 22 --syn -j ACCEPT
> >> # subnet ^^^^^^^^^^^
> >>
> >> You'd need one rule for each subnet.
> >>
> >> hth
> >
> >
> > Awesome Mike, that worked like a charm. Thanks!
>
> Very welcome.
> >
> > Somewhat related question: would the same rules work for ftp attacks
> > as well? Obviously replacing the port number with 21, but would they
> > work? Duplicate the lines, replace port and hope that ftp also gets
> > curbed the same way?
> >
>
> I think so. I know that there are connection tracking issues with ftp
> but I don't think that applies here. Each connection starts with an
> initial NEW packet.
>
You need a 'stateful' rule and both tcp ports 20 and 21 opened for your
network (or at least 21, depending on how your ftp server is
configured). I'll explain why:
when client initiate connection to ftp server it will get back an high
number port on which it will transfer the data, therefore it will
initiate a new connection on that port. The new port number is random,
so you cannot possibly now it. However, this connection is not entirely
new: it will be related to the first connection on port 21. So the rule
would need to be something like:
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
But, since you are using ssh, I suggest start using also sftp for file
transfer: much more secure, encrypted, no plain text passwords and only
tcp port 22 opened in firewall.
Calin Cosma
=================================================
It may be bad manners to talk with your mouth full, but it isn't too
good either if you speak when your head is empty.
More information about the fedora-list
mailing list