I think I should have written some explanations about it
We have several special user defined chains for discovering attacks:
Port scan detection
Syn-flood protection
Ping of death
Mail protection
SSH bruteforce attack protection
FTP bruteforce attack protection
Each of these chains defends the corresponding service (or the server itself) from being attacked.
Also, each of them has a jump-to-ADDAPT-chain rule which is reached when an attack to a particular service is performed several times in a defined (relatively short) period of time. The "execution" of this rule leads to dropping *all* of the packets sent by the attacking IP for a relatively long period of time (1 hour in my script). The timer for this period is reseted on every incoming packet with source address of the attacking IP. This way the attacker's packets can be rejected for a *much* longer time than the specified in the "### ADAPTIVE TOTAL DROP ###" rule.
Last edited by VladSun on Mon Jul 14, 2008 1:52 am, edited 1 time in total.
There are 10 types of people in this world, those who understand binary and those who don't
In fact, firehol is just a wrapper around iptables - it would be easy for you to write firewalls in plain iptables rules.
And I did stress on the adaptiveness of the firewall - that's the important one
There are 10 types of people in this world, those who understand binary and those who don't
Hockey wrote:My development server sits behind a NAT router so I don't really concern myself about outside attacks, only internal screw ups on my behalf.
Probably you don't need one unless you are doing some port-forwarding.
Hockey wrote:I'm wondering though if my dedicated server could use this...if it doesn't already have a firewall -- I think it might though.
I'm not even remotely familiar with IP tables...everything above is just gibberish for the most part...your firewall certianly doesn' t have the easy feeling interface of ZoneAlarm, does it?
I'll re-read your explanation and then go over some articles and see if I can't understand it better and how everything fits togather.
p.s-I do use port forwarding but only for a few minutes a day to let people test my application then I close the ports.
Or drop the mouse all togather and have an iris tracking device move the cursor to wherever my eyes are and blinking should click...instead of typing the deivce should just pick up brain signals and over time build an entire vocabularly of words I frequently use and automatically inject them based on heuristics and a artificial intelligence algorithm that keeps getting smarter.
Honestly I would love to get rid of the mouse...it slows me down so much in my daily bump and grind...mastering accelerator keys is nice but way to verbose. I've wondered if any kinf o iris tracker exists which I could install on the top of my monitor and move the cursor with my eyes. That would be sweet. If I ever went into computer science for my masters, that would be my thesis.
This is a really neat script - thanks - exactly what I have been after.
However, i dont appear to have ipset available on my machine - is there a way of running without it - it seems to be just making sure that kernel records of currently active ip's in memory are flushed, renamed, etc as part of the firewall - what would be the impact if i just comment out all references to ipset in your script and use the iptables parts only?
(i think to install ipset i would neet to rebuild my kernel, which i would rather avoid at this point in time - i have enough problems to contend with at present without compounding them).
If you are still around, or if anyone else has an idea, your help wuold be very much appreciated.
This is a really neat script - thanks - exactly what I have been after.
However, i dont appear to have ipset available on my machine - is there a way of running without it - it seems to be just making sure that kernel records of currently active ip's in memory are flushed, renamed, etc as part of the firewall - what would be the impact if i just comment out all references to ipset in your script and use the iptables parts only?
(i think to install ipset i would neet to rebuild my kernel, which i would rather avoid at this point in time - i have enough problems to contend with at present without compounding them).
If you are still around, or if anyone else has an idea, your help wuold be very much appreciated.
cheers
ipset is used only for creating "white" IP lists (i.e. IP addresses marked as "safe") - you can remove all references to ipset and this firewall will be still working. But you must be more careful when trying to connect through it, otherwise you may become marked as attacker (i.e. don't send wrong passwords to your SSH server).
PS: You can substitute the "ipset-lines" with several per-IP lines.
Last edited by VladSun on Thu Aug 26, 2010 2:23 pm, edited 3 times in total.
There are 10 types of people in this world, those who understand binary and those who don't