[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Fedora] Re: Blocking SSH ... BUT...

On Tue, 2007-09-18 at 12:09 -0700, Mike Wright wrote:
> Ashley M. Kirchner wrote:
> > Mike Wright wrote:
> > 
> >> Allow your subnets before the above rules.  Here's a sample rule:
> >>
> >> -A INPUT -s -p tcp --dport 22 --syn -j ACCEPT
> >> # subnet    ^^^^^^^^^^^
> >>
> >> You'd need one rule for each subnet.
> >>
> >> hth
> > 
> > 
> >    Awesome Mike, that worked like a charm.  Thanks!
> Very welcome.
> > 
> >    Somewhat related question: would the same rules work for ftp attacks 
> > as well?  Obviously replacing the port number with 21, but would they 
> > work?  Duplicate the lines, replace port and hope that ftp also gets 
> > curbed the same way?
> > 
> I think so.  I know that there are connection tracking issues with ftp 
> but I don't think that applies here.  Each connection starts with an 
> initial NEW packet.

You need a 'stateful' rule and both tcp ports 20 and 21 opened for your
network (or at least 21, depending on how your ftp server is
configured). I'll explain why:

when client initiate connection to ftp server it will get back an high
number port on which it will transfer the data, therefore it will
initiate a new connection on that port. The new port number is random,
so you cannot possibly now it. However, this connection is not entirely
new: it will be related to the first connection on port 21. So the rule
would need to be something like:

-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

But, since you are using ssh, I suggest start using also sftp for file
transfer: much more secure, encrypted, no plain text passwords and only
tcp port 22 opened in firewall.

Calin Cosma

It may be bad manners to talk with your mouth full, but it isn't too
good either if you speak when your head is empty.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]