Re: iptables & tcp wrappers
From: Luis M (lemsx1_at_latinomixed.com)
To: Thomas Chiverton <firstname.lastname@example.org>
Date: Mon, 04 Oct 2004 21:40:20 -0400
On Mon, 2004-10-04 at 17:20 +0100, Thomas Chiverton wrote:
> On Sunday 03 Oct 2004 02:12 am, you said:
> > sshd ssh: ALL : spawn ( /etc/firestarter/slap-this-bitch %a %d ) & :
> > DENY # spawns a process that adds the offending IP to the blocked-hosts
> Handy DoS there if I can send packets faster than you can spawn and restart
> the firewall, no ?
Indeed it is possible, so this is not intended for a production server
that handles a lot of requests per second.
Now, it takes a few milliseconds to reload the script that enables the
blocked-hosts file (and as you can see this spawned process is sent to
the background with the ampersand (&)); this means that if you do a lot
of requests before the process is spawned, the server will hold traffic
to sshd for all subsequent requests (a mini-DoS you might say).
However, a few milliseconds later you will be blocked for that IP, thus
you will be forced to change IPs to continue DoS'ing the box.
To minimize the possibility of DoS, this rule is the last in the
hosts.allow file. And all other public services (ports) are declared
before this rule. Yet, you have a point in that it may create a
In practice what I have seen is that IPs might get logged twice in the
blocked-hosts file, but no more. And I have never been prevented from
accessing any of the servers for which this rule is enabled.
--
----)(-----
Luis M
System Administrator
LatinoMixed.com
email@example.com
One person's error is another person's data.
http://www.latinomixed.com/
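As an added example, not the script from the thread (the spawned handler itself is never shown there): a POSIX sh handler for a hosts.allow `spawn` rule that records the offending address in a blocked-hosts file exactly once, serialising concurrent spawns with `flock(1)` so that a burst of connections cannot produce the double entries mentioned above. The path `/etc/blocked-hosts`, the lock file beside it, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script). Intended to be called
# from a hosts.allow rule such as:
#   sshd : ALL : spawn ( /usr/local/sbin/block-host %a ) & : DENY
# hosts_access substitutes the client address for %a. The handler records it
# in a blocked-hosts file once; the firewall script later reads that file.
# Assumptions: flock(1) from util-linux is available; BLOCKED_HOSTS is a
# hypothetical path and can be overridden through the environment.

BLOCKED_HOSTS="${BLOCKED_HOSTS:-/etc/blocked-hosts}"

# Accept only a well-formed dotted-quad IPv4 address. The file feeds a
# firewall script, so nothing that does not parse may be appended.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1              # split on dots into the function's positionals
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Append the address once. grep -qxF matches a whole line literally, and
# the flock on fd 9 makes check-then-append atomic across parallel spawns.
# Exit status: 0 newly added, 1 already present, 2 bad address, 3 no lock.
block_host() {
    ip=$1
    is_ipv4 "$ip" || return 2
    (
        flock 9 || exit 3
        if ! grep -qxF "$ip" "$BLOCKED_HOSTS" 2>/dev/null; then
            printf '%s\n' "$ip" >> "$BLOCKED_HOSTS"
            exit 0
        fi
        exit 1
    ) 9>"$BLOCKED_HOSTS.lock"
}

# Act only when run as a script with one argument (not when sourced).
[ $# -eq 1 ] && block_host "$1"
```

This removes the duplicate-entry problem and lost writes under a burst; the per-connection cost of spawning a process, which is the DoS concern raised in the thread, is unchanged.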